...
Snort consumes memory, causing block depletion. In some cases, Snort enters an uninterruptible sleep (process in D state in top). Example:

top - 2020-02-28 14:12:48 up 85 days, 12:21, 3 users, load average: 21.10, 10.
Tasks: 459 total, 2 running, 400 sleeping, 0 stopped, 57 zombie
%Cpu(s): 1.3 us, 9.5 sy, 0.3 ni, 41.7 id, 46.7 wa, 0.0 hi, 0.5 si, 0.0 st
KiB Mem : 65725364 total, 1165064 free, 57217128 used, 7343172 buff/cache
KiB Swap: 8371552 total, 7483632 free, 887920 used. 4314412 avail Mem

  PID USER  PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
23743 root   1 -19 5274012 3.722g 216744 D 20.7  5.9  26514:31 snort
23751 root   1 -19 5361808 3.845g 217064 D 20.6  6.1  23857:23 snort

This will result in packets being dropped and block exhaustion.
None. To recover, restart Snort with "pmtool restartbytype snort" to release memory and clear the swapped memory pages in use by Snort.
show blocks

 SIZE    MAX    LOW    CNT
    0   2700   2696   2700
    4    100    100    100
   80   1000    993   1000
  256   8324     12   8319
 1550   6494      0   6492
 2048    100     99    100
 2560    164    163    164
 4096    100     99    100
 8192    100    100    100
 9472  10000   1223  10000
16384    100    100    100
65536     16     16     16
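A way to check for both symptoms above from captured output, as an added example (not Cisco's code): it flags block pools whose LOW column (the fewest free blocks seen since the counters were last cleared) fell to a small fraction of MAX, and snort rows in top with state D. The function names and the 5% threshold are assumptions; the sample input is the output shown on this page.

```python
# Sample input: the "show blocks" table and the two snort rows from top on this page.
SHOW_BLOCKS = """\
SIZE MAX LOW CNT
0 2700 2696 2700
4 100 100 100
80 1000 993 1000
256 8324 12 8319
1550 6494 0 6492
2048 100 99 100
2560 164 163 164
4096 100 99 100
8192 100 100 100
9472 10000 1223 10000
16384 100 100 100
65536 16 16 16
"""
TOP_ROWS = """\
23743 root 1 -19 5274012 3.722g 216744 D 20.7 5.9 26514:31 snort
23751 root 1 -19 5361808 3.845g 217064 D 20.6 6.1 23857:23 snort
"""

def depleted_pools(text, low_ratio=0.05):
    """Return (size, max, low, cnt) for pools whose low-water mark fell to
    low_ratio * MAX or less. low_ratio is an assumed alerting threshold."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not all(f.isdigit() for f in fields):
            continue  # header line or unrelated output
        size, mx, low, cnt = map(int, fields)
        if mx and low <= mx * low_ratio:
            hits.append((size, mx, low, cnt))
    return hits

def stuck_processes(text, command="snort"):
    """Return PIDs of `command` rows in top output whose state column is D."""
    pids = []
    for line in text.splitlines():
        f = line.split()
        # top columns: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
        if len(f) >= 12 and f[0].isdigit() and f[7] == "D" and f[11] == command:
            pids.append(int(f[0]))
    return pids

if __name__ == "__main__":
    for size, mx, low, cnt in depleted_pools(SHOW_BLOCKS):
        print(f"block size {size}: LOW {low} of MAX {mx} (CNT now {cnt})")
    print("snort PIDs in D state:", stuck_processes(TOP_ROWS))
```

On the sample, the 256-byte and 1550-byte pools are flagged even though CNT has recovered, which is why LOW rather than CNT is the column to alert on.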