Argus memory issues

Peter Van Epp vanepp at sfu.ca
Sun Aug 19 21:50:15 EDT 2007


On Mon, Aug 20, 2007 at 01:39:21PM +1200, Russell Fulton wrote:
> Hi All,
> 
> Sorry, I'm a bit late to the party :)
> 
> I have just restarted argus on the sensor that I have been having
> trouble with and in a couple of hours one instance of argus has grown to
> well over 200MB (this one is collecting content).  One on the same
> machine just collecting flow data is now at 99MB; both are still increasing.
> 
> No wonder the box is starting to swap.
> 
> Do we have any idea when this bug crept in?  So far as I can tell I
> started having problems less than a month ago roughly coincident with
> installing the 3.0.0.0 release version.  Previously I had been running
> RC40 without problems since February.   Yesterday I went back to RC40
> and I am having the same trouble.
> 
> I wonder if there is some new application that is tickling this bug in
> argus -- e.g. changes to SKYPE or something like that that both Peter
> and I would see but commercial folk would block.  I'd love to blame
> storm worm but we have not seen much of it here.
> 
> One other observation: argus keeps *all* its memory in physical memory
> -- it does not get swapped out so this is killing snort which is getting
> swapped aggressively.
> 
> Russell

	That has been my experience too. I tried going back to versions that
I swear were working fine, but now they exhibit the same problem and I don't
know why. There may be a traffic issue though, my 2.0.6 production system 
while not eating memory (it has been at 256K since June last year as I recall)
is taking a long time in perl post processing, but I can't find any obvious
reason why. Scanning looks reasonably normal, traffic isn't overly high. I too
am wondering about storm because I too am not recognizing anything I think
is storm traffic (things have been quiet on the infection front for months)
and I expect I have storm infections here that I'm just not seeing :-).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


