Argus memory issues

Russell Fulton r.fulton at auckland.ac.nz
Sun Aug 19 22:38:39 EDT 2007


I have snort rules that find storm worm -- so far we have had 3 so I
doubt if it is that. As for skype the discussion that I have seen on
other 'edu' lists suggest that the skype "DDOS" is linked to supernodes
and we have so little bandwidth compared with most US institutions that
we have never seen a supernode here (and long may it stay that way ;).

I've been going around my other sensors and on all of them argus is
sitting on around 200MB of memory all of which is locked into physical
memory.  This includes some that have been running for weeks.

I'm coming to the conclusion that this problem has been with us for some
time and what happens is that argus grows and settles at a bloated size
(around 200MB if you are collecting just flowdata and much bigger if
you are collecting content).

In my case I am having trouble on one sensor where I have two argi and a
snort instance which between them are hogging 1.5GB of memory on a 1GB
system.  My other sensors which only have 1 copy of argus are fine, not
because nothing is wrong, but because there is enough physical memory to
cope with the bloat.

I suggest that others go and check their sensors and see just how much
memory the argus processes are using -- you may be surprised.

Russell.
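One way to do the check suggested above on a Linux sensor, as an added example that is not part of the original post or of the argus project: walk /proc, pick out processes whose name matches a pattern, and print their resident (VmRSS) and locked (VmLck) memory from /proc/<pid>/status. The script name `argus_mem.sh`, the default pattern `argus` and the 150 MB flag threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from argus itself.
# Reports resident (VmRSS) and mlock-ed (VmLck) memory per process, read
# from /proc/<pid>/status (Linux only). The 150 MB threshold at which a
# process is flagged is an assumption, picked with the ~200 MB figure
# from the post in mind; pass a second argument to change it.

# Read one /proc/<pid>/status body from stdin, print "<rss_kb> <lck_kb>".
# Both values are reported in kB by the kernel; missing lines count as 0.
status_mem_kb() {
    awk '
        /^VmRSS:/ { rss = $2 }
        /^VmLck:/ { lck = $2 }
        END { printf "%d %d\n", rss + 0, lck + 0 }
    '
}

# Succeed (exit 0) when rss_kb ($1) is at or above limit_mb ($2).
over_limit() {
    [ "$(( $1 / 1024 ))" -ge "$2" ]
}

# Walk /proc and print one line per process whose Name: contains $1
# (default "argus"):   PID NAME RSS_MB LOCKED_MB [OVER]
report_mem() {
    pattern="${1:-argus}"
    limit_mb="${2:-150}"
    for st in /proc/[0-9]*/status; do
        [ -r "$st" ] || continue
        # A process may exit between the glob and the read; skip it then.
        pname=$(awk '/^Name:/ { print $2; exit }' "$st" 2>/dev/null) || continue
        case "$pname" in
            *"$pattern"*) ;;
            *) continue ;;
        esac
        pid=${st#/proc/}
        pid=${pid%/status}
        mem=$(status_mem_kb < "$st")
        rss_kb=${mem% *}
        lck_kb=${mem#* }
        flag=""
        over_limit "$rss_kb" "$limit_mb" && flag=" OVER"
        printf '%s %s %d %d%s\n' "$pid" "$pname" \
            "$(( rss_kb / 1024 ))" "$(( lck_kb / 1024 ))" "$flag"
    done
}

# When saved as argus_mem.sh and run directly:
#   ./argus_mem.sh            # all argus processes, flag at 150 MB
#   ./argus_mem.sh snort 400  # same check for snort, flag at 400 MB
case "${0##*/}" in
    argus_mem.sh) report_mem "$@" ;;
esac
```

Running this from cron on each sensor and diffing the output over a few days shows whether a process has settled at a fixed size or is still growing, which is the distinction the post is trying to draw. VmLck is only non-zero for pages the process has actually mlock-ed, so a large VmRSS with a small VmLck points at ordinary heap growth rather than locked buffers.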

Mike Iglesias wrote:
> Peter Van Epp wrote:
>   
>> 	That has been my experience too. I tried going back to versions that
>> I swear were working fine, but now they exhibit the same problem and I don't
>> know why. There may be a traffic issue though, my 2.0.6 production system 
>> while not eating memory (it has been at 256K since June last year as I recall)
>> is taking a long time in perl post processing, but I can't find any obvious
>> reason why. Scanning looks reasonably normal, traffic isn't overly high. I too
>> am wondering about storm because I too am not recognizing anything I think
>> is storm traffic (things have been quiet on the infection front for months)
>> and I expect I have storm infections here that I'm just not seeing :-).
>>     
>
> Look for systems with a lot of UDP traffic to find stormworm, or recently,
> skype.  The recent Skype problems have caused systems here to have over
> 170,000 other systems talking to them via UDP.  You may be seeing some of
> that, but that didn't start happening until Wed or Thurs last week.
>
>
>   


