On Wed, 17 May 2006 15:10:45 +0100 "Dermot Paikkos" <[EMAIL PROTECTED]> wrote:
> I wrote about this yesterday. > > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME > COMMAND > > nobody 17140 1.3 13.1 194984 169432 ? S 09:49 3:58 spamd > child > nobody 18656 1.3 10.4 159208 134328 ? R 10:08 3:43 spamd > child > nobody 21371 1.1 12.7 191072 164440 ? S 10:38 2:51 spamd > child > nobody 21372 1.4 15.1 243424 195616 ? S 10:38 3:34 spamd > child > nobody 22331 1.4 22.7 327064 293176 ? S 10:47 3:32 spamd > child > nobody 22481 1.2 15.6 242200 201256 ? S 10:49 3:10 spamd > child > > I am averaging 200MB per child. > > Here are my other rules: > 70_sare_bayes_poison_nxm.cf # snap > 70_sare_evilnum0.cf # snap > 70_sare_evilnum1.cf # snap > 70_sare_evilnum2.cf # snap > 70_sare_header0.cf # snap > 70_sare_header1.cf # snap > 70_sare_header2.cf # snap > 70_sare_header3.cf # snap > 70_sare_html.cf # snap > 70_sare_obfu0.cf # snap > 70_sare_obfu1.cf # snap > 70_sare_oem.cf # snap > 70_sare_random.cf # snap > 70_sare_specific.cf # snap > 70_sare_unsub.cf # snap > 70_sare_uri0.cf # snap > 72_sare_redirect_post3.0.0.cf # snap > 99_FVGT_Tripwire.cf > 99_sare_fraud_post25x.cf > > > There is a lot of overlap there. What version of SA are you running? > Perhaps we should start removing them one at time and see what > happens to the memory usage. > > Dp. > > Version 3.1.1. I went back to my original list of: TRUSTED_RULESETS="SARE_REDIRECT_POST300 SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_BAYES_POISON_NXM SARE_HTML SARE_HEADER SARE_SPECIFIC SARE_ADULT SARE_FRAUD SARE_SPOOF SARE_RANDOM SARE_SPAMCOP_TOP200 SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ4 SARE_GENLSUBJ_ENG SARE_HIGHRISK SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI3 SARE_URI_ENG SARE_WHITELIST SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_OBFU SARE_OBFU2 SARE_OBFU3 SARE_OBFU4 TRIPWIRE" with the same effect. I didn't see this issue before, so I suspect I'll simply nuke all sare rules, start and start adding them one by one. I'll let you know how it goes =) James > > On 17 May 2006 at 7:27, James Lay wrote: > > > Hello all! > > > > Soo.....yesterday I decided to get gutsy and use just about all the > > rules from SARE. Here's my rulesdujour config: > > > > TRUSTED_RULESETS="ANTIDRUG BLACKLIST BLACKLIST_URI BOGUSVIRUS > > RANDOMVAL SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML > > SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD > > SARE_GENLSUBJ SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 > > SARE_GENLSUBJ3 SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER > > SARE_HEADER0 SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG > > SARE_HEADER_X30 SARE_HIGHRISK SARE_HTML SARE_HTML0 SARE_HTML1 > > SARE_HTML2 SARE_HTML3 SARE_HTML4 SARE_HTML_ENG SARE_OBFU SARE_OBFU0 > > SARE_OBFU1 SARE_OBFU2 SARE_OBFU3 SARE_OEM SARE_RANDOM SARE_RATWARE > > SARE_REDIRECT SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 > > SARE_SPECIFIC SARE_SPOOF SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 > > SARE_URI3 SARE_URI_ENG SARE_WHITELIST TRIPWIRE" > > > > Now here's the output of ps aux: > > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME > > COMMAND root 3338 31.6 26.8 287636 277940 ? Ss 07:24 > > 0:39 /usr/bin/spamd -u filter -d -m 10 -r /home/filter/run/spamd.pid > > --socketpath=/home/filter/run/spamd filter 3365 19.1 27.1 290940 > > 281204 ? S 07:25 0:14 spamd child filter 3366 0.0 > > 26.7 287636 276788 ? S 07:25 0:00 spamd child > > > > Is this normal? > > > > James > >
