Hi,<div><br></div><div><div> I use 'top' command, my memory is as follows:</div><div> </div><div>Mem: 3080880k total, 356708k used, 2724172k free, 6452k buffers</div><div>Swap: 2650684k total, 0k used, 2650684k free, 83212k cached</div>
<div><br></div><div>When suricata starts, it used about 6.6% (~203MB). But it become larger and larger.</div><div><br></div><div>The following is some log when suricata starts.</div><div><br></div><div>3/12/2012 -- 08:44:50 - <Info> - AutoFP mode using default "Active Packets" flow load balancer</div>
<div>3/12/2012 -- 08:44:50 - <Info> - Use pid file /var/run/suricata.pid from config file.</div><div>3/12/2012 -- 08:44:50 - <Info> - preallocated 5000 packets. Total memory 15440000</div><div>3/12/2012 -- 08:44:50 - <Info> - allocated 131072 bytes of memory for the host hash... 4096 buckets of size 32</div>
<div>3/12/2012 -- 08:44:50 - <Info> - preallocated 1000 hosts of size 72</div><div>3/12/2012 -- 08:44:50 - <Info> - host memory usage: 203072 bytes, maximum: 16777216</div><div>3/12/2012 -- 08:44:50 - <Info> - allocated 2097152 bytes of memory for the flow hash... 65536 buckets of size 32</div>
<div>3/12/2012 -- 08:44:50 - <Info> - preallocated 10000 flows of size 176</div><div>3/12/2012 -- 08:44:50 - <Info> - flow memory usage: 3857152 bytes, maximum: 33554432</div><div>3/12/2012 -- 08:44:50 - <Info> - using magic-file /usr/share/file/magic</div>
<div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event "ipv6.ipv4_in_ipv6_too_small"</div><div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 packet too short"; decode-event:ipv6.ipv4_in_ipv6_too_small; sid:2200082; rev:1;)" from file /etc/suricata/rules/decoder-events.rules at line 93</div>
<div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event "ipv6.ipv4_in_ipv6_wrong_version"</div><div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; decode-event:ipv6.ipv4_in_ipv6_wrong_version; sid:2200083; rev:1;)" from file /etc/suricata/rules/decoder-events.rules at line 94</div>
<div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event "ipv6.ipv6_in_ipv6_too_small"</div><div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)" from file /etc/suricata/rules/decoder-events.rules at line 96</div>
<div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event "ipv6.ipv6_in_ipv6_wrong_version"</div><div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)" from file /etc/suricata/rules/decoder-events.rules at line 97</div>
<div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/emerging-botcc.rules: No such file or directory.</div><div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/emerging-ciarmy.rules: No such file or directory.</div>
<div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/emerging-compromised.rules: No such file or directory.</div><div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/emerging-drop.rules: No such file or directory.</div>
<div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/emerging-dshield.rules: No such file or directory.</div><div>3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/emerging-tor.rules: No such file or directory.</div>
<div>3/12/2012 -- 08:44:53 - <Info> - 41 rule files processed. 6106 rules succesfully loaded, 4 rules failed</div><div>3/12/2012 -- 08:44:54 - <Info> - 6114 signatures processed. 4 are IP-only rules, 2880 are inspecting packet payload, 3885 inspect application layer, 72 are decoder event only</div>
<div>3/12/2012 -- 08:44:54 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete</div><div>3/12/2012 -- 08:44:54 - <Info> - building signature grouping structure, stage 2: building source address list... complete</div>
<div>3/12/2012 -- 08:44:56 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete</div><div>3/12/2012 -- 08:44:57 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata//threshold.config": No such file or directory</div>
<div>3/12/2012 -- 08:44:57 - <Info> - Core dump size is unlimited.</div><div>3/12/2012 -- 08:44:57 - <Info> - fast output device (regular) initialized: fast.log</div><div>3/12/2012 -- 08:44:57 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB</div>
<div>3/12/2012 -- 08:44:57 - <Info> - Using 1 live device(s).</div><div>3/12/2012 -- 08:44:57 - <Info> - Unable to find pcap config for interface wafbridge1, using default value</div><div>3/12/2012 -- 08:44:57 - <Info> - using interface wafbridge1</div>
<div>3/12/2012 -- 08:44:57 - <Info> - RunModeIdsPcapAutoFp initialised</div><div>3/12/2012 -- 08:44:57 - <Info> - stream "max-sessions": 262144</div><div>3/12/2012 -- 08:44:57 - <Info> - stream "prealloc-sessions": 32768</div>
<div>3/12/2012 -- 08:44:57 - <Info> - stream "memcap": 33554432</div><div>3/12/2012 -- 08:44:57 - <Info> - stream "midstream" session pickups: disabled</div><div>3/12/2012 -- 08:44:57 - <Info> - stream "async-oneside": disabled</div>
<div>3/12/2012 -- 08:44:57 - <Info> - stream "checksum-validation": enabled</div><div>3/12/2012 -- 08:44:57 - <Info> - stream."inline": disabled</div><div>3/12/2012 -- 08:44:57 - <Info> - stream.reassembly "memcap": 67108864</div>
<div>3/12/2012 -- 08:44:57 - <Info> - stream.reassembly "depth": 1048576</div><div>3/12/2012 -- 08:44:57 - <Info> - stream.reassembly "toserver-chunk-size": 2560</div><div>3/12/2012 -- 08:44:57 - <Info> - stream.reassembly "toclient-chunk-size": 2560</div>
<div>3/12/2012 -- 08:44:57 - <Info> - all 7 packet processing threads, 3 management threads initialized, engine started.</div><div><br></div><div><br></div><div>My testing network is like this.</div><div><br></div><div>
Working Network ------Suricata-------Internet</div><div><br></div><div>Working Network bandwidth is about 8~30Mbit/s. Each traffic we visit Internet is checked by Suricata. </div><div><br></div><div>Thank you.</div><div>
<br></div><div><br></div><br><div class="gmail_quote">On Fri, Nov 30, 2012 at 6:44 PM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br><br>You mention that you have small traffic - how much memory does Suricata use? how many rules do you load?<br><br>thank you<br><br><div class="gmail_quote"><div><div class="h5">On Fri, Nov 30, 2012 at 3:50 AM, xbadou xbadou <span dir="ltr"><<a href="mailto:xbadou@gmail.com" target="_blank">xbadou@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">Thank you very much.<div><br></div><div>But I want to known, whether I can do something to limit the max memory usage of suricata. Because I just have very small network traffic. I think 4 GB is maybe enough to me. I just want suricata keep alive if it can't get more memory. Or suricata do some memory clean jobs if it can't allocate more memory.</div>
<div><br></div><div>If suricata get a segfault very offen, I think I may need a watchdog to watch this and restart it.</div><div><div><div> <br><br><div class="gmail_quote">On Fri, Nov 30, 2012 at 10:26 AM, Marcos Rodriguez <span dir="ltr"><<a href="mailto:marcos.e.rodriguez@gmail.com" target="_blank">marcos.e.rodriguez@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br><br><div class="gmail_quote"><div>On Thu, Nov 29, 2012 at 8:23 PM, xbadou xbadou <span dir="ltr"><<a href="mailto:xbadou@gmail.com" target="_blank">xbadou@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Yes, I am running debian 5 with kernel 2.6.31.14 32bit。 And the system ram size is 2GB*2.<div><br></div><div>So, if it is really this issue. How can I avoid this coredump happen? Can I change some settings in the suricata.yaml file?</div>
<div> </div><div>Thanks.</div></blockquote><div><br></div><div><br></div></div><div>At the bottom of the suricata.yaml file, you'll find this section:</div><div><br></div><div># Suricata core dump configuration. Limits the size of the core dump file to</div>
<div># approximately max-dump. The actual core dump size will be a multiple of the</div><div># page size. Core dumps that would be larger than max-dump are truncated. On</div><div># Linux, the actual core dump size may be a few pages larger than max-dump.</div>
<div># Setting max-dump to 0 disables core dumping.</div><div># Setting max-dump to 'unlimited' will give the full core dump file.</div><div># On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size</div>
<div># to be 'unlimited'.</div><div><br></div><div>coredump:</div><div> max-dump: unlimited</div><div><br></div><div>Change the max-dump to 0 to disable. :o)</div><span><font color="#888888"><div>
<br></div><div>marcos </div></font></span></div>
</blockquote></div><br></div>
</div></div><br></div></div><div class="im">_______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br></div></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><br>
-- <br><div>Regards,</div>
<div>Peter Manev</div><br>
</font></span></blockquote></div><br></div>