<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div>Hi all: </div><div>   </div><div>I run Suricata on a Debian (5.0.0) platform. I met an issue where the memory usage of the Suricata process increased from 300MB to 2GB. I tested Suricata 1.4.5/1.4.6/2.0/2.0.1; the same issue is present in these versions. </div><div>My configuration is as follows: </div><div>==========================================</div><div><div>%YAML 1.1</div><div>---</div><div><br></div><div>max-pending-packets: 65000</div><div>host-mode: auto</div><div>pid-file: /var/run/suritaca.pid</div><div>action-order:</div><div>  - pass</div><div>  - reject</div><div>  - drop</div><div>  - alert</div><div>default-log-dir: /var/log/suritaca/</div><div>outputs:</div><div>  - fast:</div><div>      enabled: no</div><div>      filename: fast.log</div><div>      append: no</div><div>  - http-log:</div><div>      enabled: yes</div><div>      filename: http.log</div><div>      append: yes</div><div>  - stats:</div><div>      enabled: no</div><div>      filename: stats.log</div><div>      interval: 8</div><div>nfq:</div><div>  mode: accept</div><div>detect-engine:</div><div>  - profile: medium</div><div>  - custom-values:</div><div>      toclient-src-groups: 200</div><div>      toclient-dst-groups: 200</div><div>      toclient-sp-groups: 200</div><div>      toclient-dp-groups: 300</div><div>      toserver-src-groups: 200</div><div>      toserver-dst-groups: 400</div><div>      toserver-sp-groups: 200</div><div>      toserver-dp-groups: 250</div><div>  - sgh-mpm-context: auto</div><div>  - inspection-recursion-limit: 3000</div><div>threading:</div><div>  set-cpu-affinity: yes</div><div>  cpu-affinity:</div><div>    - management-cpu-set:</div><div>        cpu: [ 0, 1 ]</div><div>    - receive-cpu-set:</div><div>        cpu: [ 2, 3 ]</div><div>    - decode-cpu-set:</div><div>        cpu: [ 4 ]</div><div>        mode: "balanced"</div><div>    - stream-cpu-set:</div><div>        cpu: 
[ 5 ]</div><div>    - detect-cpu-set:</div><div>        cpu: [ 6, 7 ]</div><div>        mode: "exclusive"</div><div>        prio:</div><div>          low: [ "all" ]</div><div>          medium: [ 6-7 ]</div><div>          high: [ "all" ]</div><div>          default: "medium"</div><div>    - verdict-cpu-set:</div><div>        cpu: [ 5 ]</div><div>        prio:</div><div>          default: "high"</div><div>    - reject-cpu-set:</div><div>        cpu: [ 5 ]</div><div>        prio:</div><div>          default: "low"</div><div>    - output-cpu-set:</div><div>        cpu: [ 5 ]</div><div>        prio:</div><div>           default: "medium"</div><div><br></div><div>  detect-thread-ratio: 1.5</div><div><br></div><div>cuda:</div><div>  - mpm:</div><div>      packet-buffer-limit: 2400</div><div>      packet-size-limit: 1500</div><div>      packet-buffers: 10</div><div>      batching-timeout: 1</div><div>      page-locked: enabled</div><div>      device-id: 0</div><div>      cuda-streams: 2</div><div>mpm-algo: ac</div><div>pattern-matcher:</div><div>  - b2gc:</div><div>      search-algo: B2gSearchBNDMq</div><div>      hash-size: low</div><div>      bf-size: medium</div><div>  - b2gm:</div><div>      search-algo: B2gSearchBNDMq</div><div>      hash-size: low</div><div>      bf-size: medium</div><div>  - b2g:</div><div>      search-algo: B2gSearchBNDMq</div><div>      hash-size: low</div><div>      bf-size: medium</div><div>  - b3g:</div><div>      search-algo: B3gSearchBNDMq</div><div>      hash-size: low</div><div>      bf-size: medium</div><div>  - wumanber:</div><div>      hash-size: low</div><div>      bf-size: medium</div><div><br></div><div><br></div><div>defrag:</div><div>  memcap: 32mb</div><div>  hash-size: 65536</div><div>  trackers: 65535 # number of defragmented flows to follow</div><div>  max-frags: 65535 # number of fragments to keep (higher than trackers)</div><div>  prealloc: yes</div><div>  timeout: 60</div><div><br></div><div>flow:</div><div>  memcap: 
512mb</div><div>  hash-size: 102400</div><div>  prealloc: 400000</div><div>  emergency-recovery: 30</div><div>  prune-flows: 5</div><div><br></div><div>vlan:</div><div>  use-for-tracking: true</div><div><br></div><div>flow-timeouts:</div><div>  default:</div><div>    new: 30</div><div>    established: 300</div><div>    closed: 0</div><div>    emergency-new: 10</div><div>    emergency-established: 100</div><div>    emergency-closed: 0</div><div>  tcp:</div><div>    new: 60</div><div>    established: 600 </div><div>    closed: 120</div><div>    emergency-new: 10</div><div>    emergency-established: 300</div><div>    emergency-closed: 20</div><div>  udp:</div><div>    new: 30</div><div>    established: 300</div><div>    emergency-new: 10</div><div>    emergency-established: 100</div><div>  icmp:</div><div>    new: 30</div><div>    established: 300</div><div>    emergency-new: 10</div><div>    emergency-established: 100</div><div>stream:</div><div>  memcap: 1024mb</div><div>  checksum-validation: yes</div><div>  inline: auto</div><div>  prealloc-sessions: 32768 </div><div>  midstream: false</div><div>  max-synack-queued: 16</div><div><br></div><div>  reassembly:</div><div>    memcap: 64mb</div><div>    depth: 1mb</div><div>    toserver-chunk-size: 2560</div><div>    toclient-chunksize: 2560</div><div>    randomize-chunk-size: yes </div><div><br></div><div>host:</div><div>  hash-size: 4096</div><div>  prealloc: 1000</div><div>  memcap: 16777216</div><div><br></div><div>logging:</div><div>  default-log-level: info</div><div>  default-output-filter:</div><div>  outputs:</div><div>  - console:</div><div>      enabled: no </div><div>  - file:</div><div>      enabled: no</div><div>      filename: /var/log/suritaca/log</div><div>#  - syslog:</div><div>#      enabled: no</div><div>#      facility: local5</div><div>#      format: "[%i] <%d> -- "</div><div><br></div><div>pfring:</div><div>  - interface: eth1</div><div>    threads: 1</div><div>    cluster-id: 99</div><div>    
cluster-type: cluster-round-robin</div><div>ipfw:</div><div>default-rule-path: /var/log/suritaca/rules/</div><div>rule-files:</div><div> - ips.rules</div><div>classification-file: /var/log/suritaca/rules/classification.config</div><div>reference-config-file: /var/log/suritaca/rules/reference.config</div><div>threshold-file: /var/log/suritaca/rules/threshold.config</div><div><br></div><div>vars:</div><div>  address-groups:</div><div>    HOME_NET: "[192.168.62.245,192.168.62.246,192.168.62.247,192.168.62.248,192.168.62.249,192.168.62.250,192.168.62.251,192.168.62.252,192.168.62.253,192.168.62.254]"</div><div>    EXTERNAL_NET: "any"</div><div>    HTTP_SERVERS: "$HOME_NET"</div><div>    #SMTP_SERVERS: "$HOME_NET"</div><div>    #SQL_SERVERS: "$HOME_NET"</div><div>    #DNS_SERVERS: "$HOME_NET"</div><div>    #TELNET_SERVERS: "$HOME_NET"</div><div>    #AIM_SERVERS: "$EXTERNAL_NET"</div><div>    #DNP3_SERVER: "$HOME_NET"</div><div>    #DNP3_CLIENT: "$HOME_NET"</div><div>    #MODBUS_CLIENT: "$HOME_NET"</div><div>    #MODBUS_SERVER: "$HOME_NET"</div><div>    #ENIP_CLIENT: "$HOME_NET"</div><div>    #ENIP_SERVER: "$HOME_NET"</div><div>  port-groups:</div><div>    HTTP_PORTS: "[80]"</div><div>    SHELLCODE_PORTS: "!80"</div><div>    #ORACLE_PORTS: 1521</div><div>host-os-policy:</div><div>  windows: [0.0.0.0/0]</div><div>  bsd: []</div><div>  bsd-right: []</div><div>  old-linux: []</div><div>  linux: []</div><div>  old-solaris: []</div><div>  solaris: []</div><div>  hpux10: []</div><div>  hpux11: []</div><div>  irix: []</div><div>  macos: []</div><div>  vista: []</div><div>  windows2k3: []</div><div>asn1-max-frames: 256</div><div><br></div><div>pcre:</div><div>  match-limit: 3500</div><div>  match-limit-recursion: 1500</div><div><br></div><div>app-layer:</div><div>  protocols:</div><div>    tls:</div><div>      enabled: no </div><div>      detection-ports:</div><div>        toserver: 443</div><div><br></div><div>      #no-reassemble: yes</div><div>    dcerpc:</div><div>      
enabled: no </div><div>    ftp:</div><div>      enabled: no </div><div>    ssh:</div><div>      enabled: no </div><div>    smtp:</div><div>      enabled: no </div><div>    imap:</div><div>      enabled: detection-only</div><div>    msn:</div><div>      enabled: no</div><div>    smb:</div><div>      enabled: no </div><div>      detection-ports:</div><div>        toserver: 139</div><div>    dns:</div><div>      tcp:</div><div>        enabled: no</div><div>      udp:</div><div>        enabled: no</div><div>    http:</div><div>      enabled: yes</div><div>      memcap: 128mb</div><div>      #libhtp:</div><div>      #  default-config:</div><div>      #    personality: IDS</div><div>      #    request-body-limit: 0</div><div>      #    response-body-limit: 0</div><div>      #    request-body-minimal-inspect-size: 32kb</div><div>      #    request-body-inspect-window: 4kb</div><div>      #    response-body-minimal-inspect-size: 32kb</div><div>      #    response-body-inspect-window: 4kb</div><div>      #    double-decode-path: no</div><div>      #    double-decode-query: no </div><div>profiling:</div><div>  rules:</div><div>    enabled: no</div><div>    filename: rule_perf.log</div><div>    append: no</div><div>    sort: avgticks</div><div>  packets:</div><div>    enabled: no</div><div>    filename: packet_stats.log</div><div>    append: no</div><div>    csv:</div><div>      enabled: no</div><div>      filename: packet_stats.csv</div><div>coredump:</div><div>  max-dump: unlimited</div></div><div><span style="line-height: 1.7;">==========================================</span></div><div><br></div><div>Could you please give me a hand? 
</div><div>Thanks </div><div><br></div><div>George </div></div>
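As an added, defender-side check (example code written for this page, not part of George's message or of the Suricata project): the script below extracts every memcap from the memcap-bearing excerpt of the posted configuration, tracking YAML nesting by indentation, and compares the sum with the 2GB figure reported above. It assumes, as Suricata does, that the kb/mb/gb suffixes are powers of 1024. The caveat a practitioner wants here: memcaps bound only the defrag, flow, stream, reassembly, host and HTTP subsystems; memory for the loaded rule set and the detection engine is not governed by any memcap, so an RSS above the sum is not by itself proof of a leak, and an RSS below it is still within the configured budget.

```python
import re

# Memcap-bearing lines copied from the configuration posted in the message above;
# the remaining keys do not contribute to any memcap and are omitted.
SURICATA_CONFIG_EXCERPT = """\
defrag:
  memcap: 32mb
  hash-size: 65536
flow:
  memcap: 512mb
  hash-size: 102400
  prealloc: 400000
stream:
  memcap: 1024mb
  prealloc-sessions: 32768
  reassembly:
    memcap: 64mb
    depth: 1mb
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216
app-layer:
  protocols:
    http:
      enabled: yes
      memcap: 128mb
"""

# Assumption: Suricata size suffixes use 1024-based multipliers.
_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_size(value: str) -> int:
    """Convert a Suricata size string ('32mb', '16777216') into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b?)\s*", value.lower())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def find_memcaps(config_text: str) -> dict:
    """Return {dotted.path: bytes} for every 'memcap' key in the YAML subset
    used by suricata.yaml, tracking nesting purely by indentation."""
    stack = []  # (indent, key) for every enclosing mapping
    memcaps = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if body.startswith("- "):  # list item holding a mapping
            body = body[2:].strip()
            indent += 2
        if ":" not in body:
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling scopes
            stack.pop()
        path = ".".join(k for _, k in stack + [(indent, key)])
        if key == "memcap" and value:
            memcaps[path] = parse_size(value)
        elif not value:  # a key with no value opens a nested mapping
            stack.append((indent, key))
    return memcaps


def total_memcap_bytes(config_text: str) -> int:
    return sum(find_memcaps(config_text).values())


def compare_with_observed(config_text: str, observed_rss_bytes: int) -> dict:
    """Summarise the configured memcap budget against an observed RSS figure."""
    total = total_memcap_bytes(config_text)
    return {
        "configured_total_bytes": total,
        "configured_total_mb": total // (1024 ** 2),
        "observed_rss_mb": observed_rss_bytes // (1024 ** 2),
        "observed_exceeds_memcap_sum": observed_rss_bytes > total,
    }


if __name__ == "__main__":
    for path, size in sorted(find_memcaps(SURICATA_CONFIG_EXCERPT).items()):
        print(f"{path:35s} {size // (1024 ** 2):6d} MB")
    # 2GB is the peak usage reported in the message above.
    print(compare_with_observed(SURICATA_CONFIG_EXCERPT, 2 * 1024 ** 3))
```

Run against the posted values, the six memcaps sum to 1776 MB, slightly under the 2GB observed; the remaining growth has to come from uncapped memory (rules, detection engine, packet pools), which is where a practitioner would look next with the stats output enabled.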