<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div>Thanks your response. </div><div><br></div><div>1) Hardware: </div><div>    Processor: I5  2core; RAM: 4GB, Intel H64-chipset; </div><div>2) NIC: <span style="line-height: 1.7;">Intel 82576    </span></div><div><span style="line-height: 1.7;">3)HTTP CPS: 10000 req/s </span></div><div><span style="line-height: 1.7;"><br></span></div><div>We found that the resassemble memory usage is large. </div><div>If we force to free the session, the memory issue is gone. </div><div><br></div><div>we suspect that there is a corner-case: <span style="line-height: 1.7;"> if the flow-session is terminated by an alert,  the flow is not free by engine, it need to timeout to free the session?</span></div><div><span style="line-height: 1.7;"><br></span></div><div><span style="line-height: 1.7;">thanks </span></div><div><span style="line-height: 1.7;">George </span></div><br><br><br><div></div><div id="divNeteaseMailCard"></div><br><pre><br>At 2014-07-25 02:39:53, "Peter Manev" <petermanev@gmail.com> wrote:
>On Thu, Jun 5, 2014 at 2:20 PM, greatwall <13811880491@126.com> wrote:
>> Hi all:
>>
>> I run suricata in Debian(5.0.0) platform. I met an issue that  the memory
>> usage of suricta process is increased from 300MB to 2GB, I had tested the
>> suricata of  1.4.5 /1.4.6/2.0/2.0.1, there is saome issue in these version.
>> my configuration is as following:
>> ==========================================
>> %YAML 1.1
>> ---
>>
>> max-pending-packets: 65000
>> host-mode: auto
>> pid-file: /var/run/suritaca.pid
>> action-order:
>>   - pass
>>   - reject
>>   - drop
>>   - alert
>> default-log-dir: /var/log/suritaca/
>> outputs:
>>   - fast:
>>       enabled: no
>>       filename: fast.log
>>       append: no
>>   - http-log:
>>       enabled: yes
>>       filename: http.log
>>       append: yes
>>   - stats:
>>       enabled: no
>>       filename: stats.log
>>       interval: 8
>> nfq:
>>   mode: accept
>> detect-engine:
>>   - profile: medium
>>   - custom-values:
>>       toclient-src-groups: 200
>>       toclient-dst-groups: 200
>>       toclient-sp-groups: 200
>>       toclient-dp-groups: 300
>>       toserver-src-groups: 200
>>       toserver-dst-groups: 400
>>       toserver-sp-groups: 200
>>       toserver-dp-groups: 250
>>   - sgh-mpm-context: auto
>>   - inspection-recursion-limit: 3000
>> threading:
>>   set-cpu-affinity: yes
>>   cpu-affinity:
>>     - management-cpu-set:
>>         cpu: [ 0, 1 ]
>>     - receive-cpu-set:
>>         cpu: [ 2, 3 ]
>>     - decode-cpu-set:
>>         cpu: [ 4 ]
>>         mode: "balanced"
>>     - stream-cpu-set:
>>         cpu: [ 5 ]
>>     - detect-cpu-set:
>>         cpu: [ 6, 7 ]
>>         mode: "exclusive"
>>         prio:
>>           low: [ "all" ]
>>           medium: [ 6-7 ]
>>           high: [ "all" ]
>>           default: "medium"
>>     - verdict-cpu-set:
>>         cpu: [ 5 ]
>>         prio:
>>           default: "high"
>>     - reject-cpu-set:
>>         cpu: [ 5 ]
>>         prio:
>>           default: "low"
>>     - output-cpu-set:
>>         cpu: [ 5 ]
>>         prio:
>>            default: "medium"
>>
>>   detect-thread-ratio: 1.5
>>
>> cuda:
>>   - mpm:
>>       packet-buffer-limit: 2400
>>       packet-size-limit: 1500
>>       packet-buffers: 10
>>       batching-timeout: 1
>>       page-locked: enabled
>>       device-id: 0
>>       cuda-streams: 2
>> mpm-algo: ac
>> pattern-matcher:
>>   - b2gc:
>>       search-algo: B2gSearchBNDMq
>>       hash-size: low
>>       bf-size: medium
>>   - b2gm:
>>       search-algo: B2gSearchBNDMq
>>       hash-size: low
>>       bf-size: medium
>>   - b2g:
>>       search-algo: B2gSearchBNDMq
>>       hash-size: low
>>       bf-size: medium
>>   - b3g:
>>       search-algo: B3gSearchBNDMq
>>       hash-size: low
>>       bf-size: medium
>>   - wumanber:
>>       hash-size: low
>>       bf-size: medium
>>
>>
>> defrag:
>>   memcap: 32mb
>>   hash-size: 65536
>>   trackers: 65535 # number of defragmented flows to follow
>>   max-frags: 65535 # number of fragments to keep (higher than trackers)
>>   prealloc: yes
>>   timeout: 60
>>
>> flow:
>>   memcap: 512mb
>>   hash-size: 102400
>>   prealloc: 400000
>>   emergency-recovery: 30
>>   prune-flows: 5
>>
>> vlan:
>>   use-for-tracking: true
>>
>> flow-timeouts:
>>   default:
>>     new: 30
>>     established: 300
>>     closed: 0
>>     emergency-new: 10
>>     emergency-established: 100
>>     emergency-closed: 0
>>   tcp:
>>     new: 60
>>     established: 600
>>     closed: 120
>>     emergency-new: 10
>>     emergency-established: 300
>>     emergency-closed: 20
>>   udp:
>>     new: 30
>>     established: 300
>>     emergency-new: 10
>>     emergency-established: 100
>>   icmp:
>>     new: 30
>>     established: 300
>>     emergency-new: 10
>>     emergency-established: 100
>> stream:
>>   memcap: 1024mb
>>   checksum-validation: yes
>>   inline: auto
>>   prealloc-sessions: 32768
>>   midstream: false
>>   max-synack-queued: 16
>>
>>   reassembly:
>>     memcap: 64mb
>>     depth: 1mb
>>     toserver-chunk-size: 2560
>>     toclient-chunksize: 2560
>>     randomize-chunk-size: yes
>>
>> host:
>>   hash-size: 4096
>>   prealloc: 1000
>>   memcap: 16777216
>>
>> logging:
>>   default-log-level: info
>>   default-output-filter:
>>   outputs:
>>   - console:
>>       enabled: no
>>   - file:
>>       enabled: no
>>       filename: /var/log/suritaca/log
>> #  - syslog:
>> #      enabled: no
>> #      facility: local5
>> #      format: "[%i] <%d> -- "
>>
>> pfring:
>>   - interface: eth1
>>     threads: 1
>>     cluster-id: 99
>>     cluster-type: cluster-round-robin
>> ipfw:
>> default-rule-path: /var/log/suritaca/rules/
>> rule-files:
>>  - ips.rules
>> classification-file: /var/log/suritaca/rules/classification.config
>> reference-config-file: /var/log/suritaca/rules/reference.config
>> threshold-file: /var/log/suritaca/rules/threshold.config
>>
>> vars:
>>   address-groups:
>>     HOME_NET:
>> "[192.168.62.245,192.168.62.246,192.168.62.247,192.168.62.248,192.168.62.249,192.168.62.250,192.168.62.251,192.168.62.252,192.168.62.253,192.168.62.254]"
>>     EXTERNAL_NET: "any"
>>     HTTP_SERVERS: "$HOME_NET"
>>     #SMTP_SERVERS: "$HOME_NET"
>>     #SQL_SERVERS: "$HOME_NET"
>>     #DNS_SERVERS: "$HOME_NET"
>>     #TELNET_SERVERS: "$HOME_NET"
>>     #AIM_SERVERS: "$EXTERNAL_NET"
>>     #DNP3_SERVER: "$HOME_NET"
>>     #DNP3_CLIENT: "$HOME_NET"
>>     #MODBUS_CLIENT: "$HOME_NET"
>>     #MODBUS_SERVER: "$HOME_NET"
>>     #ENIP_CLIENT: "$HOME_NET"
>>     #ENIP_SERVER: "$HOME_NET"
>>   port-groups:
>>     HTTP_PORTS: "[80]"
>>     SHELLCODE_PORTS: "!80"
>>     #ORACLE_PORTS: 1521
>> host-os-policy:
>>   windows: [0.0.0.0/0]
>>   bsd: []
>>   bsd-right: []
>>   old-linux: []
>>   linux: []
>>   old-solaris: []
>>   solaris: []
>>   hpux10: []
>>   hpux11: []
>>   irix: []
>>   macos: []
>>   vista: []
>>   windows2k3: []
>> asn1-max-frames: 256
>>
>> pcre:
>>   match-limit: 3500
>>   match-limit-recursion: 1500
>>
>> app-layer:
>>   protocols:
>>     tls:
>>       enabled: no
>>       detection-ports:
>>         toserver: 443
>>
>>       #no-reassemble: yes
>>     dcerpc:
>>       enabled: no
>>     ftp:
>>       enabled: no
>>     ssh:
>>       enabled: no
>>     smtp:
>>       enabled: no
>>     imap:
>>       enabled: detection-only
>>     msn:
>>       enabled: no
>>     smb:
>>       enabled: no
>>       detection-ports:
>>         toserver: 139
>>     dns:
>>       tcp:
>>         enabled: no
>>       udp:
>>         enabled: no
>>     http:
>>       enabled: yes
>>       memcap: 128mb
>>       #libhtp:
>>       # default-config:
>>       #    personality: IDS
>>       #    request-body-limit: 0
>>       #    response-body-limit: 0
>>       #    request-body-minimal-inspect-size: 32kb
>>       #    request-body-inspect-window: 4kb
>>       #    response-body-minimal-inspect-size: 32kb
>>       #    response-body-inspect-window: 4kb
>>       #    double-decode-path: no
>>       #    double-decode-query: no
>> profiling:
>>   rules:
>>     enabled: no
>>     filename: rule_perf.log
>>     append: no
>>     sort: avgticks
>>   packets:
>>     enabled: no
>>     filename: packet_stats.log
>>     append: no
>>     csv:
>>       enabled: no
>>       filename: packet_stats.csv
>> coredump:
>>   max-dump: unlimited
>> ==========================================
>>
>> Could you please help give me a hand?
>> Thanks
>>
>> George
>>
>>
>> 来自网易手机号码邮箱了解更多
>>
>> _______________________________________________
>> Suricata IDS Devel mailing list: oisf-devel@openinfosecfoundation.org
>> Site: http://suricata-ids.org | Participate:
>> http://suricata-ids.org/participate/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>> Redmine: https://redmine.openinfosecfoundation.org/
>
>
>
>How much traffic are you inspecting?
>
>
>-- 
>Regards,
>Peter Manev
>_______________________________________________
>Suricata IDS Devel mailing list: oisf-devel@openinfosecfoundation.org
>Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>Redmine: https://redmine.openinfosecfoundation.org/
</pre></div><br><br><span title="neteasefooter"><span id="netease_mail_footer"></span></span>