<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
Hello,
<div><br>
</div>
<div>We don't have the same problem, because we don't change $HOME_NET while reloading. But I can provide you with stats from a case of massively increased memory consumption while/after reloading if it helps? (suricata dev-4.1.)</div>
<div><br>
</div>
<div>Cheers,</div>
<div><br>
</div>
<div>Konstantin <br>
<br>
<div id="AppleMailSignature"><span style="background-color: rgba(255, 255, 255, 0);">-- <br>
Konstantin Klinger<br>
Security Content Engineer<br>
Threat Detection & Hunting (TDH)<br>
<br>
<a href="tel:+49%20160%2095476260" dir="ltr" x-apple-data-detectors="true" x-apple-data-detectors-type="telephone" x-apple-data-detectors-result="1">+49 160 95476260</a><br>
<a href="mailto:konstantin.klinger@dcso.de" dir="ltr" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="2">konstantin.klinger@dcso.de</a><br>
<br>
<a href="http://dcso.de/" dir="ltr" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="3">dcso.de</a><br>
<a href="http://blog.dcso.de/" dir="ltr" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="4">blog.dcso.de</a><br>
<br>
PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46<br>
 <br>
DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus<br>
22 • 10829 Berlin, Germany<br>
Managing Director: Dr.-Ing. Gunnar Siebert, Registered office: Berlin,<br>
Charlottenburg District Court HRB 172382</span></div>
<div><br>
On 18.09.2018 at 22:53, Andreas Herz <<a href="mailto:andi@geekosphere.org">andi@geekosphere.org</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div><span>On 17/09/18 at 17:21, Breno Silva wrote:</span><br>
<blockquote type="cite"><span>Maybe another important information, the HOME_NET variable is set by</span><br>
</blockquote>
<blockquote type="cite"><span>"include homenet.yaml" file.</span><br>
</blockquote>
<span></span><br>
<span>I had a similar setup some years ago and the issue was fixed in a</span><br>
<span>former suricata version. I could create a testcase and reproduce it</span><br>
<span>quite easily, can you do the same?</span><br>
<span></span><br>
<span>You could then look into the memory consumption from reload to reload.</span><br>
<span>It would be also interesting to see how much the memory consumption</span><br>
<span>increases by each reload and if there is a bigger jump within the first</span><br>
<span>reloads.</span><br>
<span></span><br>
<span>Do you have the same behaviour if you _don't_ change the HOME_NET</span><br>
<span>settings?</span><br>
<span></span><br>
<blockquote type="cite"><span>On Mon, Sep 17, 2018 at 5:07 PM Breno Silva <<a href="mailto:breno.silva@gmail.com">breno.silva@gmail.com</a>> wrote:</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>I'm looking at my logs and it takes ~100 reloads to crash.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>But not sure if amount of rules will change it or not.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>On Mon, Sep 17, 2018 at 5:06 PM Breno Silva <<a href="mailto:breno.silva@gmail.com">breno.silva@gmail.com</a>> wrote:</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Victor,</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Suricata 4.0.4</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>It reports :</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>11/9/2018 -- 13:11:22 - <Notice> - rule reload complete</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>11/9/2018 -- 13:11:48 - <Notice> - rule reload starting</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>11/9/2018 -- 13:12:19 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>allocating memory</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>...</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>12/9/2018 -- 07:38:49 - <Notice> - rule reload complete</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>12/9/2018 -- 07:39:46 - <Notice> - rule reload starting</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>12/9/2018 -- 07:40:17 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>allocating memory</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>...</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>12/9/2018 -- 10:01:54 - <Notice> - rule reload complete</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>12/9/2018 -- 10:02:52 - <Notice> - rule reload starting</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>12/9/2018 -- 10:03:24 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>allocating memory</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>...</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>12/9/2018 -- 14:00:09 - <Notice> - rule reload complete</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>12/9/2018 -- 14:01:04 - <Notice> - rule reload starting</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>12/9/2018 -- 14:01:37 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>allocating memory</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>On Mon, Sep 17, 2018 at 5:01 PM Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:</span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>On 17-09-18 21:55, Breno Silva wrote:</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>I have a tool that monitors all my interfaces' ipv4/ipv6 addresses and</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>when they change, the tool redefines HOME_NET and sends a signal to</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>suricata for rule reloading. Looks like there is a memory leak when it</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>happens and suricata process memory increases until crash.</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>All yaml files exist and are successfully loaded.</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Can you add some relevant info? What suri version, what did you try</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>already, how often does it reload before the crash, what kind of crash,</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>etc?</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>--</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>---------------------------------------------</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Victor Julien</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span><a href="http://www.inliniac.net/">http://www.inliniac.net/</a></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>PGP: <a href="http://www.inliniac.net/victorjulien.asc">
http://www.inliniac.net/victorjulien.asc</a></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>---------------------------------------------</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>_______________________________________________</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">
oisf-devel@openinfosecfoundation.org</a></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Participate:</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span><a href="http://suricata-ids.org/participate/">http://suricata-ids.org/participate/</a></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>List:</span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span><a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span>Redmine: <a href="https://redmine.openinfosecfoundation.org/">
https://redmine.openinfosecfoundation.org/</a></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<span></span><br>
<span></span><br>
<span></span><br>
<span>-- </span><br>
<span>Andreas Herz</span><br>
</div>
</blockquote>
</div>
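<div>Added example, not part of the original thread and not Suricata project code: one way to take the reload-to-reload memory measurement asked for above and check for a bigger jump in the first reloads. It assumes Linux /proc, that the reload is triggered with SIGUSR2, and a fixed settle time per reload; the function names, the warm-up count and the sample numbers are constructed for illustration.</div>

```python
import os
import re
import signal
import time
from statistics import mean

def read_rss_kib(pid, proc_root="/proc"):
    """Return the resident set size (VmRSS, KiB) of a process on Linux."""
    with open(os.path.join(proc_root, str(pid), "status")) as fh:
        for line in fh:
            m = re.match(r"VmRSS:\s+(\d+)\s+kB", line)
            if m:
                return int(m.group(1))
    raise RuntimeError("VmRSS not found for pid %s" % pid)

def sample_reloads(pid, reloads, settle_s=90):
    """Trigger `reloads` rule reloads and record RSS after each one.
    Assumption: SIGUSR2 starts a live rule reload and settle_s is long
    enough for 'rule reload complete' to be logged."""
    samples = [read_rss_kib(pid)]            # baseline before any reload
    for _ in range(reloads):
        os.kill(pid, signal.SIGUSR2)
        time.sleep(settle_s)
        samples.append(read_rss_kib(pid))
    return samples

def growth_report(samples, warmup=3, limit_kib=None):
    """Summarise RSS growth per reload; samples[0] is the baseline."""
    deltas = [after - before for before, after in zip(samples, samples[1:])]
    early, steady = deltas[:warmup], deltas[warmup:]
    early_mean = mean(early) if early else 0
    steady_mean = mean(steady) if steady else 0
    reloads_left = None
    if limit_kib is not None and steady_mean > 0:
        # Linear projection: reloads until RSS reaches the given ceiling.
        reloads_left = int((limit_kib - samples[-1]) // steady_mean)
    return {
        "deltas_kib": deltas,
        "early_mean_kib": early_mean,
        "steady_mean_kib": steady_mean,
        # Bigger jump in the first reloads than in the later ones?
        "early_jump": bool(early and steady) and early_mean > 2 * steady_mean,
        # A leak shows as growth on every reload after warm-up.
        "grows_every_reload": bool(steady) and all(d > 0 for d in steady),
        "reloads_until_limit": reloads_left,
    }

if __name__ == "__main__":
    constructed = [1000000, 1400000, 1450000, 1500000, 1550000, 1600000]
    print(growth_report(constructed, warmup=1, limit_kib=4000000))
```

<div>Running the same measurement once with HOME_NET changed between reloads and once with it unchanged gives the comparison the thread asks about.</div>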
</body>
</html>