<div dir="ltr"><div>To answer my own question, since it's a 32bit compiled binary, the limit for the process address map is 4GB.<br><br></div>I'll have to prune the resource usage, or re-compile the binary and libraries 64bit.<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Dec 18, 2013 at 4:33 PM, Mark Ashley <span dir="ltr"><<a href="mailto:mark@ibiblio.org" target="_blank">mark@ibiblio.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div>Solaris 11 x86<br></div>X4600 128GB RAM, 16 x AMD8220s<br></div>Suricata master-2013-12-02<br>
<br></div>I'm seeing memory "exhaustion" issues with starting suricata with pretty much all of the rules switched on, including the emerging ones. The process gets up to about 3.85GB RSS and then crashes with the errors below.<br>
<br></div>I'm looking at the suricata.yaml file and trying to find out where I can increase limits to allow the rules to be there, and suricata to cache them. There's no issue with available RAM or a ulimit setting. It can have it all.<br>
<br></div>ta,<br>Mark.<br><br><div><div><br>[1<font size="1"><span style="font-family:courier new,monospace">] 18/12/2013 -- 15:01:53 - (suricata.c:1877) <Info> (PostConfLoadedSetup) -- No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'<br>
[1] 18/12/2013 -- 15:01:53 - (defrag-hash.c:209) <Info> (DefragInitConfig) -- allocated 1280000 bytes of memory for the defrag hash... 40000 buckets of size 32<br>[1] 18/12/2013 -- 15:01:53 - (defrag-hash.c:236) <Info> (DefragInitConfig) -- preallocated 50000 defrag trackers of size 136<br>
[1] 18/12/2013 -- 15:01:53 - (defrag-hash.c:243) <Info> (DefragInitConfig) -- defrag memory usage: 8080000 bytes, maximum: 4294967296<br>[1] 18/12/2013 -- 15:01:53 - (tmqh-flow.c:61) <Info> (TmqhFlowRegister) -- AutoFP mode using "Round Robin" flow load balancer<br>
[1] 18/12/2013 -- 15:01:53 - (suricata.c:1910) <Info> (PostConfLoadedSetup) -- Will use direct allocation instead of packet pool<br>[1] 18/12/2013 -- 15:01:53 - (host.c:202) <Info> (HostInitConfig) -- allocated 131072 bytes of memory for the host hash... 4096 buckets of size 32<br>
[1] 18/12/2013 -- 15:01:53 - (host.c:227) <Info> (HostInitConfig) -- preallocated 5000 hosts of size 96<br>[1] 18/12/2013 -- 15:01:53 - (host.c:229) <Info> (HostInitConfig) -- host memory usage: 651072 bytes, maximum: <a href="tel:17179869184" value="+17179869184" target="_blank">17179869184</a><br>
[1] 18/12/2013 -- 15:01:53 - (flow.c:383) <Info> (FlowInitConfig) -- allocated 2097152 bytes of memory for the flow hash... 65536 buckets of size 32<br>[1] 18/12/2013 -- 15:01:55 - (flow.c:409) <Info> (FlowInitConfig) -- preallocated 1000000 flows of size 236<br>
[1] 18/12/2013 -- 15:01:55 - (flow.c:411) <Info> (FlowInitConfig) -- flow memory usage: 242097152 bytes, maximum: 4294967296<br>[1] 18/12/2013 -- 15:01:55 - (reputation.c:459) <Info> (SRepInit) -- IP reputation disabled<br>
[1] 18/12/2013 -- 15:01:55 - (util-magic.c:62) <Info> (MagicInit) -- using magic-file /usr/local/share/misc/magic.mgc<br>[1] 18/12/2013 -- 15:01:55 - (suricata.c:1753) <Info> (SetupDelayedDetect) -- Delayed detect disabled<br>
[1] 18/12/2013 -- 15:02:11 - (detect.c:453) <Info> (SigLoadSignatures) -- 49 rule files processed. 15023 rules successfully loaded, 0 rules failed<br>[1] 18/12/2013 -- 15:02:11 - (detect.c:2564) <Info> (SigAddressPrepareStage1) -- 15040 signatures processed. 1039 are IP-only rules, 5182 are inspecting packet payload, 10662 inspect application layer, 83 are decoder event only<br>
[1] 18/12/2013 -- 15:02:11 - (detect.c:2570) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete<br>[1] 18/12/2013 -- 15:02:13 - (detect.c:3194) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete<br>
[1] 18/12/2013 -- 15:03:39 - (util-mpm-ac.c:430) <Error> (SCACInitNewState) -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - SCRealloc failed: Not enough space, while trying to allocate 15066112 bytes<br>[1] 18/12/2013 -- 15:03:39 - (util-mpm-ac.c:430) <Error> (SCACInitNewState) -- [ERRCODE: SC_ERR_FATAL(171)] - Out of memory. The engine cannot be initialized. Exiting...</span></font><br>
<br></div></div></div>
</blockquote></div><br></div>