<div dir="ltr">ok forget about last engine error. One of my PCAP reads had a path error that I had repeated a few times before realizing. The high settings I set resolves the alloc errors but basically it is failing to parse any luajit rules now even though it is going through them ok and when I setup the rules I checked that the correct packets and individual lua files were tested against file types. <br></div><div class="gmail_extra"><br><div class="gmail_quote">On 18 January 2016 at 10:50, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, Jan 18, 2016 at 11:43 AM, Kevin Ross <<a href="mailto:kevross33@googlemail.com">kevross33@googlemail.com</a>> wrote:<br>
> Actually increasing it significantly higher seems to have resolved those<br>
> error messages:<br>
><br>
> flow:<br>
> memcap: 4gb<br>
> hash-size: 15728640<br>
> prealloc: 8000000<br>
> emergency-recovery: 30<br>
> #managers: 1 # default to one flow manager<br>
> #recyclers: 1 # default to one flow recycler thread<br>
><br>
<br>
</span>Can you try with<br>
hash-size: 65534<br>
prealloc: 20000<br>
<br>
and see if any diff ?<br>
<div class="HOEnZb"><div class="h5"><br>
> However now it is failing to actually parse any signatures from luajit.rules<br>
><br>
> On 18 January 2016 at 10:35, Kevin Ross <<a href="mailto:kevross33@googlemail.com">kevross33@googlemail.com</a>> wrote:<br>
>><br>
>> Hi,<br>
>><br>
>> yes I found that during initial troubleshooting and checking internet for<br>
>> same issues. It seems to be the same but changing these values have not<br>
>> resolved this for me:<br>
>><br>
>> [16087] 18/1/2016 -- 10:33:02 - (util-pool.c:169) <Error> (PoolInit) --<br>
>> [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error<br>
>> [16087] 18/1/2016 -- 10:33:03 - (detect-lua.c:221) <Error><br>
>> (DetectLuajitSetupStatesPool) -- [ERRCODE: SC_ERR_LUA_ERROR(212)] - luastate<br>
>> pool init failed, lua/luajit keywords won't work<br>
>><br>
>> I have raised the memcaps to 1gb and the prealloc to 20,000 and then<br>
>> 40,000 to see if that helps but I still get the same issue.<br>
>><br>
>><br>
>> On 18 January 2016 at 10:20, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:<br>
>>><br>
>>> On Mon, Jan 18, 2016 at 11:14 AM, Kevin Ross <<a href="mailto:kevross33@googlemail.com">kevross33@googlemail.com</a>><br>
>>> wrote:<br>
>>> ><br>
>>> > Hi,<br>
>>> ><br>
>>> > On a relatively new build what causes this error which is preventing<br>
>>> > luajit rules from working? I get this error which seems to be the base issue<br>
>>> > before all the rule errors and luajit detect errors then occur:<br>
>>> ><br>
>>> > (detect-lua.c:221) <Error> (DetectLuajitSetupStatesPool) -- [ERRCODE:<br>
>>> > SC_ERR_LUA_ERROR(212)] - luastate pool init failed, lua/luajit keywords<br>
>>> > won't work<br>
>>> ><br>
>>> > The compile however goes ok for luajit:<br>
>>> ><br>
>>> ><br>
>>> ><br>
>>> > The system is running on Centos 7 with latest Suciricata Dev version<br>
>>> > currently (as I upgraded to try and see if that fixes it and also because I<br>
>>> > use forward proxy stuff). This runs in IDS mode only.<br>
>>> ><br>
>>><br>
>>> Hi<br>
>>><br>
>>> Similar to this -<br>
>>> <a href="https://redmine.openinfosecfoundation.org/issues/1611" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/issues/1611</a><br>
>>> ?<br>
>>><br>
>>> Can you try to see if adjusting the memcaps and prealloc will work for<br>
>>> you ?<br>
>>><br>
>>> Thanks<br>
>>><br>
>>> ><br>
>>> > Kind Regards,<br>
>>> > Kevin Ross<br>
>>> ><br>
>>> > _______________________________________________<br>
>>> > Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>>> > Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support:<br>
>>> > <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
>>> > List:<br>
>>> > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>>> > Suricata User Conference November 4 & 5 in Barcelona:<br>
>>> > <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
>>><br>
>>><br>
>>><br>
>>><br>
>>> --<br>
>>> Regards,<br>
>>> Peter Manev<br>
>><br>
>><br>
><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Regards,<br>
Peter Manev<br>
</font></span></blockquote></div><br></div>