<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Lucida Calligraphy";
panose-1:3 1 1 1 1 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoNoSpacing, li.MsoNoSpacing, div.MsoNoSpacing
{mso-style-priority:1;
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:264189355;
mso-list-template-ids:1353228174;}
@list l1
{mso-list-id:651984755;
mso-list-type:hybrid;
mso-list-template-ids:1150477178 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">When loading certain types of signatures received the follow error<o:p></o:p></p>
<p class="MsoNormal">Critical> - [ERRCODE: SC_ERR_AHO_CORASICK(174)] - Just ran out of space in the queue. Fatal Error. Exiting. Please file a bug report on this<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">After increasing the STATE_QUEUE_CONTAINER_SIZE to 524288 the rule file loaded but found an anomaly.
<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraphCxSpFirst" style="margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo3">
Why is it that ‘STATE_QUEUE_CONTAINER_SIZE’ does not always need to be increased to load a large number of rules (see below).<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo3">
What is the highest number of rules the suricata can handle, assuming no limitation to memory? Tried increasing STATE_QUEUE_CONTAINER_SIZE to 1048576 and get a segmentation fault at startup.<o:p></o:p></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Attached are two files used to load 70k rules. <o:p></o:p></p>
<p class="MsoNoSpacing">Using - Suricata version 4.1.2 RELEASE<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNoSpacing">Test results with: STATE_QUEUE_CONTAINER_SIZE = 524288<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNoSpacing"><b><u>rule70k-1.rules<o:p></o:p></u></b></p>
<p class="MsoNoSpacing">8/4/2019 -- 15:57:10 - <Info> - 1 rule files processed. 70000 rules successfully loaded, 0 rules failed<o:p></o:p></p>
<p class="MsoNoSpacing">8/4/2019 -- 15:57:10 - <Info> - Threshold config parsed: 0 rule(s) found<o:p></o:p></p>
<p class="MsoNoSpacing">8/4/2019 -- 15:57:11 - <Info> - 70000 signatures processed. 0 are IP-only rules, 70000 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only<o:p></o:p></p>
<p class="MsoNoSpacing">8/4/2019 -- 15:57:13 - <Info> - cleaning up signature grouping structure... complete<o:p></o:p></p>
<p class="MsoNoSpacing">8/4/2019 -- 15:57:13 - <Notice> - rule reload complete<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNoSpacing"><b><u>rule70k-3.rules<o:p></o:p></u></b></p>
<p class="MsoNoSpacing">8/4/2019 -- 15:47:58 - <Info> - 1 rule files processed. 70000 rules successfully loaded, 0 rules fai<o:p></o:p></p>
<p class="MsoNoSpacing">led<o:p></o:p></p>
<p class="MsoNoSpacing">8/4/2019 -- 15:47:58 - <Info> - Threshold config parsed: 0 rule(s) found<o:p></o:p></p>
<p class="MsoNoSpacing">8/4/2019 -- 15:48:02 - <Info> - 70000 signatures processed. 0 are IP-only rules, 70000 are inspectin<o:p></o:p></p>
<p class="MsoNoSpacing">g packet payload, 0 inspect application layer, 0 are decoder event only<o:p></o:p></p>
<p class="MsoNoSpacing">8/4/2019 -- 15:48:06 - <Critical> - [ERRCODE: SC_ERR_AHO_CORASICK(174)] - Just ran out of space in t<o:p></o:p></p>
<p class="MsoNoSpacing">he queue. Fatal Error. Exiting. Please file a bug report on this<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNoSpacing">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Lucida Calligraphy"">Ena Gorham Johnson<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Lucida Calligraphy"">AT&T Labs<o:p></o:p></span></p>
<p class="MsoNormal">(470) 378-7867<o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:9.0pt"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:9.0pt">This communication may contain information that is privileged, or confidential. If you are not the intended recipient, please note FYI that any dissemination, distribution or copying of this communication
is strictly prohibited. Anyone who receives this message in error should notify the sender immediately by telephone or by return e-mail and delete it from his or her computer</span></i><i><span style="font-size:9.0pt"><o:p></o:p></span></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>