[Oisf-devel] Mem leaks

Chris Wakelin c.d.wakelin at reading.ac.uk
Fri Oct 14 14:55:16 UTC 2011


On 14/10/11 14:25, Martin Holste wrote:
>> Coming to the memory usage, ac changes might be the reason behind the
>> mem increase (not a leak).  I have changed all u16 buffers to u32 and
>> so on.  The usage increase might look bigger when ac-full is used,
>> although with ac-single it should be pretty okay.  Btw you should see
>> much better perf (around 15%-20%).  How big's your ruleset btw?

Ours is about 4k rules. Memory use seems pretty stable at 9-10GB. I'm no
longer getting crashes when killing suricata. The only problem is that
occasionally one or more of the threads stops processing packets.

> I've now been seeing a very strange phenomenon in which low traffic
> periods actually lead to missed heartbeats.  Very bizarre!  The sensor
> performs well during peak load (around 700 Mb/sec), but when the load
> drops at night to more like 250 Mb/sec, it starts missing a lot of
> alerts.  I've never seen anything like it, but it's been going on for
> a few nights now.  This is with commit 58d7cb.

We don't have a heartbeat sig, but I'm seeing some missed alerts, I think.

Very strangely, I don't seem to be getting hits for the octal Java
exploit - I tried older versions of Suricata and the ruleset without
getting hits either, so possibly I'm doing something stupid. The alerts
seem to have dried up since 2nd October.

I'd expect hits from the Blackhole and Saturn Kits at least, e.g.

> 10/13/2011-21:47:55.029918 520329619 [**] /Main.class [**] Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**]  [**] 0 bytes [**] xxx.xxx.xxx.xxx:xxxxx -> 31.3.153.147:80

(actually me downloading the latest Blackhole Main.class manually) in
http.log should match something in fast.log, but didn't.

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
