[Oisf-devel] Mem leaks
Victor Julien
victor at inliniac.net
Fri Oct 14 16:08:21 UTC 2011

On 10/14/2011 04:55 PM, Chris Wakelin wrote:
> On 14/10/11 14:25, Martin Holste wrote:
>>> Coming to the memory usage, ac changes might be the reason behind the
>>> mem increase (not a leak). I have changed all u16 buffers to u32 and
>>> so on. The usage increase might look bigger when ac-full is used,
>>> although with ac-single it should be pretty okay. Btw you should see
>>> much better perf (around 15%-20%). How big's your ruleset btw?
>
> Ours is about 4k rules. Memory use seems pretty stable at 9-10GB. I'm no
> longer getting crashes when killing suricata. The only problem is that
> occasionally one or more of the threads stops processing packets.

Stops completely? Or for short periods?

>> I've now been seeing a very strange phenomenon in which low traffic
>> periods actually lead to missed heartbeats. Very bizarre! The sensor
>> performs well during peak load (around 700 Mb/sec), but when the load
>> drops at night to more like 250 Mb/sec, it starts missing a lot of
>> alerts. I've never seen anything like it, but it's been going on for
>> a few nights now. This is with commit 58d7cb.
>
> We don't have a heartbeat sig, but I'm seeing some missed alerts, I think.
>
> Very strangely, I don't seem to be getting hits for the octal Java
> exploit - I tried older versions of Suricata and the ruleset without
> getting hits either, so possibly I'm doing something stupid. The alerts
> seem to have dried up since 2nd October.
> I'd expect hits from the Blackhole and Saturn Kits at least, e.g.
>
>> 10/13/2011-21:47:55.029918 520329619 [**] /Main.class [**] Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_22 [**] <no referer> [**] GET [**] HTTP/1.1 [**] [**] 0 bytes [**] xxx.xxx.xxx.xxx:xxxxx -> 31.3.153.147:80
>
> (actually me downloading the latest Blackhole Main.class manually) in
> http.log should match something in fast.log, but didn't.

Can you share a pcap for this one?

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------