[Oisf-devel] suricata memory consumption not follow down after http test stoped.

Victor Julien victor at inliniac.net
Wed Sep 14 07:50:49 UTC 2011 

Could you try lowering the flow timeout settings?

flow-timeouts:

  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency_new: 10
    emergency_established: 300
    emergency_closed: 20

@Peter, can you try to reproduce this?

Cheers,
Victor


On 09/14/2011 03:45 AM, Delta Yeh wrote:
> I wait 5 minutes before I start the second test, the memory did not descrease.
> After the second test finished, it increase to 80%, I wait about 5
> minutes again,
> still did not decrease, then I start the third.
> During the third test, It increase to 92% , and I have to stop the
> test by quit suricata.
> 
> And there is NO rules loaded at all, I use the defualt suricata.yaml
> which comments out
> all rules .
> 
> 2011/9/13 Peter Manev <petermanev at gmail.com>:
> - 隐藏引用文字 -
>>
>>
>> On Tue, Sep 13, 2011 at 2:39 PM, Delta Yeh <delta.yeh at gmail.com> wrote:
>>>
>>> Hi,
>>>  I update suricata source to git HEAD.
>>>  I  build suricata in a Debian lenny virtual machine( 1GRAM , two
>>> core 2.1G CPU) with
>>>    1. autogen.sh
>>>     2. ./configure
>>>     3. make && make install
>>>
>>>  The suricata.yaml is the default .
>>> I use ./suricata -c /etc/suricata/suricata.yaml -i eth0  to start
>>> suricata.
>>>
>>> I run apache ab( ab -c 1 -n 60000   http://192.168.1.123/) to test
>>> suricata(a simple nginx welcome page).
>>> During the test, I can see the memory suricata consumed grown up.
>>> When 60000 request finished, in the top output,the suricata process
>>> mem is 45.2%.
>>> 5 minutes later, the mem is STILL 45.2%, only CPU change from 45% to 4%.
>>>
>>> I then start another 60000 http request test with ab, the memory
>>> suricata consumed INCREASED!!
>>>
>>> It this a memory leakage?
>>>
>>>
>>> ----------------------------------------------------------
>>>
>>> debian:~/suricata/oisf# uname -a
>>> Linux debian 2.6.26-2-686 #1 SMP Wed May 12 21:56:10 UTC 2010 i686
>>> GNU/Linux
>>> debian:~/suricata/oisf# src/.libs/suricata  --build-info
>>> [26298] 13/9/2011 -- 20:38:10 - (suricata.c:633) <Info> (main) -- This
>>> is Suricata version 1.1beta2 (rev e131814)
>>> [26298] 13/9/2011 -- 20:38:10 - (suricata.c:516) <Info>
>>> (SCPrintBuildInfo) -- Features: LIBPCAP_VERSION_MAJOR=0 LIBCAP_NG
>>> LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
>>> [26298] 13/9/2011 -- 20:38:10 - (suricata.c:530) <Info>
>>> (SCPrintBuildInfo) -- 32-bits, Little-endian architecture
>>> [26298] 13/9/2011 -- 20:38:10 - (suricata.c:532) <Info>
>>> (SCPrintBuildInfo) -- GCC version 4.3.2, C version 199901
>>> [26298] 13/9/2011 -- 20:38:10 - (suricata.c:538) <Info>
>>> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
>>> [26298] 13/9/2011 -- 20:38:10 - (suricata.c:541) <Info>
>>> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
>>> [26298] 13/9/2011 -- 20:38:10 - (suricata.c:544) <Info>
>>> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
>>> [26298] 13/9/2011 -- 20:38:10 - (suricata.c:547) <Info>
>>> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
>>>
>>> top output:
>>> PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>> 26081 root      20   0 1129m 540m 1860 S 47.2 53.2   5:27.69 suricata
>>> 26284 root      20   0 12832 3208 2164 R  8.6  0.3   0:13.54 ab
>>>
>>> BR,
>>>  DeltaY
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>>
>> Hi Delta,
>> After the second stress test - did the memory consumption from Suricata
>> stayed at the same level or decreased again after some time (like 5 min
>> after the 2nd test was over)?
>>
>> Thanks
>>
>>
>> --
>> Peter Manev
>>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-devel mailing list