[Oisf-devel] suricata memory consumption not follow down after http test stopped.

Victor Julien victor at inliniac.net
Fri Sep 16 09:41:45 UTC 2011


We have confirmed the issue. We're tracking it here:
https://redmine.openinfosecfoundation.org/issues/329

Cheers,
Victor

On 09/14/2011 11:12 AM, Victor Julien wrote:
> Can you run suricata in valgrind? It will slow it down a lot but it may
> help determine memleaks.
> 
> valgrind -v --leak-check=full --show-reachable=yes <your suricata commandline>
> 
> There are several minor leaks reported, but none of them should be large
> and none of them should have its origin in the "packet runtime".
> 
> You can also add --log-file=log to valgrind and attach the full log.
> 
> Cheers,
> Victor
> 
> On 09/14/2011 11:04 AM, Delta Yeh wrote:
>> The flow settings I use are
>>
>> max-pending-packets: 400
>> flow-timeouts:
>>   default:
>>     new: 10
>>     established:  20
>>     closed: 10
>>     emergency_new: 10
>>     emergency_established: 10
>>     emergency_closed: 0
>>   tcp:
>>     new: 10
>>     established:  20
>>     closed: 10
>>     emergency_new: 10
>>     emergency_established: 10
>>     emergency_closed: 20
>>
>>
>> I use command "./suricata -c /etc/suricata/suricata.yaml -i eth0 " to
>> start suricata
>>
>> Testing suricata with "ab  -c 10 -n 600000 http://192.168.1.123/", it
>> consumes less memory than before. But after the test finished, the memory
>> won't decrease (I waited 10 minutes).
>>
>> When 2 rounds of the test finished, the memory is:
>>
>>   PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
>> 28864  4335 root     S     893m  44%   1   4% ./suricata -c /etc/suricata/suricata.yaml -i eth0
>>
>> 10 minutes later, the memory does NOT decrease.
>>
>> During the test, I see some:
>>
>> [28867] 14/9/2011 -- 16:19:47 - (app-layer-parser.c:955) <Error>
>> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
>> parsing "http" app layer protocol, using network protocol 6, source IP
>> address 192.168.1.2, destination IP address 192.168.1.123, src port
>> 57806 and dst port 80
>>
>>
>>
>> I then use "ab  -c 20 -n 600000 http://192.168.1.123/".
>> After the test finished, the memory is:
>>
>>   PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
>> 28864  4335 root     S    1187m  59%   1   4% ./suricata -c /etc/suricata/suricata.yaml -i eth0
>>
>> I waited 10 minutes again, the memory does NOT decrease.
>>
>> This can be reproduced on my box.
>>
>> 2011/9/14 Victor Julien <victor at inliniac.net>:
>>> Could you try lowering the flow timeout settings?
>>>
>>> flow-timeouts:
>>>
>>>  tcp:
>>>    new: 60
>>>    established: 3600
>>>    closed: 120
>>>    emergency_new: 10
>>>    emergency_established: 300
>>>    emergency_closed: 20
>>>
>>> @Peter, can you try to reproduce this?
>>>
>>> Cheers,
>>> Victor
>>>
>>>
>>
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------