[Oisf-devel] Inspect a memory leak issue for all suricata versions.
Peter Manev
petermanev at gmail.com
Thu Jul 24 18:39:53 UTC 2014
On Thu, Jun 5, 2014 at 2:20 PM, greatwall <13811880491 at 126.com> wrote:
> Hi all:
>
> I run suricata on a Debian (5.0.0) platform. I have an issue where the memory
> usage of the suricata process increases from 300MB to 2GB. I have tested
> suricata 1.4.5/1.4.6/2.0/2.0.1, and the same issue occurs in all of these versions.
> My configuration is as follows:
> ==========================================
> %YAML 1.1  # under the 1.1 directive yes/no/on/off are booleans; the enabled:/append:/prealloc: keys below rely on that
> ---
>
> max-pending-packets: 65000  # NOTE(review): large pending-packet pool; its memory is not bounded by any memcap in this file
> host-mode: auto
> pid-file: /var/run/suritaca.pid  # NOTE(review): "suritaca" spelling is also used for the log and rule paths below; confirm it matches the installed layout
> action-order:
> - pass
> - reject
> - drop
> - alert
> default-log-dir: /var/log/suritaca/
> outputs:
> - fast:
> enabled: no
> filename: fast.log
> append: no
> - http-log:
> enabled: yes
> filename: http.log
> append: yes
> - stats:
> enabled: no  # NOTE(review): enabling stats would help tell a real leak from growth within the memcaps configured below
> filename: stats.log
> interval: 8
> nfq:
> mode: accept
> detect-engine:
> - profile: medium
> - custom-values:
> toclient-src-groups: 200
> toclient-dst-groups: 200
> toclient-sp-groups: 200
> toclient-dp-groups: 300
> toserver-src-groups: 200
> toserver-dst-groups: 400
> toserver-sp-groups: 200
> toserver-dp-groups: 250
> - sgh-mpm-context: auto
> - inspection-recursion-limit: 3000
> threading:
> set-cpu-affinity: yes
> cpu-affinity:
> - management-cpu-set:
> cpu: [ 0, 1 ]
> - receive-cpu-set:
> cpu: [ 2, 3 ]
> - decode-cpu-set:
> cpu: [ 4 ]
> mode: "balanced"
> - stream-cpu-set:
> cpu: [ 5 ]
> - detect-cpu-set:
> cpu: [ 6, 7 ]
> mode: "exclusive"
> prio:
> low: [ "all" ]
> medium: [ 6-7 ]
> high: [ "all" ]
> default: "medium"
> - verdict-cpu-set:
> cpu: [ 5 ]
> prio:
> default: "high"
> - reject-cpu-set:
> cpu: [ 5 ]
> prio:
> default: "low"
> - output-cpu-set:
> cpu: [ 5 ]
> prio:
> default: "medium"
>
> detect-thread-ratio: 1.5
>
> cuda:
> - mpm:
> packet-buffer-limit: 2400
> packet-size-limit: 1500
> packet-buffers: 10
> batching-timeout: 1
> page-locked: enabled
> device-id: 0
> cuda-streams: 2
> mpm-algo: ac
> pattern-matcher:
> - b2gc:
> search-algo: B2gSearchBNDMq
> hash-size: low
> bf-size: medium
> - b2gm:
> search-algo: B2gSearchBNDMq
> hash-size: low
> bf-size: medium
> - b2g:
> search-algo: B2gSearchBNDMq
> hash-size: low
> bf-size: medium
> - b3g:
> search-algo: B3gSearchBNDMq
> hash-size: low
> bf-size: medium
> - wumanber:
> hash-size: low
> bf-size: medium
>
>
> defrag:
> memcap: 32mb
> hash-size: 65536
> trackers: 65535 # number of defragmented flows to follow
> max-frags: 65535 # number of fragments to keep (higher than trackers)
> prealloc: yes
> timeout: 60
>
> flow:
> memcap: 512mb
> hash-size: 102400
> prealloc: 400000  # presumably allocates 400k flow entries up front; confirm they are counted against the 512mb flow memcap
> emergency-recovery: 30
> prune-flows: 5
>
> vlan:
> use-for-tracking: true
>
> flow-timeouts:
> default:
> new: 30
> established: 300
> closed: 0
> emergency-new: 10
> emergency-established: 100
> emergency-closed: 0
> tcp:
> new: 60
> established: 600
> closed: 120
> emergency-new: 10
> emergency-established: 300
> emergency-closed: 20
> udp:
> new: 30
> established: 300
> emergency-new: 10
> emergency-established: 100
> icmp:
> new: 30
> established: 300
> emergency-new: 10
> emergency-established: 100
> stream:  # NOTE(review): the memcaps set in this file (defrag 32mb, flow 512mb, stream 1024mb, reassembly 64mb, host 16mb, http 128mb) total roughly 1.8GB
> memcap: 1024mb  # largest single cap; growth of the process toward 2GB may be within the configured caps rather than a leak
> checksum-validation: yes
> inline: auto
> prealloc-sessions: 32768
> midstream: false
> max-synack-queued: 16
>
> reassembly:
> memcap: 64mb
> depth: 1mb
> toserver-chunk-size: 2560
> toclient-chunksize: 2560
> randomize-chunk-size: yes
>
> host:
> hash-size: 4096
> prealloc: 1000
> memcap: 16777216  # host memcap given in bytes (16mb), unlike the "mb"-suffixed caps elsewhere in this file
>
> logging:
> default-log-level: info
> default-output-filter:  # bare value parses as null
> outputs:
> - console:
> enabled: no
> - file:
> enabled: no
> filename: /var/log/suritaca/log
> # - syslog:
> # enabled: no
> # facility: local5
> # format: "[%i] <%d> -- "
>
> pfring:
> - interface: eth1
> threads: 1  # NOTE(review): a single capture thread, while receive-cpu-set above lists cpus 2 and 3
> cluster-id: 99
> cluster-type: cluster-round-robin
> ipfw:
> default-rule-path: /var/log/suritaca/rules/
> rule-files:
> - ips.rules
> classification-file: /var/log/suritaca/rules/classification.config
> reference-config-file: /var/log/suritaca/rules/reference.config
> threshold-file: /var/log/suritaca/rules/threshold.config
>
> vars:
> address-groups:
> HOME_NET:
> "[192.168.62.245,192.168.62.246,192.168.62.247,192.168.62.248,192.168.62.249,192.168.62.250,192.168.62.251,192.168.62.252,192.168.62.253,192.168.62.254]"
> EXTERNAL_NET: "any"
> HTTP_SERVERS: "$HOME_NET"
> #SMTP_SERVERS: "$HOME_NET"
> #SQL_SERVERS: "$HOME_NET"
> #DNS_SERVERS: "$HOME_NET"
> #TELNET_SERVERS: "$HOME_NET"
> #AIM_SERVERS: "$EXTERNAL_NET"
> #DNP3_SERVER: "$HOME_NET"
> #DNP3_CLIENT: "$HOME_NET"
> #MODBUS_CLIENT: "$HOME_NET"
> #MODBUS_SERVER: "$HOME_NET"
> #ENIP_CLIENT: "$HOME_NET"
> #ENIP_SERVER: "$HOME_NET"
> port-groups:
> HTTP_PORTS: "[80]"
> SHELLCODE_PORTS: "!80"
> #ORACLE_PORTS: 1521
> host-os-policy:
> windows: [0.0.0.0/0]
> bsd: []
> bsd-right: []
> old-linux: []
> linux: []
> old-solaris: []
> solaris: []
> hpux10: []
> hpux11: []
> irix: []
> macos: []
> vista: []
> windows2k3: []
> asn1-max-frames: 256
>
> pcre:
> match-limit: 3500
> match-limit-recursion: 1500
>
> app-layer:
> protocols:
> tls:
> enabled: no
> detection-ports:
> toserver: 443
>
> #no-reassemble: yes
> dcerpc:
> enabled: no
> ftp:
> enabled: no
> ssh:
> enabled: no
> smtp:
> enabled: no
> imap:
> enabled: detection-only
> msn:
> enabled: no
> smb:
> enabled: no
> detection-ports:
> toserver: 139
> dns:
> tcp:
> enabled: no
> udp:
> enabled: no
> http:
> enabled: yes
> memcap: 128mb
> #libhtp:  # NOTE(review): libhtp body limits and inspect sizes are commented out, so this file sets none; confirm the built-in defaults in use
> # default-config:
> # personality: IDS
> # request-body-limit: 0
> # response-body-limit: 0
> # request-body-minimal-inspect-size: 32kb
> # request-body-inspect-window: 4kb
> # response-body-minimal-inspect-size: 32kb
> # response-body-inspect-window: 4kb
> # double-decode-path: no
> # double-decode-query: no
> profiling:
> rules:
> enabled: no
> filename: rule_perf.log
> append: no
> sort: avgticks
> packets:
> enabled: no
> filename: packet_stats.log
> append: no
> csv:
> enabled: no
> filename: packet_stats.csv
> coredump:
> max-dump: unlimited  # core files of this process include the packet and session data it holds in memory; keep the dump location access-restricted
> ==========================================
>
> Could you please give me a hand?
> Thanks
>
> George
>
>
>
How much traffic are you inspecting?
--
Regards,
Peter Manev