[Oisf-devel] Suricata rule reloading mem leak

Breno Silva breno.silva at gmail.com
Mon Sep 17 20:21:28 UTC 2018


Maybe another important piece of information: the HOME_NET variable is set by
the "include homenet.yaml" file.

On Mon, Sep 17, 2018 at 5:07 PM Breno Silva <breno.silva at gmail.com> wrote:

> I'm looking at my logs and it takes ~100 reloads to crash.
> But I'm not sure if the amount of rules will change it or not.
>
> On Mon, Sep 17, 2018 at 5:06 PM Breno Silva <breno.silva at gmail.com> wrote:
>
>> Victor,
>>
>> Suricata 4.0.4
>> It reports :
>> 11/9/2018 -- 13:11:22 - <Notice> - rule reload complete
>> 11/9/2018 -- 13:11:48 - <Notice> - rule reload starting
>> 11/9/2018 -- 13:12:19 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
>> allocating memory
>> ...
>>
>> 12/9/2018 -- 07:38:49 - <Notice> - rule reload complete
>> 12/9/2018 -- 07:39:46 - <Notice> - rule reload starting
>> 12/9/2018 -- 07:40:17 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
>> allocating memory
>> ...
>>
>> 12/9/2018 -- 10:01:54 - <Notice> - rule reload complete
>> 12/9/2018 -- 10:02:52 - <Notice> - rule reload starting
>> 12/9/2018 -- 10:03:24 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
>> allocating memory
>> ...
>>
>> 12/9/2018 -- 14:00:09 - <Notice> - rule reload complete
>> 12/9/2018 -- 14:01:04 - <Notice> - rule reload starting
>> 12/9/2018 -- 14:01:37 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
>> allocating memory
>>
>> On Mon, Sep 17, 2018 at 5:01 PM Victor Julien <lists at inliniac.net> wrote:
>>
>>> On 17-09-18 21:55, Breno Silva wrote:
>>> > I have a tool that monitors all my interfaces' ipv4/ipv6 addresses and
>>> > when they change, the tool re-defines HOME_NET and sends a signal to
>>> > suricata for rule reloading. Looks like there is a memory leak when it
>>> > happens and the suricata process memory increases until it crashes.
>>> >
>>> > All yaml files exist and are successfully loaded.
>>>
>>> Can you add some relevant info? What suri version, what did you try
>>> already, how often does it reload before the crash, what kind of crash,
>>> etc?
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Participate:
>>> http://suricata-ids.org/participate/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>> Redmine: https://redmine.openinfosecfoundation.org/
>>>
>>>
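
Added example, not part of the original thread or of Suricata's code: a Python script that pairs each "rule reload starting" line with its outcome in logs of the format quoted above, so failed reloads (SC_ERR_MEM_ALLOC) and their durations can be counted. The sample log is constructed, and the name parse_reloads is hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the format of the excerpts quoted in this thread
# (the mail client wrapped the error lines; here they are on one line).
SAMPLE_LOG = """\
11/9/2018 -- 13:11:22 - <Notice> - rule reload complete
11/9/2018 -- 13:11:48 - <Notice> - rule reload starting
11/9/2018 -- 13:12:19 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error allocating memory
12/9/2018 -- 07:38:20 - <Notice> - rule reload starting
12/9/2018 -- 07:38:49 - <Notice> - rule reload complete
12/9/2018 -- 07:39:46 - <Notice> - rule reload starting
12/9/2018 -- 07:40:17 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error allocating memory
"""

LINE_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(\w+)> - (.*)$")


def parse_reloads(text):
    """Return (start_time, outcome, seconds) for every reload attempt.

    outcome is 'complete', 'mem_alloc_error', or 'unknown' when no result
    line appears before the next reload start or the end of the log.
    """
    results, start = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip continuation lines and anything unparseable
        ts = datetime.strptime(m.group(1), "%d/%m/%Y -- %H:%M:%S")
        level, msg = m.group(2), m.group(3)
        if msg == "rule reload starting":
            if start is not None:  # previous reload never reported a result
                results.append((start, "unknown", None))
            start = ts
        elif start is not None:
            if msg == "rule reload complete":
                outcome = "complete"
            elif level == "Error" and "SC_ERR_MEM_ALLOC" in msg:
                outcome = "mem_alloc_error"
            else:
                continue  # unrelated log line during the reload
            results.append((start, outcome, (ts - start).total_seconds()))
            start = None
    if start is not None:
        results.append((start, "unknown", None))
    return results
```
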