[Oisf-devel] Suricata rule reloading mem leak

Andreas Herz andi at geekosphere.org
Tue Sep 18 20:53:33 UTC 2018


On 17/09/18 at 17:21, Breno Silva wrote:
> Maybe another important piece of information: the HOME_NET variable is set by
> the "include homenet.yaml" file.

I had a similar setup some years ago and the issue was fixed in a
former Suricata version. I could create a testcase and reproduce it
quite easily, can you do the same?

You could then look into the memory consumption from reload to reload.
It would also be interesting to see how much the memory consumption
increases with each reload and if there is a bigger jump within the first
reloads.

Do you have the same behaviour if you _don't_ change the HOME_NET
settings?

> On Mon, Sep 17, 2018 at 5:07 PM Breno Silva <breno.silva at gmail.com> wrote:
> 
> > I'm looking at my logs and it takes ~100 reloads to crash.
> > But I'm not sure if the amount of rules will change it or not.
> >
> > On Mon, Sep 17, 2018 at 5:06 PM Breno Silva <breno.silva at gmail.com> wrote:
> >
> >> Victor,
> >>
> >> Suricata 4.0.4
> >> It reports :
> >> 11/9/2018 -- 13:11:22 - <Notice> - rule reload complete
> >> 11/9/2018 -- 13:11:48 - <Notice> - rule reload starting
> >> 11/9/2018 -- 13:12:19 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
> >> allocating memory
> >> ...
> >>
> >> 12/9/2018 -- 07:38:49 - <Notice> - rule reload complete
> >> 12/9/2018 -- 07:39:46 - <Notice> - rule reload starting
> >> 12/9/2018 -- 07:40:17 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
> >> allocating memory
> >> ...
> >>
> >> 12/9/2018 -- 10:01:54 - <Notice> - rule reload complete
> >> 12/9/2018 -- 10:02:52 - <Notice> - rule reload starting
> >> 12/9/2018 -- 10:03:24 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
> >> allocating memory
> >> ...
> >>
> >> 12/9/2018 -- 14:00:09 - <Notice> - rule reload complete
> >> 12/9/2018 -- 14:01:04 - <Notice> - rule reload starting
> >> 12/9/2018 -- 14:01:37 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
> >> allocating memory
> >>
> >> On Mon, Sep 17, 2018 at 5:01 PM Victor Julien <lists at inliniac.net> wrote:
> >>
> >>> On 17-09-18 21:55, Breno Silva wrote:
> >>> > I have a tool that monitors all my interfaces' ipv4/ipv6 addresses and
> >>> > when they change, the tool redefines HOME_NET and sends a signal to
> >>> > suricata for rule reloading. Looks like there is a memory leak when it
> >>> > happens and the suricata process memory increases until it crashes.
> >>> >
> >>> > All yaml files exist and are successfully loaded.
> >>>
> >>> Can you add some relevant info? What suri version, what did you try
> >>> already, how often does it reload before the crash, what kind of crash,
> >>> etc?
> >>>
> >>> --
> >>> ---------------------------------------------
> >>> Victor Julien
> >>> http://www.inliniac.net/
> >>> PGP: http://www.inliniac.net/victorjulien.asc
> >>> ---------------------------------------------
> >>>
> >>> _______________________________________________
> >>> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> >>> Site: http://suricata-ids.org | Participate:
> >>> http://suricata-ids.org/participate/
> >>> List:
> >>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> >>> Redmine: https://redmine.openinfosecfoundation.org/
> >>>
> >>>



-- 
Andreas Herz
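
Added example (not part of the original message and not Suricata project code): one way to take the reload-to-reload memory measurement suggested above and compare the first reloads against the later ones. It assumes Linux /proc, that Suricata reloads rules on SIGUSR2, and a log file containing the "rule reload complete" lines quoted in the thread; the function names, pid, log path and warmup count are hypothetical.

```python
import os
import signal
import sys
import time

RELOAD_DONE = "rule reload complete"  # <Notice> text from the log lines quoted in the thread

def rss_kb(pid, proc="/proc"):
    """Resident set size in kB, read from /proc/<pid>/status (Linux)."""
    with open(os.path.join(proc, str(pid), "status")) as fh:
        for line in fh:
            if line.startswith("VmRSS:"):
                return int(line.split()[1])
    raise RuntimeError("no VmRSS line for pid %s" % pid)

def wait_for_reload(log_path, offset, timeout=300.0):
    """Poll the log from byte `offset` until a reload-complete line shows up; return the new offset."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with open(log_path, "rb") as fh:
            fh.seek(offset)
            data = fh.read()
        pos = data.find(RELOAD_DONE.encode())
        if pos >= 0:
            return offset + pos + len(RELOAD_DONE)
        time.sleep(1)
    raise TimeoutError("no '%s' line within %.0f s" % (RELOAD_DONE, timeout))

def growth_report(samples, warmup=3):
    """samples[0] is RSS before the first reload, samples[i] is RSS after reload i.
    Returns (per-reload deltas, mean delta of the first `warmup` reloads, mean delta of the rest)."""
    deltas = [b - a for a, b in zip(samples, samples[1:])]
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return deltas, mean(deltas[:warmup]), mean(deltas[warmup:])

def measure(pid, log_path, reloads):
    """Trigger `reloads` rule reloads and sample RSS after each one completes."""
    samples = [rss_kb(pid)]
    offset = os.path.getsize(log_path)    # ignore reloads logged before we started
    for _ in range(reloads):
        os.kill(pid, signal.SIGUSR2)      # assumption: SIGUSR2 is the rule-reload signal
        offset = wait_for_reload(log_path, offset)
        samples.append(rss_kb(pid))
    return samples

if __name__ == "__main__":
    # usage: python3 reload_rss.py <suricata-pid> <path-to-suricata.log> <reload-count>
    pid, log_path, count = int(sys.argv[1]), sys.argv[2], int(sys.argv[3])
    deltas, early, steady = growth_report(measure(pid, log_path, count))
    print("RSS delta per reload (kB):", deltas)
    print("mean of first reloads: %.0f kB, mean of later reloads: %.0f kB" % (early, steady))
```

Running it once with HOME_NET changing between reloads and once with it left unchanged gives the comparison asked for in the message; a steady positive delta that does not flatten out points at a leak rather than at one-time allocation.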

