[Oisf-devel] Suricata rule reloading mem leak

Konstantin Klinger Konstantin.Klinger at dcso.de
Wed Sep 19 04:21:16 UTC 2018


Hello,

We don't have the same problem, because we don't change $HOME_NET while reloading. But I can provide you with stats from a case of massively increased memory consumption while/after reloading if it helps? (Suricata dev-4.1.)

Cheers,

Konstantin

--
Konstantin Klinger
Security Content Engineer
Threat Detection & Hunting (TDH)

+49 160 95476260
konstantin.klinger at dcso.de

dcso.de
blog.dcso.de

PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46

DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus
22 • 10829 Berlin, Germany
Managing Director: Dr.-Ing. Gunnar Siebert, registered office: Berlin,
Amtsgericht Charlottenburg HRB 172382

On 18.09.2018 at 22:53, Andreas Herz <andi at geekosphere.org> wrote:

On 17/09/18 at 17:21, Breno Silva wrote:
Maybe another important information, the HOME_NET variable is set by
"include homenet.yaml" file.

I had a similar setup some years ago and the issue was fixed in a
former Suricata version. I could create a testcase and reproduce it
quite easily; can you do the same?

You could then look into the memory consumption from reload to reload.
It would also be interesting to see how much the memory consumption
increases with each reload and whether there is a bigger jump within the first
reloads.

Do you have the same behaviour if you _don't_ change the HOME_NET
settings?

On Mon, Sep 17, 2018 at 5:07 PM Breno Silva <breno.silva at gmail.com> wrote:

I'm looking at my logs and it takes ~100 reloads to crash.
But not sure if amount of rules will change it or not.

On Mon, Sep 17, 2018 at 5:06 PM Breno Silva <breno.silva at gmail.com> wrote:

Victor,

Suricata 4.0.4
It reports:
11/9/2018 -- 13:11:22 - <Notice> - rule reload complete
11/9/2018 -- 13:11:48 - <Notice> - rule reload starting
11/9/2018 -- 13:12:19 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
allocating memory
...

12/9/2018 -- 07:38:49 - <Notice> - rule reload complete
12/9/2018 -- 07:39:46 - <Notice> - rule reload starting
12/9/2018 -- 07:40:17 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
allocating memory
...

12/9/2018 -- 10:01:54 - <Notice> - rule reload complete
12/9/2018 -- 10:02:52 - <Notice> - rule reload starting
12/9/2018 -- 10:03:24 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
allocating memory
...

12/9/2018 -- 14:00:09 - <Notice> - rule reload complete
12/9/2018 -- 14:01:04 - <Notice> - rule reload starting
12/9/2018 -- 14:01:37 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
allocating memory

On Mon, Sep 17, 2018 at 5:01 PM Victor Julien <lists at inliniac.net> wrote:

On 17-09-18 21:55, Breno Silva wrote:
I have a tool that monitors all my interfaces' IPv4/IPv6 addresses and
when they change, the tool re-defines HOME_NET and sends a signal to
Suricata for rule reloading. It looks like there is a memory leak when this
happens and the Suricata process memory increases until it crashes.

All yaml files exist and are successfully loaded.

Can you add some relevant info? What suri version, what did you try
already, how often does it reload before the crash, what kind of crash,
etc?

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
Site: http://suricata-ids.org | Participate:
http://suricata-ids.org/participate/
List:
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
Redmine: https://redmine.openinfosecfoundation.org/






--
Andreas Herz
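The reload-to-reload memory measurement Andreas suggests above, as an added example that is not part of this thread or of the Suricata project: a Python script that reads the Suricata main process's VmRSS from /proc, triggers a live rule reload with SIGUSR2 (the signal Suricata uses for rule reload), waits for the reload to settle, samples again, and reports the growth per reload, splitting the first few reloads from the steady state so a one-time jump can be told apart from growth that recurs on every reload. The PID, the number of reloads, the settle time and the warm-up count are command-line assumptions; the threshold for calling steady growth suspicious is an arbitrary constructed value.

```python
"""Sample Suricata RSS across rule reloads (added example; assumptions noted inline)."""
import argparse
import os
import re
import signal
import time

# VmRSS line as it appears in /proc/<pid>/status, e.g. "VmRSS:\t  123456 kB"
VMRSS_RE = re.compile(r"^VmRSS:\s+(\d+)\s+kB", re.M)


def parse_vmrss_kb(status_text: str) -> int:
    """Extract resident set size in kB from the text of /proc/<pid>/status."""
    m = VMRSS_RE.search(status_text)
    if not m:
        raise ValueError("VmRSS line not found in status text")
    return int(m.group(1))


def read_rss_kb(pid: int) -> int:
    """Read the current RSS of a live process (Linux only)."""
    with open(f"/proc/{pid}/status", encoding="ascii") as f:
        return parse_vmrss_kb(f.read())


def reload_deltas(samples):
    """Growth in kB caused by each reload; samples[0] is taken before the first reload."""
    return [after - before for before, after in zip(samples, samples[1:])]


def summarize(samples, warmup=3, leak_threshold_kb=512):
    """Split per-reload growth into the first `warmup` reloads and the rest.

    A jump confined to the warm-up phase usually means caches or allocator
    arenas filling once; growth that keeps recurring after warm-up, at or
    above leak_threshold_kb per reload (constructed threshold), is flagged.
    """
    deltas = reload_deltas(samples)
    head, tail = deltas[:warmup], deltas[warmup:]

    def mean(xs):
        return sum(xs) / len(xs) if xs else 0.0

    return {
        "reloads": len(deltas),
        "total_growth_kb": samples[-1] - samples[0] if samples else 0,
        "warmup_mean_kb": mean(head),
        "steady_mean_kb": mean(tail),
        "steady_leak_suspected": bool(tail) and mean(tail) >= leak_threshold_kb,
    }


def monitor(pid: int, reloads: int, settle_s: float, warmup: int):
    """Trigger `reloads` rule reloads and sample RSS after each one.

    A fixed settle time is used here for simplicity; the reload itself is
    logged by Suricata as "rule reload starting" / "rule reload complete",
    and a stricter version would watch suricata.log for the latter instead.
    """
    samples = [read_rss_kb(pid)]
    for i in range(reloads):
        os.kill(pid, signal.SIGUSR2)  # Suricata: live rule reload
        time.sleep(settle_s)
        samples.append(read_rss_kb(pid))
        print(f"reload {i + 1}: VmRSS {samples[-1]} kB (+{samples[-1] - samples[-2]} kB)")
    return samples, summarize(samples, warmup=warmup)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="RSS growth per Suricata rule reload")
    ap.add_argument("pid", type=int, help="PID of the Suricata main process (assumed)")
    ap.add_argument("--reloads", type=int, default=10)
    ap.add_argument("--settle", type=float, default=45.0, help="seconds to wait per reload")
    ap.add_argument("--warmup", type=int, default=3)
    args = ap.parse_args()
    _, report = monitor(args.pid, args.reloads, args.settle, args.warmup)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against an idle or replay-fed Suricata rather than production traffic, since each SIGUSR2 re-parses the full ruleset; comparing the steady-state mean with and without a changed HOME_NET between reloads is the experiment the thread is asking for.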
