[Oisf-devel] Suricata rule reloading mem leak
Peter Manev
petermanev at gmail.com
Wed Sep 19 04:35:51 UTC 2018
> On 19 Sep 2018, at 06:21, Konstantin Klinger <Konstantin.Klinger at dcso.de> wrote:
>
> Hello,
>
> We don't have the same problem, because we don't change $HOME_NET while reloading. But I can provide you with stats from a case of massively increased memory consumption while/after reloading if it helps? (suricata dev-4.1.)
>
Please do - do you still have the same problem?
> Cheers,
>
> Konstantin
>
> --
> Konstantin Klinger
> Security Content Engineer
> Threat Detection & Hunting (TDH)
>
> +49 160 95476260
> konstantin.klinger at dcso.de
>
> dcso.de
> blog.dcso.de
>
> PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46
>
> DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus
> 22 • 10829 Berlin, Germany
> Managing Director: Dr.-Ing. Gunnar Siebert, registered office: Berlin,
> Charlottenburg District Court HRB 172382
>
> On 18.09.2018 at 22:53, Andreas Herz <andi at geekosphere.org> wrote:
>
>>> On 17/09/18 at 17:21, Breno Silva wrote:
>>> Maybe another important information, the HOME_NET variable is set by
>>> "include homenet.yaml" file.
>>
>> I had a similar setup some years ago and the issue was fixed in a
>> former suricata version. I could create a testcase and reproduce it
>> quite easily, can you do the same?
>>
>> You could then look into the memory consumption from reload to reload.
>> It would also be interesting to see how much the memory consumption
>> increases with each reload and if there is a bigger jump within the first
>> reloads.
>>
>> Do you have the same behaviour if you _don't_ change the HOME_NET
>> settings?
>>
>>>> On Mon, Sep 17, 2018 at 5:07 PM Breno Silva <breno.silva at gmail.com> wrote:
>>>
>>>> I'm looking at my logs and it takes ~100 reloads to crash.
>>>> But I'm not sure if the amount of rules will change it or not.
>>>>
>>>> On Mon, Sep 17, 2018 at 5:06 PM Breno Silva <breno.silva at gmail.com> wrote:
>>>>
>>>>> Victor,
>>>>>
>>>>> Suricata 4.0.4
>>>>> It reports:
>>>>> 11/9/2018 -- 13:11:22 - <Notice> - rule reload complete
>>>>> 11/9/2018 -- 13:11:48 - <Notice> - rule reload starting
>>>>> 11/9/2018 -- 13:12:19 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
>>>>> allocating memory
>>>>> ...
>>>>>
>>>>> 12/9/2018 -- 07:38:49 - <Notice> - rule reload complete
>>>>> 12/9/2018 -- 07:39:46 - <Notice> - rule reload starting
>>>>> 12/9/2018 -- 07:40:17 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
>>>>> allocating memory
>>>>> ...
>>>>>
>>>>> 12/9/2018 -- 10:01:54 - <Notice> - rule reload complete
>>>>> 12/9/2018 -- 10:02:52 - <Notice> - rule reload starting
>>>>> 12/9/2018 -- 10:03:24 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
>>>>> allocating memory
>>>>> ...
>>>>>
>>>>> 12/9/2018 -- 14:00:09 - <Notice> - rule reload complete
>>>>> 12/9/2018 -- 14:01:04 - <Notice> - rule reload starting
>>>>> 12/9/2018 -- 14:01:37 - <Error> - [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Error
>>>>> allocating memory
>>>>>
>>>>> On Mon, Sep 17, 2018 at 5:01 PM Victor Julien <lists at inliniac.net> wrote:
>>>>>
>>>>>> On 17-09-18 21:55, Breno Silva wrote:
>>>>>>> I have a tool that monitors all my interfaces' ipv4/ipv6 addresses and
>>>>>>> when they change, the tool re-defines HOME_NET and sends a signal to
>>>>>>> suricata for rule reloading. Looks like there is a memory leak when it
>>>>>>> happens and suricata process memory increases until it crashes.
>>>>>>>
>>>>>>> All yaml files exist and are successfully loaded.
>>>>>>
>>>>>> Can you add some relevant info? What suri version, what did you try
>>>>>> already, how often does it reload before the crash, what kind of crash,
>>>>>> etc?
>>>>>>
>>>>>> --
>>>>>> ---------------------------------------------
>>>>>> Victor Julien
>>>>>> http://www.inliniac.net/
>>>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>>>> ---------------------------------------------
>>>>>>
>>>>>> _______________________________________________
>>>>>> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
>>>>>> Site: http://suricata-ids.org | Participate:
>>>>>> http://suricata-ids.org/participate/
>>>>>> List:
>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>>>> Redmine: https://redmine.openinfosecfoundation.org/
>>>>>>
>>>>>>
>>
>>
>>
>> --
>> Andreas Herz
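An added example, not part of the thread or of Suricata's code: one way to take the reload-to-reload measurement asked for above, by triggering rule reloads, sampling the process RSS after each "rule reload complete" notice, and comparing the first reloads with the later ones. It assumes Linux `/proc`, the SIGUSR2 rule-reload signal, and a log path supplied by the caller; the sample figures are constructed.

```python
import os
import signal
import time

RELOAD_DONE = "rule reload complete"  # notice text as it appears in the quoted log

def rss_kb(pid):
    """Resident set size of a process in kB, read from /proc (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("VmRSS:"):
                return int(line.split()[1])
    raise RuntimeError("VmRSS not found")

def count_done(log_path):
    """Number of completed reloads recorded in the Suricata log so far."""
    with open(log_path, errors="replace") as f:
        return sum(RELOAD_DONE in line for line in f)

def sample_reloads(pid, log_path, reloads, timeout=300):
    """Trigger `reloads` rule reloads; return RSS (kB) before the first and after each."""
    samples = [rss_kb(pid)]
    for _ in range(reloads):
        seen = count_done(log_path)
        os.kill(pid, signal.SIGUSR2)  # ask Suricata for a live rule reload
        deadline = time.monotonic() + timeout
        while count_done(log_path) == seen:
            # A reload that ends in an allocation error never logs completion.
            if time.monotonic() > deadline:
                raise TimeoutError("reload did not complete")
            time.sleep(1)
        samples.append(rss_kb(pid))
    return samples

def growth_report(samples, warmup=5):
    """Per-reload RSS deltas, split into the first `warmup` reloads and the rest."""
    deltas = [b - a for a, b in zip(samples, samples[1:])]
    early, steady = deltas[:warmup], deltas[warmup:]
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return {
        "deltas_kb": deltas,
        "early_mean_kb": mean(early),
        "steady_mean_kb": mean(steady),
        # Still growing on every reload after warm-up: consistent with a leak.
        "leak_suspected": bool(steady) and min(steady) > 0,
    }

# Constructed RSS samples in kB (not measurements from the thread).
CONSTRUCTED = [500000, 540000, 560000, 565000, 567000, 568000, 570000, 572000, 574000]

if __name__ == "__main__":
    print(growth_report(CONSTRUCTED))
```

Running the same loop once with HOME_NET changed between reloads and once without gives the comparison asked about in the thread.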