[Oisf-users] Suricata 1.3.4 problem

Anoop Saldanha anoopsaldanha at gmail.com
Thu Dec 6 16:04:21 UTC 2012


On Thu, Dec 6, 2012 at 9:30 PM, Victor Julien <lists at inliniac.net> wrote:
> On 12/06/2012 03:29 PM, Martin Holste wrote:
>> Ok, then I'd be interested to know if upping the memcap from 1098M shows
>> the same behavior: max CPU due to hitting the memcap.
>>
>> Maybe best to first try the new code Victor mentioned, though.
>
> I just pushed out 1.3.5, please try that if you want to stay on the 1.3
> branch. However, if 1.4rc1 works well you might as well stay on that.
>
> Cheers,
> Victor
>
>>
>>
>> On Thu, Dec 6, 2012 at 7:09 AM, Paul Halliday <paul.halliday at gmail.com> wrote:
>>
>>     Hi Martin,
>>
>>     With those values changed the same thing happened.
>>
>>     The only thing that was a little different was CPU utilization was far
>>     more varied. The time window from start to spike (200% utilization)
>>     was almost identical though.
>>
>>     On Wed, Dec 5, 2012 at 9:05 PM, Martin Holste <mcholste at gmail.com> wrote:
>>     > Probably the flow timeouts as discussed earlier this week on the
>>     > list. Try out my aggressive flow timeout example and see if that fixes it.
>>     >
>>     >
>>     > On Wed, Dec 5, 2012 at 5:53 PM, Paul Halliday <paul.halliday at gmail.com> wrote:
>>     >>
>>     >> Hi,
>>     >>
>>     >> Not quite sure what's happening but Suricata stops generating alerts
>>     >> after about 30 minutes of operation. Bandwidth during this test never
>>     >> peaked above 50. Running on FreeBSD 9.1
>>     >>
>>     >>
>>     >> MEM and CPU for the process (~30 second interval):
>>     >>
>>     >> 1354748069,804M,26.37%
>>     >> 1354748099,807M,25.15%
>>     >> 1354748129,812M,31.10%
>>     >> 1354748159,818M,26.76%
>>     >> ...
>>     >> 1354749629,1061M,27.25%
>>     >> 1354749659,1065M,24.27%
>>     >> 1354749689,1069M,26.12%
>>     >> 1354749719,1089M,26.12%
>>     >> 1354749749,1090M,36.38%
>>     >> 1354749779,1092M,108.30%
>>     >> 1354749809,1095M,108.11%
>>     >> 1354749839,1098M,108.06%
>>     >> 1354749869,1098M,196.78%
>>     >> 1354749899,1098M,200.00%
>>     >> 1354749929,1098M,200.00%
>>     >> 1354749959,1098M,200.00%
>>     >> 1354749989,1098M,200.00%
>>     >>
>>     >> Around the spike from 36 to 108 utilization Suricata throws this:
>>     >>
>>     >> 5/12/2012 -- 19:21:50 - <Info> - Flow emergency mode over, back to
>>     >> normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1354749710,
>>     >> ts.tv_usec:449629) flow_spare_q status(): 38% flows at the queue
>>     >>
>>     >> A knob I need to turn somewhere?
>>     >>
>>     >> Thanks!
>>     >>
>>     >> --
>>     >> Paul Halliday
>>     >> http://www.pintumbler.org/
>>     >> _______________________________________________
>>     >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>     >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>     >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>     >> OISF: http://www.openinfosecfoundation.org/
>>     >
>>     >
>>
>>
>>
>>     --
>>     Paul Halliday
>>     http://www.pintumbler.org/
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>

Looks like the flow dereference cleanup leak which is now fixed in 1.3.5.

-- 
Anoop Saldanha
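The pattern in Paul's samples (resident memory climbing to a plateau while CPU saturates) can be checked mechanically from a monitoring log. This is an added example, not code from the thread or from Suricata; it parses the quoted epoch,RSS,CPU samples (a constructed subset) and flags the first point where memory stopped growing while CPU stayed saturated, which is the moment to look for flow emergency-mode messages and the flow memcap.

```python
"""Flag a memcap stall: memory growth stops while CPU stays pegged.

Input format is the thread's monitor output: epoch,<RSS>M,<CPU>%
(one sample per line, ~30 s apart). Added example, not Suricata code.
"""

# Constructed subset of the samples quoted in the thread.
SAMPLES = """1354749629,1061M,27.25%
1354749659,1065M,24.27%
1354749689,1069M,26.12%
1354749719,1089M,26.12%
1354749749,1090M,36.38%
1354749779,1092M,108.30%
1354749809,1095M,108.11%
1354749839,1098M,108.06%
1354749869,1098M,196.78%
1354749899,1098M,200.00%
1354749929,1098M,200.00%
"""


def parse_samples(text):
    """Return a list of (epoch, rss_mb, cpu_pct) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, mem, cpu = line.split(",")
        rows.append((int(ts), int(mem.rstrip("M")), float(cpu.rstrip("%"))))
    return rows


def find_memcap_stall(rows, cpu_threshold=100.0, plateau_samples=2):
    """Return (epoch, rss_mb) of the first sample in a run where RSS is flat
    and CPU >= cpu_threshold for plateau_samples consecutive samples, or
    None if no such run exists.  A flat RSS at a round figure while CPU is
    saturated is the symptom of a memcap being hit rather than a normal
    traffic burst (which would move memory as well)."""
    run = 0
    for i in range(1, len(rows)):
        ts, mem, cpu = rows[i]
        if mem == rows[i - 1][1] and cpu >= cpu_threshold:
            run += 1
            if run >= plateau_samples:
                first = rows[i - plateau_samples + 1]
                return (first[0], first[1])
        else:
            run = 0
    return None


if __name__ == "__main__":
    print(find_memcap_stall(parse_samples(SAMPLES)))  # (1354749869, 1098)
```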
