[Oisf-users] What limit to remove?
Victor Julien
lists at inliniac.net
Wed Dec 18 08:44:27 UTC 2013
On 12/18/2013 07:03 AM, Mark Ashley wrote:
> To answer my own question, since it's a 32bit compiled binary, the limit
> for the process address map is 4GB.
>
> I'll have to prune the resource usage, or re-compile the binary and
> libraries 64bit.
I would go the 64bit route. 4GB is not nearly going to be enough on a
large pipe.
Cheers,
Victor
>
> On Wed, Dec 18, 2013 at 4:33 PM, Mark Ashley <mark at ibiblio.org> wrote:
>
> Solaris 11 x86
> X4600 128GB RAM, 16 x AMD8220s
> Suricata master-2013-12-02
>
> I'm seeing memory "exhaustion" issues with starting suricata with
> pretty much all of the rules switched on, including the emerging
> ones. The process gets up to about 3.85GB RSS and then crashes with
> the errors below.
>
> I'm looking at the suricata.yaml file and trying to find out where I
> can increase limits to allow the rules to be there, and suricata to
> cache them. There's no issue with available RAM or a ulimit setting.
> It can have it all.
>
> ta,
> Mark.
>
>
> [1] 18/12/2013 -- 15:01:53 - (suricata.c:1877) <Info>
> (PostConfLoadedSetup) -- No 'host-mode': suricata is in IDS mode,
> using default setting 'sniffer-only'
> [1] 18/12/2013 -- 15:01:53 - (defrag-hash.c:209) <Info>
> (DefragInitConfig) -- allocated 1280000 bytes of memory for the
> defrag hash... 40000 buckets of size 32
> [1] 18/12/2013 -- 15:01:53 - (defrag-hash.c:236) <Info>
> (DefragInitConfig) -- preallocated 50000 defrag trackers of size 136
> [1] 18/12/2013 -- 15:01:53 - (defrag-hash.c:243) <Info>
> (DefragInitConfig) -- defrag memory usage: 8080000 bytes, maximum:
> 4294967296
> [1] 18/12/2013 -- 15:01:53 - (tmqh-flow.c:61) <Info>
> (TmqhFlowRegister) -- AutoFP mode using "Round Robin" flow load balancer
> [1] 18/12/2013 -- 15:01:53 - (suricata.c:1910) <Info>
> (PostConfLoadedSetup) -- Will use direct allocation instead of
> packet pool
> [1] 18/12/2013 -- 15:01:53 - (host.c:202) <Info> (HostInitConfig) --
> allocated 131072 bytes of memory for the host hash... 4096 buckets
> of size 32
> [1] 18/12/2013 -- 15:01:53 - (host.c:227) <Info> (HostInitConfig) --
> preallocated 5000 hosts of size 96
> [1] 18/12/2013 -- 15:01:53 - (host.c:229) <Info> (HostInitConfig) --
> host memory usage: 651072 bytes, maximum: 17179869184
> [1] 18/12/2013 -- 15:01:53 - (flow.c:383) <Info> (FlowInitConfig) --
> allocated 2097152 bytes of memory for the flow hash... 65536 buckets
> of size 32
> [1] 18/12/2013 -- 15:01:55 - (flow.c:409) <Info> (FlowInitConfig) --
> preallocated 1000000 flows of size 236
> [1] 18/12/2013 -- 15:01:55 - (flow.c:411) <Info> (FlowInitConfig) --
> flow memory usage: 242097152 bytes, maximum: 4294967296
> [1] 18/12/2013 -- 15:01:55 - (reputation.c:459) <Info> (SRepInit) --
> IP reputation disabled
> [1] 18/12/2013 -- 15:01:55 - (util-magic.c:62) <Info> (MagicInit) --
> using magic-file /usr/local/share/misc/magic.mgc
> [1] 18/12/2013 -- 15:01:55 - (suricata.c:1753) <Info>
> (SetupDelayedDetect) -- Delayed detect disabled
> [1] 18/12/2013 -- 15:02:11 - (detect.c:453) <Info>
> (SigLoadSignatures) -- 49 rule files processed. 15023 rules
> successfully loaded, 0 rules failed
> [1] 18/12/2013 -- 15:02:11 - (detect.c:2564) <Info>
> (SigAddressPrepareStage1) -- 15040 signatures processed. 1039 are
> IP-only rules, 5182 are inspecting packet payload, 10662 inspect
> application layer, 83 are decoder event only
> [1] 18/12/2013 -- 15:02:11 - (detect.c:2570) <Info>
> (SigAddressPrepareStage1) -- building signature grouping structure,
> stage 1: preprocessing rules... complete
> [1] 18/12/2013 -- 15:02:13 - (detect.c:3194) <Info>
> (SigAddressPrepareStage2) -- building signature grouping structure,
> stage 2: building source address list... complete
> [1] 18/12/2013 -- 15:03:39 - (util-mpm-ac.c:430) <Error>
> (SCACInitNewState) -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - SCRealloc
> failed: Not enough space, while trying to allocate 15066112 bytes
> [1] 18/12/2013 -- 15:03:39 - (util-mpm-ac.c:430) <Error>
> (SCACInitNewState) -- [ERRCODE: SC_ERR_FATAL(171)] - Out of memory.
> The engine cannot be initialized. Exiting...
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
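
The diagnosis in this thread can be checked mechanically. The following is an added example, not code from the posters or from Suricata: it reads the ELF class of a binary and flags memcap maxima from the startup log that a 32-bit process can never reach. The function names and the re-joined sample log lines are constructed for illustration.

```python
import re

ADDR_SPACE_32 = 2 ** 32  # 4 GiB, the process address map limit named in the thread

MEMCAP_RE = re.compile(r"\((\w+)\) -- (\w+) memory usage: (\d+) bytes, maximum: (\d+)")
ALLOC_FAIL_RE = re.compile(r"SC_ERR_MEM_ALLOC.*while trying to allocate (\d+) bytes")

# Constructed sample: log lines from the post, re-joined onto single lines.
SAMPLE_LOG = [
    "(defrag-hash.c:243) <Info> (DefragInitConfig) -- defrag memory usage: 8080000 bytes, maximum: 4294967296",
    "(host.c:229) <Info> (HostInitConfig) -- host memory usage: 651072 bytes, maximum: 17179869184",
    "(flow.c:411) <Info> (FlowInitConfig) -- flow memory usage: 242097152 bytes, maximum: 4294967296",
    "(util-mpm-ac.c:430) <Error> (SCACInitNewState) -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - "
    "SCRealloc failed: Not enough space, while trying to allocate 15066112 bytes",
]

def elf_bits(header):
    """Return 32 or 64 from the EI_CLASS byte (offset 4) of an ELF header."""
    if len(header) < 5 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(header[4])
    if bits is None:
        raise ValueError("unknown EI_CLASS value %d" % header[4])
    return bits

def review_startup_log(lines, bits):
    """Return (memcaps unreachable at this word size, size of the failed allocation)."""
    unreachable, failed = {}, None
    for line in lines:
        cap = MEMCAP_RE.search(line)
        # A maximum at or above 4 GiB cannot be used by a 32-bit process.
        if cap and bits == 32 and int(cap.group(4)) >= ADDR_SPACE_32:
            unreachable[cap.group(2)] = int(cap.group(4))
        fail = ALLOC_FAIL_RE.search(line)
        if fail:
            failed = int(fail.group(1))
    return unreachable, failed

if __name__ == "__main__":
    # Constructed header prefix with EI_CLASS=1 (32-bit). For a real binary,
    # pass the first five bytes of the file instead.
    bits = elf_bits(b"\x7fELF\x01")
    caps, failed = review_startup_log(SAMPLE_LOG, bits)
    print("binary is %d-bit" % bits)
    for name, maximum in sorted(caps.items()):
        print("memcap '%s' maximum %d is not reachable in a 32-bit process" % (name, maximum))
    if failed is not None:
        print("allocation of %d bytes failed" % failed)
```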