[Oisf-users] HTTP/File Logging not working

Travel Factory S.r.l. mc8647 at mclink.it
Tue May 13 11:15:59 UTC 2014

> Yes, certainly. If we can't track the http session properly, we 
> log it either.

I'm just having a problem that is probably related...

Suricata 2.0, all memcaps set to 1gb. 7 rules. Yesterday at 15:30 I 
started suricata and top reported a VIRT of 3548m.

This morning I had almost no http logs. stats.log was reporting an 
increasing of memcap_drops. top reported 4562m, exaclty 1gb more than 
when suricata started.

I was thinking about a memory leak but.....

... after about 3 hours, memory dropped back to 35xx, memcap_drops 
stopped to increase and http logging restarted.

So I tried to replicate memory increase, downloading iso or similar 
stuff but I was not able to replicate. Memory raises and lowers, now 
is at 4178m.

One cpu went 100% for several minutes, and I'm quite sure it was 
suricata... but I could not understand why...

So my questions:
1 - which kind of lan traffic can raise the memory usage up to memcap 
limits? streaming? downloading? Just traffic?
2 - how suricata decides to free that memory and when?

I want to add that I have this settings active:
            request-body-limit: 0
            response-body-limit: 0


More information about the Oisf-users mailing list