[Oisf-users] Memory Allocations

Yasha Zislin coolyasha at hotmail.com
Thu Nov 20 17:50:25 UTC 2014


I don't know if swap starts to be used, but Suricata crashes after a couple of days of running. In system logs, I have kernel messages such as this:

kernel: RxPFReth22 invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0, oom_score_adj=0
kernel: RxPFReth22 cpuset=/ mems_allowed=0-1
kernel: Pid: 60417, comm: RxPFReth22 Not tainted 2.6.32-504.el6.x86_64 #1

Then after a ton of stack traces and memory errors, I see this:

kernel: Out of memory: Kill process 59782 (Suricata-Main) score 985 or sacrifice child
Killed process 59782, UID 501, (Suricata-Main) total-vm:135646364kB, anon-rss:108513440kB, file-rss:21329088kB

I wouldn't be surprised that my buffers are set too big. I am just not clear on some sections on how much RAM they use. Also, for the stream section, do you need to add memcap and reassembly buffers together or are they part of each other? As far as I understand reassembly buffer needs to be higher than memcap.

I have 132gb of RAM. When suricata starts, it is using 64gb.

> Date: Thu, 20 Nov 2014 18:21:54 +0100
> Subject: Re: [Oisf-users] Memory Allocations
> From: petermanev at gmail.com
> To: coolyasha at hotmail.com
> CC: oisf-users at lists.openinfosecfoundation.org
> 
> On Mon, Nov 17, 2014 at 3:45 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> > I am having issues with Suricata crashing due to running out of memory.
> > I just wanted to clarify certain sections of config that I am doing my
> > calculations correctly.
> >
> > max-pending-packets 65000           ------- Does that use a lot of Ram?
> >
> > So for defrag and flow sections, whatever memcap values I set, that's what
> > the maximum that can be used, correct?
> >
> > Stream section is a bit unclear to me. Memcap for Stream and Memcap for
> > Reassembly, how do they relate? Which one should be bigger?
> >
> > Host section, once again, memcap is the maximum RAM that would be used?
> >
> > And lastly, libhtp section, request and response -body-limit values, is that
> > maximum memory utilization of LIBHTP?
> >
> > Thanks.
> >
> 
> 
> Hi,
> 
> You mean you are running into swap, correct?
> 
> If you sum up all the memcap values you have given in suricata.yaml -
> would that be less than what you actually have as RAM on the server
> running Suricata?
> 
> Thank you
> 
> 
> -- 
> Regards,
> Peter Manev
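
Added example, not part of the original thread: one way to carry out the check asked for in the quoted reply, summing every memcap in a suricata.yaml and comparing the total with installed RAM. The config snippet and its sizes are constructed, the helper names (parse_size, find_memcaps, memcap_budget) are hypothetical, each memcap is assumed to be a separate budget, and only plain nested mappings are parsed.

```python
import re

# Constructed sample in suricata.yaml layout; sizes are illustrative.
SAMPLE_CONFIG = """\
max-pending-packets: 65000
defrag:
  memcap: 512mb
flow:
  memcap: 4gb
stream:
  memcap: 16gb
  reassembly:
    memcap: 32gb
    depth: 1mb
host:
  memcap: 256mb
"""

UNITS = {"": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3}

def parse_size(text):
    """Convert a size such as '512mb' or '4gb' to bytes."""
    m = re.fullmatch(r"(\d+)\s*(kb|mb|gb)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2) or ""]

def find_memcaps(config_text):
    """Return {'section.path.memcap': bytes} for each memcap key, using indentation."""
    stack, found = [], {}  # stack holds (indent, key) of the enclosing sections
    for line in config_text.splitlines():
        body = line.split("#", 1)[0].rstrip()  # drop comments
        if not body.strip() or ":" not in body:
            continue
        indent = len(body) - len(body.lstrip())
        key, _, value = body.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave sections we have exited
            stack.pop()
        if value.strip() == "":
            stack.append((indent, key))  # a section header such as 'stream:'
        elif key == "memcap":
            found[".".join([k for _, k in stack] + ["memcap"])] = parse_size(value)
    return found

def memcap_budget(config_text, ram_bytes):
    """Sum all memcaps and report whether the total fits in ram_bytes."""
    caps = find_memcaps(config_text)
    total = sum(caps.values())
    return caps, total, total <= ram_bytes
```

Memory that is not governed by a memcap setting is not counted, so the total is only the sum of the configured caps.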
 		 	   		  