[Oisf-users] Memory Allocations

Peter Manev petermanev at gmail.com
Thu Nov 20 17:58:26 UTC 2014


On Thu, Nov 20, 2014 at 6:50 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> I don't know if swap starts to be used, but Suricata crashes after a couple of
> days of running.
> In system logs, I have kernel messages such as this:
> kernel: RxPFReth22 invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0,
> oom_score_adj=0
> kernel: RxPFReth22 cpuset=/ mems_allowed=0-1
> kernel: Pid: 60417, comm: RxPFReth22 Not tainted 2.6.32-504.el6.x86_64 #1
>
> Then after a ton of stack traces and memory errors, I see this:
> kernel: Out of memory: Kill process 59782 (Suricata-Main) score 985 or
> sacrifice child
> Killed process 59782, UID 501, (Suricata-Main) total-vm:135646364kB,
> anon-rss:108513440kB, file-rss:21329088kB
>
> I wouldn't be surprised that my buffers are set too big.
> I am just not clear on some sections on how much RAM they use.
> And also for the stream section, do you need to add memcap and reassembly
> buffers together or are they part of each other? As far as I understand
> reassembly buffer needs to be higher than memcap.
>
> I have 132gb of RAM. When Suricata starts, it is using 64gb


Which Suricata version are you using?
What is the total sum of the memcap values in your suricata.yaml?


>
>> Date: Thu, 20 Nov 2014 18:21:54 +0100
>> Subject: Re: [Oisf-users] Memory Allocations
>> From: petermanev at gmail.com
>> To: coolyasha at hotmail.com
>> CC: oisf-users at lists.openinfosecfoundation.org
>
>>
>> On Mon, Nov 17, 2014 at 3:45 PM, Yasha Zislin <coolyasha at hotmail.com>
>> wrote:
>> > I am having issues with Suricata crashing due to running out of memory.
>> > I just wanted to clarify certain sections of the config to make sure that
>> > I am doing my calculations correctly.
>> >
>> > max-pending-packets 65000 ------- Does that use a lot of RAM?
>> >
>> > So for defrag and flow sections, whatever memcap values I set, that's
>> > the maximum that can be used, correct?
>> >
>> > Stream section is a bit unclear to me. Memcap for Stream and Memcap for
>> > Reassembly, how do they relate? Which one should be bigger?
>> >
>> > Host section, once again, memcap is the maximum RAM that would be used?
>> >
>> > And lastly, libhtp section, request and response -body-limit values, is
>> > that the maximum memory utilization of LIBHTP?
>> >
>> > Thanks.
>> >
>>
>>
>> Hi,
>>
>> You mean you are running into swap, correct?
>>
>> If you sum up all the memcap values you have given in suricata.yaml -
>> would that be less than what you actually have as RAM on the server
>> running Suricata?
>>
>> Thank you
>>
>>
>> --
>> Regards,
>> Peter Manev



-- 
Regards,
Peter Manev


