[Oisf-users] Suricata v2.1beta2 with geoip and high ram consumption

Jay M. jskier at gmail.com
Tue Jan 6 20:38:14 UTC 2015 

Back up to 22 gigabytes of allocated RAM again and swap is getting
eaten. This is with af-packet mode.

I still have local (including geo) and pass rules on, I'll disable
those to see if that makes a difference.

Recent mem info from stats.log:
tcp.memuse                | Detect                    | 2151712
dns.memuse                | Detect                    | 491909
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 121327432
http.memuse               | Detect                    | 70717572
http.memcap               | Detect                    | 0
flow.memuse               | FlowManagerThread         | 8889408

Let me know if you have any questions or need anything else,
--
Jay
jskier at gmail.com


On Tue, Jan 6, 2015 at 8:20 AM, Jay M. <jskier at gmail.com> wrote:
> Changed systemd unit file for afpacket (and verbose switch) and
> started. Had configured for 8 threads to match the cores on the vCPU.
> Reload occured shortly after it started and it went from 7 to 14
> gigabytes allocated. I'll let this perculate for a couple of days.
> --
> Jay
> jskier at gmail.com
>
>
> On Tue, Jan 6, 2015 at 8:02 AM, Jay M. <jskier at gmail.com> wrote:
>> That was in pcap live mode. Switching over to af_packet shortly here.
>> --
>> Jay
>> jskier at gmail.com
>>
>>
>> On Tue, Jan 6, 2015 at 7:56 AM, Peter Manev <petermanev at gmail.com> wrote:
>>> On Tue, Jan 6, 2015 at 2:54 PM, Jay M. <jskier at gmail.com> wrote:
>>>> Correction, I meant inline IDS not IPS. I'll try that for science
>>>> anyway. What I meant was I am doing out of band monitoring only with
>>>> suricata, not using it as an inline IDS, so any blocking would be
>>>> irrelevant.
>>>>
>>>> FYI, I'm up to 20 gigabytes of allocated ram this morning after
>>>> turning on the timer to reload every two hours and testing some custom
>>>> rules I did yesterday.
>>>> --
>>>> Jay
>>>> jskier at gmail.com
>>>>
>>>>
>>>
>>> Is that af_packet or pcap mode?
>>>
>>> --
>>> Regards,
>>> Peter Manev

More information about the Oisf-users mailing list