[Oisf-users] Loading Large Number of Rules produce different results
GORHAM JOHNSON, OZELINA
og1939 at att.com
Mon Apr 8 16:21:31 UTC 2019
When loading certain types of signatures, I received the following error:
<Critical> - [ERRCODE: SC_ERR_AHO_CORASICK(174)] - Just ran out of space in the queue. Fatal Error. Exiting. Please file a bug report on this
After increasing STATE_QUEUE_CONTAINER_SIZE to 524288, the rule file loaded, but I found an anomaly.
1. Why is it that 'STATE_QUEUE_CONTAINER_SIZE' does not always need to be increased to load a large number of rules (see below)?
2. What is the highest number of rules that Suricata can handle, assuming no limitation to memory? I tried increasing STATE_QUEUE_CONTAINER_SIZE to 1048576 and got a segmentation fault at startup.
Attached are two files used to load 70k rules.
Using - Suricata version 4.1.2 RELEASE
Test results with: STATE_QUEUE_CONTAINER_SIZE = 524288
rule70k-1.rules
8/4/2019 -- 15:57:10 - <Info> - 1 rule files processed. 70000 rules successfully loaded, 0 rules failed
8/4/2019 -- 15:57:10 - <Info> - Threshold config parsed: 0 rule(s) found
8/4/2019 -- 15:57:11 - <Info> - 70000 signatures processed. 0 are IP-only rules, 70000 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
8/4/2019 -- 15:57:13 - <Info> - cleaning up signature grouping structure... complete
8/4/2019 -- 15:57:13 - <Notice> - rule reload complete
rule70k-3.rules
8/4/2019 -- 15:47:58 - <Info> - 1 rule files processed. 70000 rules successfully loaded, 0 rules failed
8/4/2019 -- 15:47:58 - <Info> - Threshold config parsed: 0 rule(s) found
8/4/2019 -- 15:48:02 - <Info> - 70000 signatures processed. 0 are IP-only rules, 70000 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
8/4/2019 -- 15:48:06 - <Critical> - [ERRCODE: SC_ERR_AHO_CORASICK(174)] - Just ran out of space in the queue. Fatal Error. Exiting. Please file a bug report on this
Thanks,
Ena Gorham Johnson
AT&T Labs
(470) 378-7867
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rules.zip
Type: application/x-zip-compressed
Size: 3021189 bytes
Desc: rules.zip
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190408/4dacc7d0/attachment-0001.bin>