[Oisf-users] Reduce memory consumption - low hanging fruits?

[Andreas Herz]

Hi Timo

On 11/04/20 at 02:37, Timo Sigurdsson wrote:
> I use Suricata 4.1.2 on Debian 10 in IDS mode. It runs pretty well,
> but occasionally (like every 4-5 weeks), the memory consumption grows
> out of hand. My firewall system only has 4GB of RAM and cannot be
> extended (PC Engines APU2). Therefore, I would like to tweak the
> configuration to reduce the memory consumption a bit. I already
> started by shrinking my ruleset down from ~23000 rules to ~15500. That
> didn't seem to do much. After starting Suricata, it uses a few hundred
> megabytes of RAM (200-300MB). This slowly increases to about
> 800-900MB, but then once in a while there are spikes hitting +3GB. I
> have a memory limit defined in the systemd unit for suricata (3.2GB),
> so once it exceeds that, Suricata gets killed and restarted. I can't
> really make out when exactly this happens, but I assume it's when I
> have multiple users maxing out the available bandwidth with streaming,
> downloads and so on. The connection is a PPPoE connection with
> 85MBit/s down and 35Mbit/s up.

I would update to the latest version, ideally switch to v5. I don't see
any huge potential in your configuration as well. Although I don't see
NFLOG used much, so could be a bug as well. When you have a suspicion of
the problematic traffic, try to reproduce it and take a look into the
stats.log especially the memcaps.

> Does memory usage differ among different runmodes? I currently use
> nflog but would it be beneficial to use afpacket instead? One of the
> reasons I like nflog is that I don't need to pass the packets that are
> dropped anyway to Suricata.

It could, it might be worth a try to just use af-packet mode to
double-check if it's related to the method.

-- 
Andreas Herz