Suricata needs all available RAM

Started by PotatoCarl, November 06, 2019, 09:48:45 AM

Hi
I am running on a Deciso appliance and I enabled Suricata. However, it hogs up 4 of 4 GB RAM and after a couple of days it breaks the machine, reproducibly, especially when I update all rules. I actually found this when I checked the rules and found that, despite the cron job, they had not been updated for 5 months, except one.
Is this a) a memory leak, i.e. a bug, or b) is there a way to configure it to use less memory? Is there a recommended configuration?
I use a longer list of rules, like Snort, ET, OPNsense, abuse.
Thanks for your help.

URLhaus is quite a huge list... maybe you should start with a small set of enabled rules first?
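The configuration side of the first post's question, as an added example (a fragment written for this edit, not taken from the thread, from the poster's appliance, or from the OPNsense Suricata templates). It shows the sections of suricata.yaml that put hard limits on per-subsystem memory in Suricata 5.x; the values are illustrative assumptions for a host with about 4 GB of RAM, not recommendations made anywhere in the thread. One caveat belongs up front: the detection engine built from the rule files is not bounded by any memcap, its size grows with the number of loaded rules, and a live rule reload builds the new engine while the old one is still resident, so the reply above (fewer enabled rules) addresses the part these limits cannot.

```yaml
# Added example: memory-bounding sections of suricata.yaml (Suricata 5.x keys).
# Values are assumptions chosen for a ~4 GB host, not recommendations from the thread.
# On OPNsense the main suricata.yaml is generated from templates, so local
# overrides belong wherever your release documents, not in the generated file.

detect:
  profile: low            # low|medium|high|custom: smaller pattern-matcher
  sgh-mpm-context: auto   # and signature-group tables, at some CPU cost

flow:
  memcap: 64mb            # hard cap on the flow table; new flows are dropped at the cap
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30  # percent of the table freed when the cap is hit

stream:
  memcap: 32mb            # TCP session tracking
  reassembly:
    memcap: 64mb          # buffered segments awaiting reassembly
    depth: 1mb            # bytes per direction that are reassembled; 0 means unlimited

defrag:
  memcap: 16mb            # IP fragment reassembly

host:
  memcap: 16mb            # host table (thresholding / reputation state)

app-layer:
  protocols:
    http:
      enabled: yes
      memcap: 32mb        # HTTP parser body buffers
```

Validate the merged configuration with `suricata -T -c <path-to-suricata.yaml>` before restarting the service; once running, the memcap-related counters in stats.log show whether a given limit is being hit, which is the sign it was set too low for the traffic rather than that memory was leaking.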


Okay, found it, removed it, but nothing solved. Same problem. It takes a couple of minutes and RAM load jumps from 60 to 96%, the system slows aaaaaand stops.
Saw in another thread here that there are maybe some bugs with the 5.0 version I am using at this time (19.7.6), so maybe with 19.7.7 it will be okay. I hope.

Can you check the logs? Suricata 5 is only shipped in devel mode.

Logs say "empty".
Under "alarms" I have only 7 "allowed" entries, nothing else.

Are you sure? 19.7.6 does not have Suricata 5, only the development equivalent.

I'm experiencing exactly the same. Running OPNsense on a VM in Proxmox.
After enabling Suricata, traffic still flows but the web interface / SSH & even the console via Proxmox aren't responding anymore. CPU jumps up to 60/70% and stays there.