Just ran out of space in queue - Suricata Crash

Started by Georges, September 29, 2020, 12:37:29 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
September 29, 2020, 12:37:29 PM
Hello, i got this error, any idea?

September 29, 2020, 02:26:22 PM #1
This is probably related to the problem I and several others have, possibly pointing to some rulesets growing massively and causing errors. I have to disable abuse.ch/URLhaus to start suricata.

I did get the same error as you during my trial and errors..
September 29, 2020, 06:45:38 PM #2
ok thanks!
September 30, 2020, 10:32:10 AM #3
A few hours later, my box is able to load the list again but it takes 25 minutes to reload the rules so I expect suricata to come crashing down any day soon due to the size of the rule set. It could also be a temporary corrupt rule set at URLhaus that now is fixed.
September 30, 2020, 06:08:16 PM #4
Hi everyone,

the same issue here:
2020-09-28T21:43:16   suricata[80031]   [100112] <Critical> -- [ERRCODE: SC_ERR_AHO_CORASICK(174)] - Just ran out of space in the queue.  Fatal Error.  Exiting.  Please file a bug report on this
2020-09-28T21:35:15   suricata[42527]   [100265] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
2020-09-28T19:45:03   suricata[39423]   [100184] <Critical> -- [ERRCODE: SC_ERR_AHO_CORASICK(174)] - Just ran out of space in the queue.  Fatal Error.  Exiting.  Please file a bug report on this

Any hints that could lead to the solution or workaround? Thank you!
October 05, 2020, 09:25:37 AM #5 Last Edit: October 05, 2020, 10:45:19 AM by meschmesch
Same problem here.
Code Select
2020-10-02T23:34:46 suricata[11312] [101016] <Critical> -- [ERRCODE: SC_ERR_AHO_CORASICK(174)] - Just ran out of space in the queue. Fatal Error. Exiting. Please file a bug report on this
2020-10-02T23:29:48 suricata[94676] [100093] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
2020-10-01T21:04:05 suricata[23078] [100122] <Critical> -- [ERRCODE: SC_ERR_AHO_CORASICK(174)] - Just ran out of space in the queue. Fatal Error. Exiting. Please file a bug report on this

Disabling of abuse.ch/URLhaus did help, but this is not a solution. By the way, I have plenty of memory available, in total 8GB RAM, and with URLhaus enabled still 35% Ram left free.
October 11, 2020, 07:03:45 PM #6
Hello,
isn't there any solution? None any idea?
October 13, 2020, 12:16:24 PM #7
No :/.
For now when i start the suricata on one of my interface, the interface crash and can't communicate anymore...
I have to restart the VM to make it work and stop suricata.
October 22, 2020, 05:19:42 PM #8
Same issue here
Code Select
2020-10-21T08:53:20 suricata[52318] [101262] <Critical> -- [ERRCODE: SC_ERR_AHO_CORASICK(174)] - Just ran out of space in the queue. Fatal Error. Exiting. Please file a bug report on this
2020-10-21T08:47:24 suricata[52303] [100253] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
October 22, 2020, 05:36:17 PM #9
How can I delete Surricata rules? I was playing with various sources and now have 217048 rules on the system, all set to Alert. Just want to delete them all and download only what I need.
Disabling alerting is really PITA as one can do only 1000 rules at a time. I prefer to delete them all and start from scratch.
April 19, 2025, 01:37:38 PM #10
Hi,

since today we have the same issue.

We are just using ET telemetry rulesets.

Is there anything I can do?

Memory and diskspace is available.

April 21, 2025, 02:48:17 PM #11
Try changing to "Hyperscan", that has resolved it for us at least temporarily.
May 06, 2025, 07:55:06 PM #12
Its still not working. I dont know why you would have to leave a ruleset out. I think the whole set is only a couple hundred MBytes. I will try altering the scan to hyperdrive if thats not the default. But this problem [running out of space] needs to be resolved in the main system programming.
May 06, 2025, 11:45:13 PM #13
I changed IPS>Administratiom>Settings Advanced and changed pattern matcher to Hyperscan
As pointed out by user geotek
And Detect profile to medium, may not have needed to change that
Its working for now
May 07, 2025, 01:16:36 AM #14 Last Edit: May 07, 2025, 01:42:10 AM by g29
Quote from: someone on May 06, 2025, 11:45:13 PMI changed IPS>Administratiom>Settings Advanced and changed pattern matcher to Hyperscan
As pointed out by user geotek
And Detect profile to medium, may not have needed to change that
Its working for now

This is Suricata version 7.0.10 RELEASE running in SYSTEM mode

229,718 Rules

"Error   suricata   [100736] <Error> -- Just ran out of space in the queue. Please file a bug report on this"

Web GUI > Services > Intrusion Detection > Administration > Settings > Advanced:  (Hyperscan and Medium)

Thanks for posting the queue size work around. 

I am just learning OPNsense and the queue size error started today enabling/configuring Suricata. 

It looks like the Suricata rule processing is single threaded (had a ssh top window running). 

I have 8 threads and 32GB of memory and it still ran out of queue space.

The work around in your post resolved this.

Print
Go Up Pages1
User actions