<p><strong>Open Information Security Foundation</strong> - Suricata - Feature #1489: Log a message when memcap limit is reached (<a href="https://redmine.openinfosecfoundation.org/">https://redmine.openinfosecfoundation.org/</a>)</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2015-06-17T12:25:51Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=5330">journal 5330</a></p>
<p>I'm not sure Suricata itself should output this, or it could be done in a Lua script based on the stats.</p>
<p><strong>Alexander Gozman</strong>, 2015-06-17T14:10:12Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=5334">journal 5334</a></p>
<p>Victor Julien wrote:</p>
<blockquote>
<p>I'm not sure Suricata itself should output this, or it could be done in a Lua script based on the stats.</p>
</blockquote>
<p>Yes, it could be done somewhere else. However, Snort emits debug messages when memcap is exceeded, so it provides a good debugging tool right out of the box. Anyway, it's not a priority.</p>
<p><strong>Peter Manev</strong> (petermanev@gmail.com), 2015-06-28T05:24:39Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=5342">journal 5342</a></p>
<p>I think it is very useful/helpful in terms of debug/tuning to have those (optionally enabled, maybe) verbose/debug messages in suricata.log with regard to memcaps being reached.</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2015-07-23T04:48:03Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=5393">journal 5393</a></p>
<p>I think if we do such a thing we need a logging method that would allow us to say "log this once" or "log this no more than once a second". Any log message based on traffic is a risk wrt log flooding etc.</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2015-07-23T04:48:31Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=5394">journal 5394</a></p>
<ul><li><strong>Target version</strong> changed from <i>3.0RC1</i> to <i>TBD</i></li></ul>
<p><strong>Alexander Gozman</strong>, 2015-08-05T09:10:05Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=5422">journal 5422</a></p>
<p>Victor Julien wrote:</p>
<blockquote>
<p>I think if we do such a thing we need a logging method that would allow us to say "log this once" or "log this no more than once a second". Any log message based on traffic is a risk wrt log flooding etc.</p>
</blockquote>
<p>Well, I think this can be either hardcoded or have a setting in a configuration file (like "memcap-limit-warn-count: 5"; a value of -1 will log it without any limit). And we can implement a macro like this one:</p>
<pre>#define DO_FIRST_N(max, stmt) \
do { \
    /* one counter per expansion site; a plain int, so concurrent increments can race */ \
    static volatile int logLimiter = 0; \
    if (++logLimiter > (max)) { \
        break; \
    } \
    stmt; \
} while (0)
</pre>
<p>And use it like:</p>
<pre>DO_FIRST_N(1, SC_LOG_WARNING(...));
</pre>
<p>Maybe there's a more neat and tidy solution :)</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2015-08-17T10:07:20Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=5440">journal 5440</a></p>
<p>This variable logLimiter will only exist in the scope of the DO_FIRST_N(1, SC_LOG_WARNING(...)); statement, right? How will it be shared between threads or multiple invocations of a code block?</p>
<p><strong>Alexander Gozman</strong>, 2015-08-17T10:34:17Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=5441">journal 5441</a></p>
<p>Victor Julien wrote:</p>
<blockquote>
<p>This variable logLimiter will only exist in the scope of the DO_FIRST_N(1, SC_LOG_WARNING(...)); statement, right? How will it be shared between threads or multiple invocations of a code block?</p>
</blockquote>
<p>If I remember correctly, static variables have a local scope but a global lifetime. So this one should be shared between threads and work correctly after multiple calls (however, there may be a non-critical race condition with this simple counter). Some time ago I did a quick test, with and without threads, and it seemed to work.<br />Maybe there's another solution for this, but I've tried to implement something like the LOG_FIRST_N macro from the Google logging library (glog).</p>
<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2016-01-01T17:46:29Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=5952">journal 5952</a></p>
<ul><li><strong>Assignee</strong> set to <i>OISF Dev</i></li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2018-08-09T10:30:49Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=10148">journal 10148</a></p>
<ul><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Anonymous</i></li><li><strong>Priority</strong> changed from <i>Low</i> to <i>Normal</i></li><li><strong>Effort</strong> set to <i>low</i></li><li><strong>Difficulty</strong> set to <i>low</i></li></ul>
<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2019-02-23T22:16:58Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=11221">journal 11221</a></p>
<ul><li><strong>Assignee</strong> set to <i>Community Ticket</i></li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-09-26T10:35:10Z, <a href="https://redmine.openinfosecfoundation.org/issues/1489?journal_id=13922">journal 13922</a></p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-4 status-2 priority-4 priority-default" href="/issues/614">Optimization #614</a>: Rate limiting messages</i> added</li></ul>
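<p>A thread-safe variant of the rate-limited memcap warning that Victor Julien and Alexander Gozman discuss above, as an added example that is not code from this ticket or from Suricata. It answers the scope question the same way the macro on the ticket does (a block-scoped static per expansion site, shared by every call and every thread) but uses C11 atomics instead of a plain counter, and adds the "no more than once a second" form Victor asked for; warn_memcap and the three burst functions are constructed stand-ins for the real logger and memcap checks.</p>

```c
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical stand-in for Suricata's warning logger; counts emissions for the checks. */
static atomic_int emitted_total = 0;
static void warn_memcap(const char *what)
{
    atomic_fetch_add(&emitted_total, 1);
    fprintf(stderr, "memcap reached: %s\n", what);
}

/* Log the first `max` hits of this expansion site (max < 0: unlimited). The counter
 * is block-scoped but has program lifetime, so every call and every thread reaching
 * this site shares it; the atomic removes the race a `static volatile int` has. */
#define LOG_FIRST_N(max, stmt) \
    do { \
        static atomic_int count_ = 0; \
        if ((max) < 0 || atomic_fetch_add(&count_, 1) < (max)) { stmt; } \
    } while (0)

/* Log at most once per `secs` seconds at this site; the CAS on the last
 * emission time means two concurrent callers cannot both log. */
#define LOG_EVERY_SECS(secs, stmt) \
    do { \
        static _Atomic(time_t) last_ = 0; \
        time_t now_ = time(NULL), seen_ = atomic_load(&last_); \
        if (now_ - seen_ >= (secs) && \
            atomic_compare_exchange_strong(&last_, &seen_, now_)) { stmt; } \
    } while (0)

/* Simulated bursts of memcap hits; each returns how many warnings escaped.
 * The two LOG_FIRST_N sites below get independent counters. */
int flow_memcap_burst(int hits)
{
    int before = atomic_load(&emitted_total);
    for (int i = 0; i < hits; i++) LOG_FIRST_N(5, warn_memcap("flow"));
    return atomic_load(&emitted_total) - before;
}
int stream_memcap_burst(int hits)
{
    int before = atomic_load(&emitted_total);
    for (int i = 0; i < hits; i++) LOG_FIRST_N(5, warn_memcap("stream"));
    return atomic_load(&emitted_total) - before;
}
int defrag_memcap_burst(int hits)
{
    int before = atomic_load(&emitted_total);
    for (int i = 0; i < hits; i++) LOG_EVERY_SECS(1, warn_memcap("defrag"));
    return atomic_load(&emitted_total) - before;
}
```

<p>A second burst at the same site emits nothing more, while the other site's first burst still gets its own five warnings, which is the "shared between invocations, separate per site" behaviour the ticket asks about.</p>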