Project

General

Profile

Actions

Bug #1659

closed

Increasing memory consumption when using live reload

Added by Andreas Herz about 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This is still an issue, related issues from older times are #492 and maybe even #573 might be involved and also some info is in #1358.
I can reproduce it with sending USR2 for several times and get increased memory usage.
That's with 3.0RC3 and on Debian, Gentoo, Arch, CentOS (no diff between 32/64bit x86).

It's an issue with systems that run for days and have dynamic IPs for example. Those get triggered with USR2 to reload the new HOME_NET info once per day at least.
So in 1 month you have ~40% more memory usage.

It's quite easy to reproduce, run Suricata with default config in af-packet mode on one interface (no traffic needed) with some rules (ETopen in my case) and send a USR2 signal every minute and watch the consumption increase.

Actions #1

Updated by Victor Julien about 8 years ago

As a first step, we need resolve the leaks valgrind reports. They seem minor, but add up over time of course. Here are some I saw in a quick test:

==62801== 7,440 bytes in 120 blocks are definitely lost in loss record 382 of 385
==62801==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==62801==    by 0x5F4B28A: pcre_get_substring (pcre_get.c:499)
==62801==    by 0x8664B6: DetectTlsFingerprintParse (detect-tls.c:631)
==62801==    by 0x8676B3: DetectTlsFingerprintSetup (detect-tls.c:741)
==62801==    by 0x8213A5: SigParseOptions (detect-parse.c:540)
==62801==    by 0x822E54: SigParse (detect-parse.c:858)
==62801==    by 0x826D64: SigInitHelper (detect-parse.c:1370)
==62801==    by 0x827835: SigInit (detect-parse.c:1565)
==62801==    by 0x828478: DetectEngineAppendSig (detect-parse.c:1830)
==62801==    by 0x59557D: DetectLoadSigFile (detect.c:355)
==62801==    by 0x595D8C: ProcessSigFiles (detect.c:417)
==62801==    by 0x596365: SigLoadSignatures (detect.c:482)
==62801==
==62801== 9,600 (1,824 direct, 7,776 indirect) bytes in 38 blocks are definitely lost in loss record 383 of 385
==62801==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==62801==    by 0x701B86: DetectPortInit (detect-engine-port.c:74)
==62801==    by 0x704A3A: DetectPortCopy (detect-engine-port.c:771)
==62801==    by 0x704A8F: DetectPortCopy (detect-engine-port.c:780)
==62801==    by 0x706FA7: DetectPortParseMergeNotPorts (detect-engine-port.c:1278)
==62801==    by 0x707DBD: DetectPortParse (detect-engine-port.c:1419)
==62801==    by 0x821D3B: SigParsePort (detect-parse.c:654)
==62801==    by 0x8228C6: SigParseBasics (detect-parse.c:808)
==62801==    by 0x822AC7: SigParse (detect-parse.c:839)
==62801==    by 0x826D64: SigInitHelper (detect-parse.c:1370)
==62801==    by 0x827835: SigInit (detect-parse.c:1565)
==62801==    by 0x828478: DetectEngineAppendSig (detect-parse.c:1830)

==62801== 156 (72 direct, 84 indirect) bytes in 3 blocks are definitely lost in loss record 298 of 385
==62801==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==62801==    by 0xAAF003: SCRadixCreatePrefix (util-radix-tree.c:144)
==62801==    by 0xAB0BBF: SCRadixAddKey (util-radix-tree.c:522)
==62801==    by 0xAB2BC5: SCRadixAddKeyIPV4Netblock (util-radix-tree.c:897)
==62801==    by 0x6E66DE: IPOnlyPrepare (detect-engine-iponly.c:1197)
==62801==    by 0x5A879A: SigAddressPrepareStage2 (detect.c:3534)
==62801==    by 0x5AD884: SigGroupBuild (detect.c:4671)
==62801==    by 0x596880: SigLoadSignatures (detect.c:538)
==62801==    by 0x63B63B: DetectEngineReload (detect-engine.c:2541)
==62801==    by 0x9ED49A: main (suricata.c:2431)

==62801== 96 bytes in 3 blocks are still reachable in loss record 213 of 385
==62801==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==62801==    by 0x62F3B1: DetectEngineRegisterAppInspectionEngine (detect-engine.c:464)
==62801==    by 0x8275CB: SigInitHelper (detect-parse.c:1503)
==62801==    by 0x827835: SigInit (detect-parse.c:1565)
==62801==    by 0x828478: DetectEngineAppendSig (detect-parse.c:1830)
==62801==    by 0x59557D: DetectLoadSigFile (detect.c:355)
==62801==    by 0x595D8C: ProcessSigFiles (detect.c:417)
==62801==    by 0x596365: SigLoadSignatures (detect.c:482)
==62801==    by 0x9EAE03: LoadSignatures (suricata.c:1951)
==62801==    by 0x9ECDE2: main (suricata.c:2316)

==62801== 72 bytes in 3 blocks are indirectly lost in loss record 189 of 385
==62801==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==62801==    by 0xAAE766: SCRadixAllocSCRadixUserData (util-radix-tree.c:46)
==62801==    by 0xAAF5B3: SCRadixCreatePrefix (util-radix-tree.c:157)
==62801==    by 0xAB0BBF: SCRadixAddKey (util-radix-tree.c:522)
==62801==    by 0xAB2BC5: SCRadixAddKeyIPV4Netblock (util-radix-tree.c:897)
==62801==    by 0x6E66DE: IPOnlyPrepare (detect-engine-iponly.c:1197)
==62801==    by 0x5A879A: SigAddressPrepareStage2 (detect.c:3534)
==62801==    by 0x5AD884: SigGroupBuild (detect.c:4671)
==62801==    by 0x596880: SigLoadSignatures (detect.c:538)
==62801==    by 0x63B63B: DetectEngineReload (detect-engine.c:2541)
==62801==    by 0x9ED49A: main (suricata.c:2431)
==62801==

==62801== 36 bytes in 6 blocks are definitely lost in loss record 99 of 385
==62801==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==62801==    by 0x5F4B28A: pcre_get_substring (pcre_get.c:499)
==62801==    by 0x85562D: DetectSslVersionParse (detect-ssl-version.c:215)
==62801==    by 0x855DF0: DetectSslVersionSetup (detect-ssl-version.c:303)
==62801==    by 0x8213A5: SigParseOptions (detect-parse.c:540)
==62801==    by 0x822E54: SigParse (detect-parse.c:858)
==62801==    by 0x826D64: SigInitHelper (detect-parse.c:1370)
==62801==    by 0x827835: SigInit (detect-parse.c:1565)
==62801==    by 0x828478: DetectEngineAppendSig (detect-parse.c:1830)
==62801==    by 0x59557D: DetectLoadSigFile (detect.c:355)
==62801==    by 0x595D8C: ProcessSigFiles (detect.c:417)
==62801==    by 0x596365: SigLoadSignatures (detect.c:482)
==62801==

==62801== 32 bytes in 1 blocks are still reachable in loss record 96 of 385
==62801==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==62801==    by 0x62F3B1: DetectEngineRegisterAppInspectionEngine (detect-engine.c:464)
==62801==    by 0x827681: SigInitHelper (detect-parse.c:1523)
==62801==    by 0x827835: SigInit (detect-parse.c:1565)
==62801==    by 0x828478: DetectEngineAppendSig (detect-parse.c:1830)
==62801==    by 0x59557D: DetectLoadSigFile (detect.c:355)
==62801==    by 0x595D8C: ProcessSigFiles (detect.c:417)
==62801==    by 0x596365: SigLoadSignatures (detect.c:482)
==62801==    by 0x9EAE03: LoadSignatures (suricata.c:1951)
==62801==    by 0x9ECDE2: main (suricata.c:2316)
==62801==
==62801== 32 bytes in 1 blocks are still reachable in loss record 97 of 385
==62801==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==62801==    by 0x62F3B1: DetectEngineRegisterAppInspectionEngine (detect-engine.c:464)
==62801==    by 0x827637: SigInitHelper (detect-parse.c:1514)
==62801==    by 0x827835: SigInit (detect-parse.c:1565)
==62801==    by 0x828478: DetectEngineAppendSig (detect-parse.c:1830)
==62801==    by 0x59557D: DetectLoadSigFile (detect.c:355)
==62801==    by 0x595D8C: ProcessSigFiles (detect.c:417)
==62801==    by 0x596365: SigLoadSignatures (detect.c:482)
==62801==    by 0x9EAE03: LoadSignatures (suricata.c:1951)
==62801==    by 0x9ECDE2: main (suricata.c:2316)
==62801==

Actions #2

Updated by Victor Julien almost 8 years ago

  • Status changed from New to Closed
  • Target version changed from 70 to 3.0.1

All known issues are fixed.

Actions

Also available in: Atom PDF