Actions
Bug #1659
closedIncreasing memory consumption when using live reload
Added by Andreas Herz about 10 years ago. Updated almost 10 years ago.
Affected Versions:
Effort:
Difficulty:
Label:
Description
This is still an issue, related issues from older times are #492 and maybe even #573 might be involved and also some info is in #1358.
I can reproduce it with sending USR2 for several times and get increased memory usage.
That's with 3.0RC3 and on Debian, Gentoo, Arch, CentOS (no diff between 32/64bit x86).
It's an issue with systems that run for days and have dynamic IPs for example. Those get triggered with USR2 to reload the new HOME_NET info once per day at least.
So in 1 month you have ~40% more memory usage.
It's quite easy to reproduce, run Suricata with default config in af-packet mode on one interface (no traffic needed) with some rules (ETopen in my case) and send a USR2 signal every minute and watch the consumption increase.
Updated by Victor Julien about 10 years ago
As a first step, we need resolve the leaks valgrind reports. They seem minor, but add up over time of course. Here are some I saw in a quick test:
==62801== 7,440 bytes in 120 blocks are definitely lost in loss record 382 of 385 ==62801== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==62801== by 0x5F4B28A: pcre_get_substring (pcre_get.c:499) ==62801== by 0x8664B6: DetectTlsFingerprintParse (detect-tls.c:631) ==62801== by 0x8676B3: DetectTlsFingerprintSetup (detect-tls.c:741) ==62801== by 0x8213A5: SigParseOptions (detect-parse.c:540) ==62801== by 0x822E54: SigParse (detect-parse.c:858) ==62801== by 0x826D64: SigInitHelper (detect-parse.c:1370) ==62801== by 0x827835: SigInit (detect-parse.c:1565) ==62801== by 0x828478: DetectEngineAppendSig (detect-parse.c:1830) ==62801== by 0x59557D: DetectLoadSigFile (detect.c:355) ==62801== by 0x595D8C: ProcessSigFiles (detect.c:417) ==62801== by 0x596365: SigLoadSignatures (detect.c:482) ==62801== ==62801== 9,600 (1,824 direct, 7,776 indirect) bytes in 38 blocks are definitely lost in loss record 383 of 385 ==62801== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==62801== by 0x701B86: DetectPortInit (detect-engine-port.c:74) ==62801== by 0x704A3A: DetectPortCopy (detect-engine-port.c:771) ==62801== by 0x704A8F: DetectPortCopy (detect-engine-port.c:780) ==62801== by 0x706FA7: DetectPortParseMergeNotPorts (detect-engine-port.c:1278) ==62801== by 0x707DBD: DetectPortParse (detect-engine-port.c:1419) ==62801== by 0x821D3B: SigParsePort (detect-parse.c:654) ==62801== by 0x8228C6: SigParseBasics (detect-parse.c:808) ==62801== by 0x822AC7: SigParse (detect-parse.c:839) ==62801== by 0x826D64: SigInitHelper (detect-parse.c:1370) ==62801== by 0x827835: SigInit (detect-parse.c:1565) ==62801== by 0x828478: DetectEngineAppendSig (detect-parse.c:1830) ==62801== 156 (72 direct, 84 indirect) bytes in 3 blocks are definitely lost in loss record 298 of 385 ==62801== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==62801== by 0xAAF003: SCRadixCreatePrefix (util-radix-tree.c:144) ==62801== by 0xAB0BBF: SCRadixAddKey (util-radix-tree.c:522) ==62801== by 0xAB2BC5: SCRadixAddKeyIPV4Netblock (util-radix-tree.c:897) ==62801== by 0x6E66DE: IPOnlyPrepare (detect-engine-iponly.c:1197) ==62801== by 0x5A879A: SigAddressPrepareStage2 (detect.c:3534) ==62801== by 0x5AD884: SigGroupBuild (detect.c:4671) ==62801== by 0x596880: SigLoadSignatures (detect.c:538) ==62801== by 0x63B63B: DetectEngineReload (detect-engine.c:2541) ==62801== by 0x9ED49A: main (suricata.c:2431) ==62801== 96 bytes in 3 blocks are still reachable in loss record 213 of 385 ==62801== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==62801== by 0x62F3B1: DetectEngineRegisterAppInspectionEngine (detect-engine.c:464) ==62801== by 0x8275CB: SigInitHelper (detect-parse.c:1503) ==62801== by 0x827835: SigInit (detect-parse.c:1565) ==62801== by 0x828478: DetectEngineAppendSig (detect-parse.c:1830) ==62801== by 0x59557D: DetectLoadSigFile (detect.c:355) ==62801== by 0x595D8C: ProcessSigFiles (detect.c:417) ==62801== by 0x596365: SigLoadSignatures (detect.c:482) ==62801== by 0x9EAE03: LoadSignatures (suricata.c:1951) ==62801== by 0x9ECDE2: main (suricata.c:2316) ==62801== 72 bytes in 3 blocks are indirectly lost in loss record 189 of 385 ==62801== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==62801== by 0xAAE766: SCRadixAllocSCRadixUserData (util-radix-tree.c:46) ==62801== by 0xAAF5B3: SCRadixCreatePrefix (util-radix-tree.c:157) ==62801== by 0xAB0BBF: SCRadixAddKey (util-radix-tree.c:522) ==62801== by 0xAB2BC5: SCRadixAddKeyIPV4Netblock (util-radix-tree.c:897) ==62801== by 0x6E66DE: IPOnlyPrepare (detect-engine-iponly.c:1197) ==62801== by 0x5A879A: SigAddressPrepareStage2 (detect.c:3534) ==62801== by 0x5AD884: SigGroupBuild (detect.c:4671) ==62801== by 0x596880: SigLoadSignatures (detect.c:538) ==62801== by 0x63B63B: DetectEngineReload (detect-engine.c:2541) ==62801== by 0x9ED49A: main (suricata.c:2431) ==62801== ==62801== 36 bytes in 6 blocks are definitely lost in loss record 99 of 385 ==62801== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==62801== by 0x5F4B28A: pcre_get_substring (pcre_get.c:499) ==62801== by 0x85562D: DetectSslVersionParse (detect-ssl-version.c:215) ==62801== by 0x855DF0: DetectSslVersionSetup (detect-ssl-version.c:303) ==62801== by 0x8213A5: SigParseOptions (detect-parse.c:540) ==62801== by 0x822E54: SigParse (detect-parse.c:858) ==62801== by 0x826D64: SigInitHelper (detect-parse.c:1370) ==62801== by 0x827835: SigInit (detect-parse.c:1565) ==62801== by 0x828478: DetectEngineAppendSig (detect-parse.c:1830) ==62801== by 0x59557D: DetectLoadSigFile (detect.c:355) ==62801== by 0x595D8C: ProcessSigFiles (detect.c:417) ==62801== by 0x596365: SigLoadSignatures (detect.c:482) ==62801== ==62801== 32 bytes in 1 blocks are still reachable in loss record 96 of 385 ==62801== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==62801== by 0x62F3B1: DetectEngineRegisterAppInspectionEngine (detect-engine.c:464) ==62801== by 0x827681: SigInitHelper (detect-parse.c:1523) ==62801== by 0x827835: SigInit (detect-parse.c:1565) ==62801== by 0x828478: DetectEngineAppendSig (detect-parse.c:1830) ==62801== by 0x59557D: DetectLoadSigFile (detect.c:355) ==62801== by 0x595D8C: ProcessSigFiles (detect.c:417) ==62801== by 0x596365: SigLoadSignatures (detect.c:482) ==62801== by 0x9EAE03: LoadSignatures (suricata.c:1951) ==62801== by 0x9ECDE2: main (suricata.c:2316) ==62801== ==62801== 32 bytes in 1 blocks are still reachable in loss record 97 of 385 ==62801== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==62801== by 0x62F3B1: DetectEngineRegisterAppInspectionEngine (detect-engine.c:464) ==62801== by 0x827637: SigInitHelper (detect-parse.c:1514) ==62801== by 0x827835: SigInit (detect-parse.c:1565) ==62801== by 0x828478: DetectEngineAppendSig (detect-parse.c:1830) ==62801== by 0x59557D: DetectLoadSigFile (detect.c:355) ==62801== by 0x595D8C: ProcessSigFiles (detect.c:417) ==62801== by 0x596365: SigLoadSignatures (detect.c:482) ==62801== by 0x9EAE03: LoadSignatures (suricata.c:1951) ==62801== by 0x9ECDE2: main (suricata.c:2316) ==62801==
Updated by Victor Julien almost 10 years ago
- Status changed from New to Closed
- Target version changed from 70 to 3.0.1
All known issues are fixed.
Actions