Support #305 (closed)
Suricata exits during startup when loading large rule files
Description
Suricata exits with the following error when loading the combined ET and VRT ruleset (~30k rules):
[7069] 27/7/2011 -- 14:14:09 - (detect.c:631) <Info> (SigLoadSignatures) -- 102 rule files processed. 30183 rules succesfully loaded, 164 rules failed
[7069] 27/7/2011 -- 14:14:47 - (detect.c:2161) <Info> (SigAddressPrepareStage1) -- 30701 signatures processed. 1800 are IP-only rules, 20152 are inspecting packet payload, 11088 inspect application layer, 0 are decoder event only
[7069] 27/7/2011 -- 14:14:47 - (detect.c:2164) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
[7069] 27/7/2011 -- 14:14:48 - (detect.c:2806) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[7069] 27/7/2011 -- 14:16:40 - (detect.c:3363) <Info> (SigAddressPrepareStage3) -- MPM memory 1801173581 (dynamic 1801173581, ctxs 0, avg per ctx 0)
[7069] 27/7/2011 -- 14:16:40 - (detect.c:3365) <Info> (SigAddressPrepareStage3) -- max sig id 30701, array size 3838
[7069] 27/7/2011 -- 14:16:40 - (detect.c:3376) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[7069] 27/7/2011 -- 14:16:43 - (detect-engine-siggroup.c:1583) <Error> (SigGroupHeadBuildHeadArray) -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - SCMalloc failed: Cannot allocate memory, while trying to allocate 558852 bytes
[7069] 27/7/2011 -- 14:16:43 - (detect-engine-siggroup.c:1583) <Error> (SigGroupHeadBuildHeadArray) -- [ERRCODE: SC_ERR_FATAL(169)] - Out of memory. The engine cannot be initialized. Exiting...
Watching top (refreshing at 0.2 sec) during the startup process, I noticed a rather large and fast spike in memory utilization up to between 2 and 3 GB, followed by an immediate drop as Suricata exits with the error mentioned above. At no time have I seen the memory utilization exceed 4 GB via top.
Suricata loads and runs fine when using either the ET or the VRT ruleset with significantly fewer rules included. The error has only happened when using the combined ruleset with ~30k rules. The initial fix was to increase system RAM from 4 GB to 8 GB. No change. Increased it further to 16 GB and no change.
I've included my suricata.yaml file in case there is a configuration setting in there that I've boned up.
Additionally, I've included a file with the results of 'free -m' and the memory stats from running 'collectl' during the startup process. Again, the record interval is 0.2 sec. You can see how quickly Suricata spikes then drops right before exiting.
I'm running Suricata 1.1b2 from the tarball on a CentOS 5.6 based VM with 4 cores and 16 GB RAM allocated. It is the 32-bit kernel, but we just installed the kernel-PAE packages today to allow it to access more than 4 GB of RAM.
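The report raises RAM from 4 GB to 16 GB without effect on a 32-bit PAE kernel. The script below is an added example, not code from the report or from Suricata: it parses the memory figures out of the quoted startup log lines and shows which ceiling a single process hits first. It assumes the default 3 GiB/1 GiB user/kernel split of a 32-bit Linux kernel (PAE raises addressable physical RAM, not a process's virtual address space) and the 128 TiB user half on x86-64.

```python
import re

# Added example, not code from the bug report or from Suricata. A 32-bit Linux
# process gets 3 GiB of user virtual address space with the default kernel split
# (assumed here); PAE raises physical RAM, not that per-process ceiling.
USER_VA_LIMIT = {32: 3 * 1024**3, 64: 128 * 1024**4}
GiB = 1024**3

MPM_RE = re.compile(r"MPM memory (\d+) \(dynamic (\d+), ctxs (\d+), avg per ctx (\d+)\)")
ALLOC_RE = re.compile(r"SCMalloc failed: .*?while trying to allocate (\d+) bytes")


def parse_startup_log(text):
    """Return the MPM total and the size of the failed SCMalloc (None if absent)."""
    mpm, alloc = MPM_RE.search(text), ALLOC_RE.search(text)
    return {
        "mpm_bytes": int(mpm.group(1)) if mpm else None,
        "failed_alloc_bytes": int(alloc.group(1)) if alloc else None,
    }


def binding_limit(kernel_bits, system_ram_bytes):
    """Name the ceiling one process reaches first: address space or physical RAM."""
    va = USER_VA_LIMIT[kernel_bits]
    return "user address space" if va <= system_ram_bytes else "physical RAM"


def triage(parsed, kernel_bits, system_ram_bytes):
    """Summarise an SCMalloc failure against the limit that actually binds."""
    ceiling = min(USER_VA_LIMIT[kernel_bits], system_ram_bytes)
    mpm = parsed["mpm_bytes"] or 0
    return {
        "limit": binding_limit(kernel_bits, system_ram_bytes),
        "ceiling_gib": round(ceiling / GiB, 2),
        "mpm_share_of_ceiling": round(mpm / ceiling, 2),
        "failed_alloc_bytes": parsed["failed_alloc_bytes"],
    }


# Constructed from the two log lines quoted in the report above.
SAMPLE_LOG = """\
[7069] 27/7/2011 -- 14:16:40 - (detect.c:3363) <Info> (SigAddressPrepareStage3) -- MPM memory 1801173581 (dynamic 1801173581, ctxs 0, avg per ctx 0)
[7069] 27/7/2011 -- 14:16:43 - (detect-engine-siggroup.c:1583) <Error> (SigGroupHeadBuildHeadArray) -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - SCMalloc failed: Cannot allocate memory, while trying to allocate 558852 bytes
"""

if __name__ == "__main__":
    parsed = parse_startup_log(SAMPLE_LOG)
    for ram_gib in (4, 8, 16):  # the RAM sizes tried in the report
        print(ram_gib, "GiB RAM:", triage(parsed, 32, ram_gib * GiB))
```

For every RAM size tried in the report the binding limit on a 32-bit kernel stays "user address space" at 3 GiB, with the MPM structures alone taking about 56% of it before the 558852-byte request fails.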
Files