Bug #3516
Status: closed
Suricata Out of memory: Kill process
Description
Hi team,
I deployed Suricata v5.0.2 on an EC2 instance on AWS and use it to analyse the VXLAN protocol to get DNS data (only mirrored DNS traffic). An out-of-memory alarm event recently occurred on this machine.
This problem happens every day. I hope you can help me; I wonder if I need to add another server?
Sample from kern.log:
Mar 7 06:25:09 ip-10-180-102-245 kernel: [99601.312428] new mount options do not match the existing superblock, will be ignored
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718745] W#03-ens5 invoked oom-killer: gfp_mask=0x14200ca(GFP_HIGHUSER_MOVABLE), nodemask=(null), order=0, oom_score_adj=0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718747] W#03-ens5 cpuset=/ mems_allowed=0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718751] CPU: 3 PID: 21372 Comm: W#03-ens5 Not tainted 4.15.0-1060-aws #62-Ubuntu
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718752] Hardware name: Amazon EC2 c5n.4xlarge/, BIOS 1.0 10/16/2017
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718753] Call Trace:
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718761] dump_stack+0x6d/0x8e
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718764] dump_header+0x71/0x285
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718767] ? security_capable_noaudit+0x4b/0x70
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718769] oom_kill_process+0x21f/0x420
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718770] out_of_memory+0x116/0x4e0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718772] __alloc_pages_slowpath+0xa53/0xe00
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718774] __alloc_pages_nodemask+0x29a/0x2c0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718777] alloc_pages_current+0x6a/0xe0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718780] __page_cache_alloc+0x81/0xa0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718782] filemap_fault+0x3ea/0x6f0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718784] ? filemap_map_pages+0x181/0x390
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718786] ext4_filemap_fault+0x31/0x44
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718788] __do_fault+0x5b/0x115
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718789] __handle_mm_fault+0xdef/0x1290
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718792] ? futex_wake+0x8f/0x180
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718794] handle_mm_fault+0xb1/0x210
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718797] __do_page_fault+0x281/0x4b0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718800] ? ktime_get_ts64+0x51/0xf0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718801] do_page_fault+0x2e/0xe0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718805] ? async_page_fault+0x2f/0x50
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718809] do_async_page_fault+0x51/0x80
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718810] async_page_fault+0x45/0x50
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718812] RIP: 0033:0x7f5a929b3ad0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718813] RSP: 002b:00007f5a8f484d78 EFLAGS: 00010287
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718814] RAX: 00007f5a842677e0 RBX: 00007f5a842677e0 RCX: 0000000000000000
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718815] RDX: 000000000000003f RSI: 00007f5a8c43a0c2 RDI: 00007f5a84267b80
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718815] RBP: 00007f5a84268180 R08: 000000000000003f R09: 0000000000000003
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718816] R10: 0000000000000055 R11: 00007f5a8c43a0ac R12: 0000000000000003
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718817] R13: 0000563973654170 R14: 00007f5a8427a090 R15: 00007f5a8c43a0c2
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718818] Mem-Info:
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718821] active_anon:10339830 inactive_anon:429 isolated_anon:0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718821] active_file:129 inactive_file:56 isolated_file:0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718821] unevictable:0 dirty:16 writeback:0 unstable:0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718821] slab_reclaimable:23954 slab_unreclaimable:35917
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718821] mapped:1293 shmem:502 pagetables:22019 bounce:0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718821] free:58985 free_pcp:244 free_cma:0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718824] Node 0 active_anon:41359320kB inactive_anon:1716kB active_file:516kB inactive_file:224kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:5172kB dirty:64kB writeback:0kB shmem:2008kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 96256kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718825] Node 0 DMA free:15908kB min:24kB low:36kB high:48kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718828] lowmem_reserve[]: 0 2972 41199 41199 41199
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718830] Node 0 DMA32 free:157744kB min:4872kB low:7916kB high:10960kB active_anon:2892356kB inactive_anon:0kB active_file:168kB inactive_file:88kB unevictable:0kB writepending:0kB present:3129316kB managed:3063748kB mlocked:0kB kernel_stack:80kB pagetables:5796kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718832] lowmem_reserve[]: 0 0 38226 38226 38226
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718834] Node 0 Normal free:62288kB min:62680kB low:101824kB high:140968kB active_anon:38467196kB inactive_anon:1716kB active_file:512kB inactive_file:1224kB unevictable:0kB writepending:0kB present:39845888kB managed:39148676kB mlocked:0kB kernel_stack:7200kB pagetables:82280kB bounce:0kB free_pcp:976kB local_pcp:104kB free_cma:0kB
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718837] lowmem_reserve[]: 0 0 0 0 0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718838] Node 0 DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718844] Node 0 DMA32: 8894*4kB (UME) 743*8kB (UME) 573*16kB (UME) 439*32kB (UME) 317*64kB (UME) 201*128kB (UME) 83*256kB (UME) 27*512kB (UME) 12*1024kB (UME) 0*2048kB 0*4096kB = 158112kB
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718850] Node 0 Normal: 494*4kB (UME) 406*8kB (UME) 3556*16kB (UME) 81*32kB (UME) 6*64kB (M) 2*128kB (M) 1*256kB (M) 0*512kB 0*1024kB 0*2048kB 0*4096kB = 65608kB
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718856] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=1048576kB
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718857] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718857] 1223 total pagecache pages
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718858] 0 pages in swap cache
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718859] Swap cache stats: add 0, delete 0, find 0/0
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718859] Free swap = 0kB
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718860] Total swap = 0kB
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718860] 10747799 pages RAM
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718861] 0 pages HighMem/MovableOnly
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718861] 190716 pages reserved
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718862] 0 pages cma reserved
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718862] 0 pages hwpoisoned
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718863] [ pid ] uid tgid total_vm rss pgtables_bytes swapents oom_score_adj name
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718876] [ 759] 0 759 11901 114 131072 0 0 rpcbind
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718877] [ 1068] 0 1068 72022 248 196608 0 0 accounts-daemon
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718879] [ 1073] 0 1073 192063 925 204800 0 0 amazon-ssm-agen
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718881] [ 1078] 103 1078 12635 287 151552 0 -900 dbus-daemon
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718882] [ 1119] 0 1119 17697 240 180224 0 0 systemd-logind
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718883] [ 1123] 0 1123 7083 52 102400 0 0 atd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718885] [ 1137] 0 1137 42706 1945 221184 0 0 networkd-dispat
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718886] [ 1150] 0 1150 46917 1978 253952 0 0 unattended-upgr
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718887] [ 1154] 0 1154 77203 97 98304 0 0 lxcfs
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718888] [ 1159] 0 1159 7962 75 102400 0 0 cron
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718890] [ 1167] 0 1167 16563 3517 167936 0 0 supervisord
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718891] [ 1197] 0 1197 717602 3521 524288 0 -999 containerd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718892] [ 1232] 0 1232 72221 211 208896 0 0 polkitd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718893] [ 1252] 0 1252 4103 37 69632 0 0 agetty
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718895] [ 1258] 0 1258 18075 188 184320 0 -1000 sshd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718897] [ 1271] 0 1271 3722 32 69632 0 0 agetty
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718898] [ 4746] 100 4746 17998 184 172032 0 0 systemd-network
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718899] [ 4778] 101 4778 17660 167 180224 0 0 systemd-resolve
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718901] [ 4807] 62583 4807 35484 148 188416 0 0 systemd-timesyn
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718902] [ 4832] 0 4832 25988 2438 229376 0 0 systemd-journal
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718904] [ 8661] 106 8661 7149 45 102400 0 0 uuidd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718905] [ 8852] 0 8852 10801 262 114688 0 -1000 systemd-udevd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718906] [10433] 0 10433 27632 100 110592 0 0 irqbalance
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718908] [12403] 0 12403 750983 3798 507904 0 -900 snapd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718909] [15024] 0 15024 24427 45 90112 0 0 lvmetad
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718910] [21396] 102 21396 66818 363 180224 0 0 rsyslogd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718911] [12620] 114 12620 24471 214 225280 0 0 zabbix_agentd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718913] [12640] 114 12640 24471 534 217088 0 0 zabbix_agentd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718914] [12642] 114 12642 24471 254 217088 0 0 zabbix_agentd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718915] [12643] 114 12643 24471 254 217088 0 0 zabbix_agentd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718916] [12646] 114 12646 24471 254 217088 0 0 zabbix_agentd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718917] [12647] 114 12647 24471 238 217088 0 0 zabbix_agentd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718919] [21369] 0 21369 10465803 10203806 82219008 0 0 Suricata-Main
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718920] [12700] 0 12700 811505 107586 1581056 0 0 filebeat
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718921] [20638] 0 20638 9091 245 90112 0 0 ossec-execd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718923] [20643] 113 20643 64696 423 126976 0 0 ossec-agentd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718924] [20650] 0 20650 28048 860 102400 0 0 ossec-syscheckd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718925] [20655] 0 20655 101282 329 135168 0 0 ossec-logcollec
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718927] [20665] 0 20665 104394 766 159744 0 0 wazuh-modulesd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718928] [24815] 0 24815 491679 2218 479232 0 0 filebeat
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718930] [24679] 0 24679 204869 553 258048 0 0 kubelet
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718932] Out of memory: Kill process 21369 (Suricata-Main) score 939 or sacrifice child
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.722647] Killed process 21369 (Suricata-Main) total-vm:41863212kB, anon-rss:40815224kB, file-rss:0kB, shmem-rss:0kB
Mar 7 17:50:16 ip-10-180-102-245 kernel: [140708.385798] oom_reaper: reaped process 21369 (Suricata-Main), now anon-rss:0kB, file-rss:3584kB, shmem-rss:0kB
Mar 7 17:50:17 ip-10-180-102-245 kernel: [140709.304162] device ens5 left promiscuous mode
Mar 7 17:50:18 ip-10-180-102-245 kernel: [140710.614528] device ens5 entered promiscuous mode
EC2 Config:
c5n.4xlarge
vCPU: 16
Mem: 42G
OS
Linux ip-10-180-102-245 4.15.0-1060-aws #62-Ubuntu SMP Tue Feb 11 21:23:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Suricata version
This is Suricata version 5.0.2 RELEASE
Suricata Config
- eve-log:
    enabled: yes
    filetype: regular
    filemode: 644
    filename: dns_query-%Y-%m-%d-%H:%M.json
    rotate-interval: 30m
    metadata: yes
    pcap-file: false
    community-id: false
    community-id-seed: 0
    types:
      - dns:
          version: 2
          requests: yes
          responses: no
          types: [a, cname, mx, ns, ptr, txt]
- eve-log:
    enabled: yes
    filetype: regular
    filemode: 644
    filename: dns_answer-%Y-%m-%d-%H:%M.json
    rotate-interval: 30m
    metadata: yes
    pcap-file: false
    community-id: false
    community-id-seed: 0
    types:
      - dns:
          version: 2
          requests: no
          responses: yes
          formats: [grouped] #[detailed, grouped]
          types: [a, cname, mx, ns, ptr, txt]

af-packet:
  - interface: ens5
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes

default-packet-size: 9015

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: ["0"] # include only these CPUs in affinity settings
    - worker-cpu-set:
        cpu: ["1-15"]
        mode: "exclusive"
        prio:
          low: []
          medium: ["0"]
          high: ["1-15"]
          default: "high"
# free -m
              total        used        free      shared  buff/cache   available
Mem:          41238       37606         292           1        3340        3116
Swap:             0           0           0
[Attached screenshots: NIC traffic, memory and CPU load graphs from Zabbix]
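The oom-killer dump above already contains the answer to "who ate the memory": the process table lists rss in 4 KiB pages, and "pages RAM" minus "pages reserved" is the figure `free -m` calls total. As an added example, not code from the reporter or from the Suricata project, the Python script below parses that table from kern.log and ranks the resident set sizes; the sample input is a constructed subset of the kernel lines quoted in this report, kept with their syslog prefixes so the regexes see realistic lines.

```python
import re
from dataclasses import dataclass

PAGE_KB = 4  # x86_64 base page size; the oom-killer table reports rss/total_vm in pages

# Constructed sample input: a subset of the kern.log lines from the report above,
# kept with their syslog/kernel prefixes so the parser sees realistic lines.
SAMPLE_KERN_LOG = """\
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718860] 10747799 pages RAM
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718861] 190716 pages reserved
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718863] [ pid ]   uid  tgid total_vm      rss pgtables_bytes swapents oom_score_adj name
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718876] [  759]     0   759    11901      114   131072        0             0 rpcbind
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718891] [ 1197]     0  1197   717602     3521   524288        0          -999 containerd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718908] [12403]     0 12403   750983     3798   507904        0          -900 snapd
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718919] [21369]     0 21369 10465803 10203806 82219008        0             0 Suricata-Main
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718920] [12700]     0 12700   811505   107586  1581056        0             0 filebeat
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.718932] Out of memory: Kill process 21369 (Suricata-Main) score 939 or sacrifice child
Mar 7 17:50:13 ip-10-180-102-245 kernel: [140705.722647] Killed process 21369 (Suricata-Main) total-vm:41863212kB, anon-rss:40815224kB, file-rss:0kB, shmem-rss:0kB
"""

# One row of the "[ pid ] uid tgid total_vm rss ..." table.
PROC_RE = re.compile(
    r"\[\s*(?P<pid>\d+)\]\s+(?P<uid>\d+)\s+(?P<tgid>\d+)\s+(?P<total_vm>\d+)\s+"
    r"(?P<rss>\d+)\s+(?P<pgtables>\d+)\s+(?P<swapents>\d+)\s+(?P<oom_adj>-?\d+)\s+(?P<name>\S+)\s*$"
)
RAM_RE = re.compile(r"(?P<pages>\d+) pages RAM\b")
RESERVED_RE = re.compile(r"(?P<pages>\d+) pages reserved\b")
KILLED_RE = re.compile(
    r"Killed process (?P<pid>\d+) \((?P<name>[^)]+)\).*?anon-rss:(?P<anon_rss_kb>\d+)kB"
)


@dataclass(frozen=True)
class OomProc:
    pid: int
    uid: int
    name: str
    rss_kb: int
    total_vm_kb: int
    oom_score_adj: int


def parse_oom_report(text: str) -> dict:
    """Extract the process table, usable RAM and the kill decision from an oom-killer dump."""
    procs, ram_pages, reserved_pages, killed = [], None, 0, None
    for line in text.splitlines():
        m = PROC_RE.search(line)
        if m:
            procs.append(OomProc(
                pid=int(m["pid"]), uid=int(m["uid"]), name=m["name"],
                rss_kb=int(m["rss"]) * PAGE_KB,
                total_vm_kb=int(m["total_vm"]) * PAGE_KB,
                oom_score_adj=int(m["oom_adj"]),
            ))
        elif (m := RAM_RE.search(line)):
            ram_pages = int(m["pages"])
        elif (m := RESERVED_RE.search(line)):
            reserved_pages = int(m["pages"])
        elif (m := KILLED_RE.search(line)):
            killed = (int(m["pid"]), m["name"], int(m["anon_rss_kb"]))
    # "pages RAM" minus "pages reserved" is what the kernel actually manages,
    # which is the figure `free -m` reports as total.
    usable_kb = (ram_pages - reserved_pages) * PAGE_KB if ram_pages else None
    procs.sort(key=lambda p: p.rss_kb, reverse=True)
    return {"procs": procs, "usable_kb": usable_kb, "killed": killed}


def top_consumers(report: dict, n: int = 3) -> list:
    """(name, pid, rss MiB) for the n largest resident processes."""
    return [(p.name, p.pid, p.rss_kb // 1024) for p in report["procs"][:n]]


def rss_share(report: dict, pid: int) -> float:
    """Fraction of usable RAM held by one process at the moment of the kill."""
    proc = next(p for p in report["procs"] if p.pid == pid)
    return proc.rss_kb / report["usable_kb"]


if __name__ == "__main__":
    rep = parse_oom_report(SAMPLE_KERN_LOG)
    print(f"usable RAM: {rep['usable_kb'] // 1024} MiB, killed: {rep['killed']}")
    for name, pid, mib in top_consumers(rep):
        print(f"  {name:16s} pid={pid:<6d} rss={mib} MiB ({rss_share(rep, pid):.1%})")
```

Run against the real kern.log with `python3 oom_table.py < /var/log/kern.log` after swapping the sample for `sys.stdin.read()`. On this report it reproduces the 41238 MiB total that `free -m` shows and puts Suricata-Main at about 97% of it, with nothing else above half a gigabyte, so the question is not "which process" but "which Suricata subsystem".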
Updated by xu hui over 4 years ago
Update
When I try to turn off writes to the dns_query and dns_answer logs, the memory utilization still stays high.
[Attached screenshot: memory graph from Zabbix]
I think this problem is because the amount of data is too large, causing Suricata to fail to write data to the hard disk in time and to cache the data in memory. This is my guess; I hope you can help me. Thank you!
Updated by Peter Manev over 4 years ago
A couple of suggestions/questions, since you mentioned it occurs every day.
What is the output of "suricata --dump-config | grep mem"?
Would the same happen if you change the default packet size from 9015 to 1600?
Are there any errors in (usually) /var/log/suricata.log?
When it starts occurring again, can you please share a screenshot of "perf top -p pid_of_suricata_here"?
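The first question above is really a budget check: do the configured memcaps add up to more than the box has? As an added example, not part of this thread or of Suricata itself, the Python below parses `key = value` lines in the shape `suricata --dump-config` prints, converts Suricata size strings (1024-based `kb`/`mb`/`gb`, or a bare byte count) and compares the sum of every `*.memcap` against `MemTotal` from /proc/meminfo. The sample values are constructed to mirror the memcaps the suricata.log excerpt later in this thread reports at startup (defrag 4 GiB, stream 4 GiB, reassembly 8 GiB, host 32 MiB, ippair 16 MiB); `flow.memcap` is not shown anywhere in the report, so the 1gb used here is an assumption, as is the /proc/meminfo fragment.

```python
import re

# Constructed sample of `suricata --dump-config` output. The memcap values mirror
# what the suricata.log excerpt in this thread reports at startup; flow.memcap is
# not shown anywhere in the report, so the 1gb here is an assumption.
SAMPLE_DUMP_CONFIG = """\
default-packet-size = 9015
defrag.memcap = 4gb
flow.memcap = 1gb
stream.memcap = 4gb
stream.reassembly.memcap = 8gb
stream.reassembly.depth = 1mb
host.memcap = 32mb
ippair.memcap = 16mb
"""

# Constructed /proc/meminfo fragment matching the 41238 MiB `free -m` reports.
SAMPLE_MEMINFO = """\
MemTotal:       42228332 kB
MemFree:          299008 kB
SwapTotal:             0 kB
"""

SIZE_RE = re.compile(r"^\s*(\d+)\s*([kmgKMG][bB]?|[bB])?\s*$")
MULT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
DUMP_RE = re.compile(r"^\s*(?P<key>[\w.\-]+)\s*=\s*(?P<val>.+?)\s*$")


def parse_size(value: str) -> int:
    """Turn a Suricata size string ('4gb', '32mb', '4294967296') into bytes (1024-based)."""
    m = SIZE_RE.match(value)
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    unit = (m.group(2) or "").lower().rstrip("b")
    return int(m.group(1)) * MULT[unit]


def memcaps_from_dump(dump_text: str) -> dict:
    """Collect every `<key>.memcap = <size>` line from --dump-config style output."""
    caps = {}
    for line in dump_text.splitlines():
        m = DUMP_RE.match(line)
        if m and m["key"].endswith("memcap"):
            caps[m["key"]] = parse_size(m["val"])
    return caps


def mem_total_bytes(meminfo_text: str) -> int:
    """Physical RAM as the kernel reports it in /proc/meminfo."""
    m = re.search(r"^MemTotal:\s+(\d+) kB", meminfo_text, re.MULTILINE)
    if not m:
        raise ValueError("MemTotal not found")
    return int(m.group(1)) * 1024


def memcap_budget(caps: dict, ram_bytes: int) -> dict:
    """Compare the sum of all configured memcaps against physical RAM."""
    configured = sum(caps.values())
    largest = sorted(caps.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "configured_bytes": configured,
        "ram_bytes": ram_bytes,
        "ratio": configured / ram_bytes,
        "over_budget": configured > ram_bytes,
        "largest": largest[:3],
    }


if __name__ == "__main__":
    caps = memcaps_from_dump(SAMPLE_DUMP_CONFIG)
    budget = memcap_budget(caps, mem_total_bytes(SAMPLE_MEMINFO))
    print(f"memcaps total {budget['configured_bytes'] / 1024 ** 3:.1f} GiB "
          f"of {budget['ram_bytes'] / 1024 ** 3:.1f} GiB RAM "
          f"({budget['ratio']:.0%}), over budget: {budget['over_budget']}")
    for key, size in budget["largest"]:
        print(f"  {key:28s} {size / 1024 ** 2:10.0f} MiB")
```

On a live sensor feed it `suricata --dump-config` and `cat /proc/meminfo` instead of the samples. Two caveats when reading the result: memcaps are upper bounds on specific subsystems (flow, defrag, stream, reassembly, host, ippair), not reservations, so a sum above RAM is a risk rather than a certainty; and not every allocation sits under a memcap (EVE output buffering, for instance, has none). With the values visible in this thread the memcaps total roughly 17 GiB on a 41 GiB box, so a 40 GiB resident set has to come from something outside the capped subsystems, which fits the reporter's later finding that the DNS answer log was the lever.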
Updated by xu hui over 4 years ago
Sorry, my feedback is late! I only wrote DNS query data to the hard disk, which solved the problem of insufficient memory. I did not retain the DNS answer data. Is my data too large?
- eve-log:
    enabled: yes
    filetype: regular
    filemode: 644
    filename: dns_query-%Y-%m-%d-%H:%M.json
    rotate-interval: 30m
    metadata: yes
    pcap-file: false
    community-id: false
    community-id-seed: 0
    types:
      - dns:
          version: 2
          # By default both requests and responses are logged.
          requests: yes
          responses: no
          # Default: all
          types: [a, cname, txt]
- eve-log:
    enabled: no
    filetype: regular
    filemode: 644
    filename: dns_answer-%Y-%m-%d-%H:%M.json
    rotate-interval: 30m
    metadata: yes
    pcap-file: false
    community-id: false
    community-id-seed: 0
    types:
      - dns:
          version: 2
          # By default both requests and responses are logged.
          requests: no
          responses: yes
          # Default: all
          formats: [grouped] #[detailed, grouped]
          # Default: all
          types: [a, cname, txt]
suricata.log:
[11751] 14/3/2020 -- 15:52:27 - (suricata.c:2916) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.
[11782] 14/3/2020 -- 15:52:27 - (flow-manager.c:880) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[11751] 14/3/2020 -- 15:52:27 - (suricata.c:1103) <Info> (SCPrintElapsedTime) -- time elapsed 475686.281s
[11786] 14/3/2020 -- 15:52:28 - (flow-manager.c:1031) <Perf> (FlowRecycler) -- 534640035 flows processed
[11752] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#01-ens5) Kernel: Packets 276737156, dropped 159
[11753] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#02-ens5) Kernel: Packets 924004809, dropped 468
[11754] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#03-ens5) Kernel: Packets 511369716, dropped 302
[11755] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#04-ens5) Kernel: Packets 798083695, dropped 426
[11756] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#05-ens5) Kernel: Packets 217902734, dropped 126
[11757] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#06-ens5) Kernel: Packets 552279667, dropped 308
[11758] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#07-ens5) Kernel: Packets 583103388, dropped 400
[11759] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#08-ens5) Kernel: Packets 713312128, dropped 490
[11760] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#09-ens5) Kernel: Packets 580252469, dropped 438
[11761] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#10-ens5) Kernel: Packets 430488751, dropped 284
[11762] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#11-ens5) Kernel: Packets 608784831, dropped 434
[11763] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#12-ens5) Kernel: Packets 838076690, dropped 672
[11764] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#13-ens5) Kernel: Packets 592008338, dropped 462
[11765] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#14-ens5) Kernel: Packets 793482886, dropped 672
[11766] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#15-ens5) Kernel: Packets 535200796, dropped 490
[11780] 14/3/2020 -- 15:52:28 - (source-af-packet.c:2840) <Perf> (ReceiveAFPThreadExitStats) -- (W#16-ens5) Kernel: Packets 565050769, dropped 576
[11751] 14/3/2020 -- 15:52:28 - (counters.c:853) <Info> (StatsLogSummary) -- Alerts: 0
[11751] 14/3/2020 -- 15:52:28 - (ippair.c:296) <Perf> (IPPairPrintStats) -- ippair memory usage: 414144 bytes, maximum: 16777216
[11751] 14/3/2020 -- 15:52:28 - (host.c:301) <Perf> (HostPrintStats) -- host memory usage: 398144 bytes, maximum: 33554432
[11751] 14/3/2020 -- 15:52:28 - (detect-engine-build.c:1716) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
[11751] 14/3/2020 -- 15:52:28 - (util-device.c:360) <Notice> (LiveDeviceListClean) -- Stats for 'ens5': pkts: 9520138823, drop: 6707 (0.00%), invalid chksum: 0
[11751] 14/3/2020 -- 15:52:28 - (util-mpm-hs.c:1081) <Perf> (MpmHSGlobalCleanup) -- Cleaning up Hyperscan global scratch
[11751] 14/3/2020 -- 15:52:28 - (util-mpm-hs.c:1089) <Perf> (MpmHSGlobalCleanup) -- Clearing Hyperscan database cache
[12924] 14/3/2020 -- 15:52:29 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.2 RELEASE running in SYSTEM mode
[12924] 14/3/2020 -- 15:52:29 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 16
[12924] 14/3/2020 -- 15:52:29 - (util-device.c:329) <Config> (LiveBuildDeviceListCustom) -- Adding interface ens5 from config file
[12924] 14/3/2020 -- 15:52:29 - (util-luajit.c:98) <Config> (LuajitSetupStatesPool) -- luajit states preallocated: 128
[12924] 14/3/2020 -- 15:52:29 - (app-layer-htp.c:3176) <Info> (RegisterHTPParsers) -- Protocol detection and parser disabled for http protocol
[12924] 14/3/2020 -- 15:52:29 - (app-layer-ssl.c:2880) <Config> (RegisterSSLParsers) -- Protocol detection and parser disabled for tls protocol
[12924] 14/3/2020 -- 15:52:29 - (app-layer-dcerpc.c:2088) <Info> (RegisterDCERPCParsers) -- Protocol detection and parser disabled for dcerpc protocol.
[12924] 14/3/2020 -- 15:52:29 - (app-layer-dcerpc-udp.c:887) <Info> (RegisterDCERPCUDPParsers) -- Protocol detection and parser disabled for dcerpc protocol.
[12924] 14/3/2020 -- 15:52:29 - (app-layer-smb.c:292) <Config> (RegisterSMBParsers) -- Protocol detection and parser disabled for smb protocol.
[12924] 14/3/2020 -- 15:52:29 - (app-layer-ftp.c:1383) <Info> (RegisterFTPParsers) -- Parsed disabled for ftp protocol. Protocol detectionstill on.
[12924] 14/3/2020 -- 15:52:29 - (app-layer-smtp.c:1795) <Info> (RegisterSMTPParsers) -- Protocol detection and parser disabled for smtp protocol.
[12924] 14/3/2020 -- 15:52:29 - (app-layer-modbus.c:1543) <Config> (RegisterModbusParsers) -- Protocol detection and parser disabled for modbus protocol.
[12924] 14/3/2020 -- 15:52:29 - (app-layer-enip.c:442) <Config> (RegisterENIPUDPParsers) -- Protocol detection and parser disabled for enip protocol.
[12924] 14/3/2020 -- 15:52:29 - (app-layer-dnp3.c:1626) <Config> (RegisterDNP3Parsers) -- Protocol detection and parser disabled for DNP3.
[12924] 14/3/2020 -- 15:52:29 - (app-layer-parser.c:1570) <Info> (AppLayerParserRegisterProtocolParsers) -- Protocol detection and parser disabled for imap protocol.
[12924] 14/3/2020 -- 15:52:29 - (host.c:261) <Config> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[12924] 14/3/2020 -- 15:52:29 - (host.c:284) <Config> (HostInitConfig) -- preallocated 1000 hosts of size 136
[12924] 14/3/2020 -- 15:52:29 - (host.c:286) <Config> (HostInitConfig) -- host memory usage: 398144 bytes, maximum: 33554432
[12924] 14/3/2020 -- 15:52:29 - (util-coredump-config.c:149) <Config> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[12924] 14/3/2020 -- 15:52:29 - (defrag-hash.c:255) <Config> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[12924] 14/3/2020 -- 15:52:29 - (defrag-hash.c:280) <Config> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 160
[12924] 14/3/2020 -- 15:52:29 - (defrag-hash.c:287) <Config> (DefragInitConfig) -- defrag memory usage: 14155616 bytes, maximum: 4294967296
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:399) <Config> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:418) <Config> (StreamTcpInitConfig) -- stream "memcap": 4294967296
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:424) <Config> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:430) <Config> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:447) <Config> (StreamTcpInitConfig) -- stream "checksum-validation": disabled
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:475) <Config> (StreamTcpInitConfig) -- stream."inline": disabled
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:488) <Config> (StreamTcpInitConfig) -- stream "bypass": disabled
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:510) <Config> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:532) <Config> (StreamTcpInitConfig) -- stream.reassembly "memcap": 8589934592
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:550) <Config> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:626) <Config> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2532
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:628) <Config> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2647
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp.c:640) <Config> (StreamTcpInitConfig) -- stream.reassembly.raw: enabled
[12924] 14/3/2020 -- 15:52:29 - (stream-tcp-reassemble.c:372) <Config> (StreamTcpReassemblyConfig) -- stream.reassembly "segment-prealloc": 2048
[12924] 14/3/2020 -- 15:52:29 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: alert-%Y-%m-%d.json
[12924] 14/3/2020 -- 15:52:29 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'alert'
[12924] 14/3/2020 -- 15:52:29 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: dns_query-%Y-%m-%d-%H:%M.json
[12924] 14/3/2020 -- 15:52:29 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dns'
[12924] 14/3/2020 -- 15:52:29 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: dns_answer-%Y-%m-%d-%H:%M.json
[12924] 14/3/2020 -- 15:52:29 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dns'
[12924] 14/3/2020 -- 15:52:29 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: stats-%Y-%m-%d.json
[12924] 14/3/2020 -- 15:52:29 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'stats'
[12924] 14/3/2020 -- 15:52:29 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[12924] 14/3/2020 -- 15:52:29 - (suricata.c:2468) <Config> (SetupDelayedDetect) -- Delayed detect disabled
[12924] 14/3/2020 -- 15:52:29 - (util-conf.c:162) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[12924] 14/3/2020 -- 15:52:29 - (detect-engine.c:1977) <Config> (DetectEngineCtxInitReal) -- pattern matchers: MPM: hs, SPM: hs
[12924] 14/3/2020 -- 15:52:29 - (detect-engine.c:2376) <Config> (DetectEngineCtxLoadConf) -- grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[12924] 14/3/2020 -- 15:52:29 - (detect-engine.c:2400) <Config> (DetectEngineCtxLoadConf) -- grouping: udp-whitelist (default) 53, 135, 5060
[12924] 14/3/2020 -- 15:52:29 - (detect-engine.c:2428) <Config> (DetectEngineCtxLoadConf) -- prefilter engines: MPM
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_uri
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_uri
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_request_line
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_client_body
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_response_line
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_enc
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_lang
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_referer
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_connection
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.server
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.location
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_method
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_user_agent
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_host
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_host
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_msg
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_code
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dns_query
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.sni
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_issuer
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_subject
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_serial
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_fingerprint
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.certs
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.hash
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.string
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.hash
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.string
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_named_pipe
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_share
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_cname
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_sname
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.uri
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.stat_msg
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.request_line
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.response_line
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:246) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for tcp.hdr
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for udp.hdr
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv4.hdr
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-mpm.c:413) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv6.hdr
[12924] 14/3/2020 -- 15:52:29 - (reputation.c:607) <Config> (SRepInit) -- IP reputation disabled
[12924] 14/3/2020 -- 15:52:29 - (detect-engine-loader.c:347) <Info> (SigLoadSignatures) -- No signatures supplied.
[12924] 14/3/2020 -- 15:52:29 - (util-affinity.c:216) <Config> (AffinitySetupLoadFromConfig) -- Found affinity definition for "management-cpu-set"
[12924] 14/3/2020 -- 15:52:29 - (util-affinity.c:216) <Config> (AffinitySetupLoadFromConfig) -- Found affinity definition for "worker-cpu-set"
[12924] 14/3/2020 -- 15:52:29 - (util-affinity.c:265) <Config> (AffinitySetupLoadFromConfig) -- Using default prio 'high' for set 'worker-cpu-set'
[12924] 14/3/2020 -- 15:52:29 - (runmode-af-packet.c:222) <Config> (ParseAFPConfig) -- Enabling locked memory for mmap on iface ens5
[12924] 14/3/2020 -- 15:52:29 - (runmode-af-packet.c:233) <Config> (ParseAFPConfig) -- Enabling tpacket v3 capture on iface ens5
[12924] 14/3/2020 -- 15:52:29 - (runmode-af-packet.c:312) <Config> (ParseAFPConfig) -- Using flow cluster mode for AF_PACKET (iface ens5)
[12924] 14/3/2020 -- 15:52:29 - (runmode-af-packet.c:316) <Config> (ParseAFPConfig) -- Using defrag kernel functionality for AF_PACKET (iface ens5)
[12924] 14/3/2020 -- 15:52:29 - (runmode-af-packet.c:630) <Perf> (ParseAFPConfig) -- 16 cores, so using 16 threads
[12924] 14/3/2020 -- 15:52:29 - (runmode-af-packet.c:643) <Perf> (ParseAFPConfig) -- Using 16 AF_PACKET threads for interface ens5
[12924] 14/3/2020 -- 15:52:29 - (runmode-af-packet.c:700) <Config> (ParseAFPConfig) -- ens5: enabling zero copy mode by using data release call
[12924] 14/3/2020 -- 15:52:29 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 16 thread(s)
[12925] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#01-ens5" to cpu/core 1, thread id 12925
[12926] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#02-ens5" to cpu/core 2, thread id 12926
[12927] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#03-ens5" to cpu/core 3, thread id 12927
[12928] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#04-ens5" to cpu/core 4, thread id 12928
[12929] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#05-ens5" to cpu/core 5, thread id 12929
[12930] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#06-ens5" to cpu/core 6, thread id 12930
[12931] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#07-ens5" to cpu/core 7, thread id 12931
[12932] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#08-ens5" to cpu/core 8, thread id 12932
[12933] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#09-ens5" to cpu/core 9, thread id 12933
[12934] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#10-ens5" to cpu/core 10, thread id 12934
[12935] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#11-ens5" to cpu/core 11, thread id 12935
[12936] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#12-ens5" to cpu/core 12, thread id 12936
[12937] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#13-ens5" to cpu/core 13, thread id 12937
[12938] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#14-ens5" to cpu/core 14, thread id 12938
[12939] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#15-ens5" to cpu/core 15, thread id 12939
[12942] 14/3/2020 -- 15:52:29 - (tm-threads.c:1095) <Perf> (TmThreadSetupOptions) -- Setting prio -2 for thread "W#16-ens5" to cpu/core 1, thread id 12942
[12924] 14/3/2020 -- 15:52:29 - (flow-manager.c:901) <Config> (FlowManagerThreadSpawn) -- using 1 flow manager threads
[12944] 14/3/2020 -- 15:52:29 - (tm-threads.c:1101) <Perf> (TmThreadSetupOptions) -- Setting prio 0 for thread "FM#01", thread id 12944
[12924] 14/3/2020 -- 15:52:29 - (flow-manager.c:1062) <Config> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
[12947] 14/3/2020 -- 15:52:29 - (tm-threads.c:1101) <Perf> (TmThreadSetupOptions) -- Setting prio 0 for thread "FR#01", thread id 12947
[12948] 14/3/2020 -- 15:52:29 - (tm-threads.c:1101) <Perf> (TmThreadSetupOptions) -- Setting prio 0 for thread "CW", thread id 12948
[12954] 14/3/2020 -- 15:52:29 - (tm-threads.c:1101) <Perf> (TmThreadSetupOptions) -- Setting prio 0 for thread "CS", thread id 12954
[12924] 14/3/2020 -- 15:52:29 - (util-conf.c:162) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[12924] 14/3/2020 -- 15:52:29 - (unix-manager.c:132) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[12956] 14/3/2020 -- 15:52:29 - (tm-threads.c:1101) <Perf> (TmThreadSetupOptions) -- Setting prio 0 for thread "US", thread id 12956
[12924] 14/3/2020 -- 15:52:29 - (tm-threads.c:2170) <Notice> (TmThreadWaitOnThreadInit) -- all 16 packet processing threads, 4 management threads initialized, engine started.
[12925] 14/3/2020 -- 15:52:29 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12926] 14/3/2020 -- 15:52:29 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12927] 14/3/2020 -- 15:52:29 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12928] 14/3/2020 -- 15:52:29 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12929] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12930] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12931] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12932] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12933] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12934] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12935] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12936] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12937] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12938] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12939] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12942] 14/3/2020 -- 15:52:30 - (source-af-packet.c:1802) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)
[12942] 14/3/2020 -- 15:52:30 - (source-af-packet.c:515) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
suricata --dump-config |grep mem
$ suricata --dump-config |grep mem
app-layer.protocols.dns.global-memcap = 512mb
app-layer.protocols.dns.state-memcap = 2048kb
defrag.memcap = 4gb
flow.memcap = 2gb
stream.memcap = 4gb
stream.reassembly.memcap = 8gb
host.memcap = 32mb
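An added check, not code from this report or from the Suricata project: the memcap lines above are independent ceilings, so one quick sanity test when the OOM killer fires is to sum them together with the per-worker AF_PACKET ring memory the log reports and compare the worst case with the instance's RAM. The 42 GiB figure for the c5n.4xlarge is an assumption (verify with `free -b`), the worker count of 16 is taken from the "Using 16 AF_PACKET threads" log line, and leaving `state-memcap` out of the total (it is a per-state ceiling, not a pool) is a modelling choice. Detection engine, flow hash and per-thread packet pools are not covered, so a total below RAM is necessary but not sufficient.

```python
import re

# Constructed sample input: the `suricata --dump-config | grep mem` output posted
# in the bug report. Sizes use Suricata's kb/mb/gb suffixes (binary multiples).
DUMP_CONFIG_MEM = """\
app-layer.protocols.dns.global-memcap = 512mb
app-layer.protocols.dns.state-memcap = 2048kb
defrag.memcap = 4gb
flow.memcap = 2gb
stream.memcap = 4gb
stream.reassembly.memcap = 8gb
host.memcap = 32mb
"""

# Constructed sample input: one of the 16 identical per-thread ring-parameter
# lines from the suricata.log in the report (one line per AF_PACKET worker).
AFP_RING_LOG = (
    "[12925] 14/3/2020 -- 15:52:29 - (source-af-packet.c:1802) <Perf> "
    "(AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=32768 "
    "block_nr=43 frame_size=9104 frame_nr=129 (mem: 1409024)\n"
)

# Assumption: a c5n.4xlarge has 42 GiB of RAM; check the real figure with `free -b`.
ASSUMED_RAM_BYTES = 42 * 1024**3

UNIT = {"kb": 1024, "mb": 1024**2, "gb": 1024**3}


def parse_size(text):
    """Convert a Suricata size string such as '512mb' or '2048kb' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]b)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    number, unit = m.groups()
    return int(number) * (UNIT[unit.lower()] if unit else 1)


def parse_memcaps(dump):
    """Return {config-key: bytes} for every '<key>memcap = <size>' line."""
    caps = {}
    for line in dump.splitlines():
        m = re.match(r"^([\w.\-]*memcap)\s*=\s*(\S+)\s*$", line.strip())
        if m:
            caps[m.group(1)] = parse_size(m.group(2))
    return caps


def global_memcap_total(caps):
    """Sum the pool-wide caps. '*.state-memcap' is a per-state ceiling rather
    than a pool of its own, so it is left out (modelling choice)."""
    return sum(v for k, v in caps.items() if not k.endswith("state-memcap"))


def afp_ring_bytes(log, threads):
    """Per-worker mmap size from the 'AF_PACKET V3 RX Ring params' line,
    multiplied by the worker count reported elsewhere in the log."""
    m = re.search(r"AF_PACKET V3 RX Ring params:.*\(mem: (\d+)\)", log)
    if not m:
        raise ValueError("no AF_PACKET ring parameter line found")
    return int(m.group(1)) * threads


def memory_budget(caps, ring_bytes, ram_bytes):
    """Compare what Suricata may commit (memcaps + capture rings) with RAM.
    Memcaps are independent ceilings, so their sum is the worst case."""
    memcap_bytes = global_memcap_total(caps)
    committed = memcap_bytes + ring_bytes
    return {
        "memcap_bytes": memcap_bytes,
        "ring_bytes": ring_bytes,
        "committed_bytes": committed,
        "ram_bytes": ram_bytes,
        "committed_fraction": committed / ram_bytes,
        "over_budget": committed > ram_bytes,
    }


def report(dump=DUMP_CONFIG_MEM, log=AFP_RING_LOG, threads=16, ram=ASSUMED_RAM_BYTES):
    """Print the per-subsystem caps largest first and return the budget dict."""
    caps = parse_memcaps(dump)
    budget = memory_budget(caps, afp_ring_bytes(log, threads), ram)
    for key, value in sorted(caps.items(), key=lambda kv: -kv[1]):
        print(f"{key:45s} {value / 1024**3:8.3f} GiB")
    print(f"worst-case commit: {budget['committed_bytes'] / 1024**3:.2f} GiB "
          f"of {ram / 1024**3:.0f} GiB ({budget['committed_fraction']:.0%})")
    return budget


if __name__ == "__main__":
    report()
```

Run it against the real `--dump-config` output and the live suricata.log; if `over_budget` is true, or the fraction is close to one, the memcaps themselves can drive the OOM kill, and lowering `stream.reassembly.memcap` and `defrag.memcap` is the usual first adjustment. If the total is comfortably below RAM, as it is for the values posted here, the growth is coming from something the caps do not bound, which is where Peter's `perf top` request below comes in.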
Updated by Peter Manev over 4 years ago
Thank you for the feedback.
What about:
Would the same happen if you change the default packet size from 9015 to 1600?
When it starts occurring again, can you please share a screenshot of "perf top -p pid_of_suricata_here"?
Updated by Andreas Herz almost 3 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of Suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs