Feature #5365

open

Limit rust 'filetracker' memory in configuration

Added by Maayan Fish 7 months ago. Updated 7 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Hey all,
We've experienced some really high memory usage by rust SMB/FileTracker in suricata 6.0.5.
In a PCAP I created in the lab of a 1GB file being transferred in SMB2, suricata increased its RAM from 120MB to 1GB.
After around 10+ minutes, the RAM was released and was back to 120MB.
I guess that if I had transferred a bigger file, then the RAM would increase more.

In general - it would be very nice to have a memory limit to the file tracker feature in the suricata.yaml
Just as other features have.
We run in production environments processing inline network traffic, and controlling how much memory is consumed by each module is crucial for the stability of such systems.

How I produced the situation:
1. Ran suricata with default configuration of 6.0.5
2. Looked at suricata memory - 120MB
3. Used tcpreplay to play the PCAP file - 3 times
4. Suricata memory grew in size, reaching 1GB
5. After a while (>10 minutes), suricata released the memory back to 120MB

I can upload the PCAP I used (1GB) to some online storage server upon request

Thank you very much !
Maayan


Files

build_info.txt (4.07 KB) Maayan Fish, 05/17/2022 07:45 AM
highmem-before.png (116 KB) Memory before tcpreplay - ~100MB Maayan Fish, 05/17/2022 07:45 AM
suricata.yaml (71.5 KB) Maayan Fish, 05/17/2022 07:45 AM
highmem-after-3-times-5-min.png (114 KB) Memory after tcpreplay - 1GB Maayan Fish, 05/17/2022 07:45 AM
#1

Updated by Maayan Fish 7 months ago

Hey all,
Edit: I now saw the new SMB configuration limitations and will check them
Thanks
