Bug #923

open

memcap value in suricata.yaml

Added by Peter Manev about 9 years ago. Updated about 3 years ago.

Status: New
Priority: Normal

Description

This is Suricata version 2.0beta1 RELEASE and latest git

If we bump up the flow memcap limits:

flow:
  memcap: 33554432000000000mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

After starting Suricata we get:

- <Info> - flow memory usage: 6390016 bytes, maximum: 33554432000000000

It will be useful if a check is done to verify actually that such an amount of memory is available on the machine at all.

In the case where we make it much bigger than the code can handle (I guess), we get:

<Error> - [ERRCODE: SC_ERR_SIZE_PARSE(198)] - Error parsing flow.memcap from conf file - 32000000000000000000mb.  Killing engine

We have an ERR - but we cannot say for sure that the parsing failed because the limit was set too big (if that is the cause).
The ERR message is not that descriptive.

The above ERR msg is the same even when we use it in GB:

flow:
  memcap: 32000000000000000000GB
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

Actions #1

Updated by Victor Julien almost 9 years ago

  • Target version set to TBD
Actions #2

Updated by Andreas Herz about 6 years ago

  • Assignee set to OISF Dev
Actions #3

Updated by Andreas Herz about 3 years ago

We would need to calculate all memcaps and preallocs to cover that, or would you suggest just erroring out if some values are set over physical memory? That might be a bit easier to implement.
In the end it's up to the user to make sure he configures a sane amount.

Actions #4

Updated by Peter Manev about 3 years ago

It is up to the user - this could be part of OOBE.
In a lot of cases setups are not running well because of misconfig.
Maybe better docs could be the easy part of the solution.
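
Added example, not part of the thread and not Suricata's code: one way a size parser can report "value too large for 64 bits" separately from "malformed value", and then apply the simpler check discussed above (reject a single memcap larger than physical RAM). The function names, result codes and the kb/mb/gb suffix set are assumptions made for illustration; `sysconf(_SC_PHYS_PAGES)` is the Linux/glibc way to read installed memory.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical result codes, not Suricata's SC_ERR_* values. */
enum memcap_rc { MEMCAP_OK, MEMCAP_SYNTAX, MEMCAP_OVERFLOW, MEMCAP_OVER_PHYS };

/* Parse "<digits>[kb|mb|gb]" (suffix case-insensitive) into bytes,
 * reporting overflow separately from malformed input. */
enum memcap_rc parse_memcap(const char *s, uint64_t *bytes)
{
    char *end;
    unsigned shift = 0;

    if (!isdigit((unsigned char)s[0]))       /* rejects "", "-1", " 5" */
        return MEMCAP_SYNTAX;
    errno = 0;
    unsigned long long n = strtoull(s, &end, 10);
    if (errno == ERANGE)                     /* digits alone exceed 64 bits */
        return MEMCAP_OVERFLOW;
    if (end[0] != '\0') {
        if (tolower((unsigned char)end[1]) != 'b' || end[2] != '\0')
            return MEMCAP_SYNTAX;
        switch (tolower((unsigned char)end[0])) {
        case 'k': shift = 10; break;
        case 'm': shift = 20; break;
        case 'g': shift = 30; break;
        default:  return MEMCAP_SYNTAX;
        }
    }
    if (n > (UINT64_MAX >> shift))           /* n << shift would wrap */
        return MEMCAP_OVERFLOW;
    *bytes = (uint64_t)n << shift;
    return MEMCAP_OK;
}

/* Physical RAM in bytes; 0 if the platform does not report it. */
uint64_t phys_mem_bytes(void)
{
    long pages = sysconf(_SC_PHYS_PAGES), psize = sysconf(_SC_PAGESIZE);
    return (pages > 0 && psize > 0) ? (uint64_t)pages * (uint64_t)psize : 0;
}

/* Parse, then refuse a cap larger than the RAM of this machine. */
enum memcap_rc check_memcap(const char *s, uint64_t *bytes)
{
    enum memcap_rc rc = parse_memcap(s, bytes);
    uint64_t phys = phys_mem_bytes();
    return (rc == MEMCAP_OK && phys && *bytes > phys) ? MEMCAP_OVER_PHYS : rc;
}
```

With this split, all three values quoted in the report come back as `MEMCAP_OVERFLOW`, so the error message can name the actual cause instead of a generic parse failure.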
