memcap value in suricata.yaml
This is Suricata version 2.0beta1 RELEASE and latest git
If we bump up the flow memcap limits :
flow: memcap: 33554432000000000mb hash-size: 65536 prealloc: 10000 emergency-recovery: 30
After starting Suricata we get:
- <Info> - flow memory usage: 6390016 bytes, maximum: 33554432000000000
It will be useful if a check is done to verify actually that such an amount of memory is available on the machine at all.
In the case where we make it much bigger than the code can handle (I guess) , we get :
<Error> - [ERRCODE: SC_ERR_SIZE_PARSE(198)] - Error parsing flow.memcap from conf file - 32000000000000000000mb. Killing engine
We have an ERR - but we can not say for sure that the parsing failed because the limit was set too big (if that is the cause).
The ERR message is not that descriptive.
The above ERR msg is the same even when we use it in GB:
flow: memcap: 32000000000000000000GB hash-size: 65536 prealloc: 10000 emergency-recovery: 30
Updated by Andreas Herz about 3 years ago
We would need to calculate all memcaps and preallocs to cover that, or would you suggest to just error out if some values are set over physical memory? which might be a bit easier to implement.
In the end it's up to the user to make sure he configures a sane amount.