Project

General

Profile

Actions

Optimization #923

open

memcap value in suricata.yaml : erroring if config value is bigger than what is available

Added by Peter Manev over 10 years ago. Updated 8 months ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

This is Suricata version 2.0beta1 RELEASE and latest git

If we bump up the flow memcap limits :

flow:
  memcap: 33554432000000000mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

After starting Suricata we get:

- <Info> - flow memory usage: 6390016 bytes, maximum: 33554432000000000

It will be useful if a check is done to verify actually that such an amount of memory is available on the machine at all.

In the case where we make it much bigger than the code can handle (I guess) , we get :

<Error> - [ERRCODE: SC_ERR_SIZE_PARSE(198)] - Error parsing flow.memcap from conf file - 32000000000000000000mb.  Killing engine

We have an ERR - but we can not say for sure that the parsing failed because the limit was set too big (if that is the cause).
The ERR message is not that descriptive.

The above ERR msg is the same even when we use it in GB:

flow:
  memcap: 32000000000000000000GB
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

Actions

Also available in: Atom PDF