Project

General

Profile

Bug #3488

Updated by Victor Julien almost 5 years ago

We were seeing a bad memory leak in Suricata 5.0.0, and upgraded to 5.0.2. The situation is significantly better, but there's still a memory leak as compared with 4.1.3. 

 I'm attaching screenshots of memory usage over 1 week from two systems looking at very similar traffic. For the system running Suricata v5, you can see when we upgraded from 5.0.0 to 5.0.2 on 2/13. However, the memory use is slowly creeping up. 

 suricata --build-info from both systems follow: 


 <pre> 
 This is Suricata version 5.0.2 RELEASE 
 Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC RUST 
 SIMD support: SSE_3 
 Atomic intrinsics: 1 2 4 8 16 byte(s) 
 64-bits, Little-endian architecture 
 GCC version 4.8.5 20150623 (Red Hat 4.8.5-39), C version 199901 
 compiled with _FORTIFY_SOURCE=0 
 L1 cache line size (CLS)=64 
 thread local storage method: __thread 
 compiled with LibHTP v0.5.32, linked against LibHTP v0.5.32 

 Suricata Configuration: 
   AF_PACKET support:                         yes 
   eBPF support:                              no 
   XDP support:                               no 
   PF_RING support:                           no 
   NFQueue support:                           no 
   NFLOG support:                             no 
   IPFW support:                              no 
   Netmap support:                            no 
   DAG enabled:                               no 
   Napatech enabled:                          no 
   WinDivert enabled:                         no 

   Unix socket enabled:                       yes 
   Detection enabled:                         yes 

   Libmagic support:                          yes 
   libnss support:                            yes 
   libnspr support:                           yes 
   libjansson support:                        yes 
   hiredis support:                           yes 
   hiredis async with libevent:               no 
   Prelude support:                           no 
   PCRE jit:                                  yes 
   LUA support:                               yes, through luajit 
   libluajit:                                 yes 
   GeoIP2 support:                            yes 
   Non-bundled htp:                           no 
   Old barnyard2 support:                     no 
   Hyperscan support:                         no 
   Libnet support:                            yes 
   liblz4 support:                            yes 

   Rust support:                              yes 
   Rust strict mode:                          no 
   Rust compiler path:                        /usr/bin/rustc 
   Rust compiler version:                     rustc 1.38.0 
   Cargo path:                                /usr/bin/cargo 
   Cargo version:                             cargo 1.38.0 
   Cargo vendor:                              yes 

   Python support:                            yes 
   Python path:                               /usr/bin/python2.7 
   Python distutils                           yes 
   Python yaml                                yes 
   Install suricatactl:                       yes 
   Install suricatasc:                        yes 
   Install suricata-update:                   yes 

   Profiling enabled:                         no 
   Profiling locks enabled:                   no 

 Development settings: 
   Coccinelle / spatch:                       no 
   Unit tests enabled:                        no 
   Debug output enabled:                      no 
   Debug validation enabled:                  no 

 Generic build parameters: 
   Installation prefix:                       /usr/local 
   Configuration directory:                   /usr/local/etc/suricata/ 
   Log directory:                             /usr/local/var/log/suricata/ 

   --prefix                                   /usr/local 
   --sysconfdir                               /usr/local/etc 
   --localstatedir                            /usr/local/var 
   --datarootdir                              /usr/local/share 

   Host:                                      x86_64-pc-linux-gnu 
   Compiler:                                  gcc (exec name) / gcc (real) 
   GCC Protect enabled:                       no 
   GCC march native enabled:                  yes 
   GCC Profile enabled:                       no 
   Position Independent Executable enabled: no 
   CFLAGS                                     -g -O2 -march=native -I${srcdir}/../rust/gen/c-headers 
   PCAP_CFLAGS 
   SECCFLAGS 
 </pre> 
 

 -------------------------------------- 

 <pre> 
 This is Suricata version 4.1.3 RELEASE 
 Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC RUST 
 SIMD support: SSE_4_2 SSE_4_1 SSE_3 
 Atomic intrisics: 1 2 4 8 16 byte(s) 
 64-bits, Little-endian architecture 
 GCC version 4.8.5 20150623 (Red Hat 4.8.5-36), C version 199901 
 compiled with _FORTIFY_SOURCE=0 
 L1 cache line size (CLS)=64 
 thread local storage method: __thread 
 compiled with LibHTP v0.5.30, linked against LibHTP v0.5.30 

 Suricata Configuration: 
   AF_PACKET support:                         yes 
   eBPF support:                              no 
   XDP support:                               no 
   PF_RING support:                           no 
   NFQueue support:                           no 
   NFLOG support:                             no 
   IPFW support:                              no 
   Netmap support:                            no 
   DAG enabled:                               no 
   Napatech enabled:                          no 
   WinDivert enabled:                         no 

   Unix socket enabled:                       yes 
   Detection enabled:                         yes 

   Libmagic support:                          yes 
   libnss support:                            yes 
   libnspr support:                           yes 
   libjansson support:                        yes 
   liblzma support:                           yes 
   hiredis support:                           yes 
   hiredis async with libevent:               no 
   Prelude support:                           no 
   PCRE jit:                                  yes 
   LUA support:                               yes, through luajit 
   libluajit:                                 yes 
   libgeoip:                                  yes 
   Non-bundled htp:                           no 
   Old barnyard2 support:                     no 
   Hyperscan support:                         no 
   Libnet support:                            yes 
   liblz4 support:                            yes 

   Rust support:                              yes (default) 
   Rust strict mode:                          no 
   Rust debug mode:                           no 
   Rust compiler:                             rustc 1.36.0 
   Rust cargo:                                cargo 1.36.0 

   Install suricatasc:                        yes 
   Install suricata-update:                   yes 

   Profiling enabled:                         no 
   Profiling locks enabled:                   no 

 Development settings: 
   Coccinelle / spatch:                       no 
   Unit tests enabled:                        no 
   Debug output enabled:                      no 
   Debug validation enabled:                  no 

 Generic build parameters: 
   Installation prefix:                       /usr/local/security/suricata/builds/suricata_4.1.3 
   Configuration directory:                   /usr/local/security/suricata/builds/suricata_4.1.3/etc/suricata/ 
   Log directory:                             /usr/local/security/suricata/builds/suricata_4.1.3/var/log/suricata/ 

   --prefix                                   /usr/local/security/suricata/builds/suricata_4.1.3 
   --sysconfdir                               /usr/local/security/suricata/builds/suricata_4.1.3/etc 
   --localstatedir                            /usr/local/security/suricata/builds/suricata_4.1.3/var 
   --datarootdir                              /usr/local/security/suricata/builds/suricata_4.1.3/share 

   Host:                                      x86_64-pc-linux-gnu 
   Compiler:                                  gcc (exec name) / gcc (real) 
   GCC Protect enabled:                       no 
   GCC march native enabled:                  yes 
   GCC Profile enabled:                       no 
   Position Independent Executable enabled: no 
   CFLAGS                                     -g -O2 -march=native -I${srcdir}/../rust/gen/c-headers 
   PCAP_CFLAGS 
   SECCFLAGS 
 </pre>

Back