Project

General

Profile

Actions

Bug #1738

closed

[ERRCODE: SC_ERR_MEM_ALLOC<1>] - Can not allocate fingerprint string - Suricata 2.0.11-1

Added by Marko Stojanovic over 8 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Platform : Tested on Windows Server 2008R2 and 2012, both 64bit versions.
Suricata versions : Tested on Suricata 2.0.11-1

Error occurs while reading a publicly available pcap file :

http://download.netresec.com/pcap/maccdc-2012/maccdc2012_00013.pcap.gz (532MB warning)

Ran from a command line with Administrator privileges with next command parameters :

"suricata -v -c suricata.yaml -r ..\Users\Administrator\Downloads\maccdc2012_00013.pcap"

After the engine has started, and rules loaded, and after a few minutes of scanning, an error from the title starts to appear every few seconds.
As far as I notice, the scan doesn't stop, CPU total caps at 100% (one core) or about 50% (2 cores), with memory consumption of about 350-400MB for that pcap.


Files

suricataOutput.txt (18.7 KB) suricataOutput.txt Marko Stojanovic, 03/10/2016 07:29 AM
tls.log (59.1 KB) tls.log Marko Stojanovic, 03/10/2016 08:23 AM
Actions #1

Updated by Peter Manev over 8 years ago

Marko - can you please confirm the same for 3.0 ? (as we spoke on irc)

Actions #2

Updated by Marko Stojanovic over 8 years ago

Peter Manev wrote:

Marko - can you please confirm the same for 3.0 ? (as we spoke on irc)

As far as I can see, that message does not occur on 3.0.

Actions #3

Updated by Victor Julien over 8 years ago

This message was removed in 3.0. I should be replaced by an internal event at some point.

There are 2 possible causes for this error: 1. malloc failure (process running out of memory) or 2. a nss failure.

If the problem is (2), then it may be that nss doesn't work correctly in Windows? Do you ever get working fingerprints in the logging?

Actions #4

Updated by Marko Stojanovic over 8 years ago

Victor Julien wrote:

This message was removed in 3.0. I should be replaced by an internal event at some point.

There are 2 possible causes for this error: 1. malloc failure (process running out of memory) or 2. a nss failure.

If the problem is (2), then it may be that nss doesn't work correctly in Windows? Do you ever get working fingerprints in the logging?

TLS.log does fill up, but I don't see any fingerprints in there.

Actions #5

Updated by Andreas Herz about 8 years ago

  • Assignee set to Anonymous
  • Target version set to TBD
Actions #6

Updated by Andreas Herz over 5 years ago

  • Assignee set to Community Ticket
Actions #7

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Feedback

Is this still an issue?

Actions #8

Updated by Peter Manev over 5 years ago

  • Status changed from Feedback to Closed

Not anymore on 4.1.4 and 5.0 Beta. I could not reproduce it.

Actions

Also available in: Atom PDF