Bug #1738
closed
[ERRCODE: SC_ERR_MEM_ALLOC<1>] - Can not allocate fingerprint string - Suricata 2.0.11-1
Added by Marko Stojanovic over 8 years ago.
Updated over 5 years ago.
Description
Platform : Tested on Windows Server 2008R2 and 2012, both 64bit versions.
Suricata versions : Tested on Suricata 2.0.11-1
Error occurs while reading a publicly available pcap file :
http://download.netresec.com/pcap/maccdc-2012/maccdc2012_00013.pcap.gz (532MB warning)
Ran from a command line with Administrator privileges with next command parameters :
"suricata -v -c suricata.yaml -r ..\Users\Administrator\Downloads\maccdc2012_00013.pcap"
After the engine has started, and rules loaded, and after a few minutes of scanning, an error from the title starts to appear every few seconds.
As far as I notice, the scan doesn't stop, CPU total caps at 100% (one core) or about 50% (2 cores), with memory consumption of about 350-400MB for that pcap.
Files
Marko - can you please confirm the same for 3.0 ? (as we spoke on irc)
Peter Manev wrote:
Marko - can you please confirm the same for 3.0 ? (as we spoke on irc)
As far as I can see, that message does not occur on 3.0.
This message was removed in 3.0. I should be replaced by an internal event at some point.
There are 2 possible causes for this error: 1. malloc failure (process running out of memory) or 2. a nss failure.
If the problem is (2), then it may be that nss doesn't work correctly in Windows? Do you ever get working fingerprints in the logging?
Victor Julien wrote:
This message was removed in 3.0. I should be replaced by an internal event at some point.
There are 2 possible causes for this error: 1. malloc failure (process running out of memory) or 2. a nss failure.
If the problem is (2), then it may be that nss doesn't work correctly in Windows? Do you ever get working fingerprints in the logging?
TLS.log does fill up, but I don't see any fingerprints in there.
- Assignee set to Anonymous
- Target version set to TBD
- Assignee set to Community Ticket
- Status changed from New to Feedback
- Status changed from Feedback to Closed
Not anymore on 4.1.4 and 5.0 Beta. I could not reproduce it.
Also available in: Atom
PDF