Feature #5365
open
Limit rust 'filetracker' memory in configuration
Description
Hey all,
We've experienced some really high memory usage by rust SMB/FileTracker in suricata 6.0.5.
In a PCAP I created in the lab of a 1GB file being transferred in SMB2, suricata increased its RAM from 120MB to 1GB.
After around 10+ minutes, the RAM was released and was back to 120MB.
I guess that if I had transferred a bigger file, then the RAM would increase more.
In general - it would be very nice to have a memory limit to the file tracker feature in the suricata.yaml
Just as other features have.
We run in production environments processing inline network traffic, and controlling how much memory is consumed by each module is crucial for the stability of such systems.
How I produced the situation:
1. Ran suricata with default configuration of 6.0.5
2. Looked at suricata memory - 120MB
3. Used tcpreplay to play the PCAP file - 3 times
4. Suricata memory grew in size, reaching 1GB
5. After a while (>10 minutes), suricata released the memory back to 120MB
I can upload the PCAP I used (1GB) to some online storage server upon request.
Thank you very much!
Maayan