Bug #922

closed

trackers value in suricata.yaml

Added by Peter Manev about 11 years ago. Updated about 11 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This is Suricata version 2.0beta1 RELEASE and latest git

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535000000000 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

If we set the number of trackers bigger than what Suricata can handle, we receive an ERR message but Suricata's loading/start does not stop.

 01:30:42 - <Info> - Found an MTU of 1500 for 'eth0'
 01:30:42 - <Error> - [ERRCODE: SC_ERR_NUMERIC_VALUE_ERANGE(61)] - Numeric value out of range (65535000000000 > 4294967295)
 01:30:42 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
 01:30:42 - <Info> - preallocated 1000 defrag trackers of size 144

.....

Since impact is not clear from the ERR code/msg, it is probably better if Suri stops the initialization phase.
Unless it defaults to the max possible value, but then it would be better if that is described in the ERR message.
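
One way to get the fail-closed behaviour requested in this report, as an added example that is not Suricata's code and not part of the original report: a strict parser for a setting that must fit in 32 bits, with a loader that refuses to start on a bad value. The function names `parse_u32_strict` and `load_defrag_trackers` are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not a Suricata function): parse a decimal config
 * value that must fit in uint32_t. Returns 0 on success, -1 on malformed
 * or out-of-range input; *out is only written on success. */
int parse_u32_strict(const char *s, uint32_t *out)
{
    char *end = NULL;

    /* Require a leading digit: strtoull() would otherwise skip whitespace
     * and accept a sign, silently wrapping negative input. */
    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* overflow or trailing junk */
        return -1;
    if (v > UINT32_MAX)                    /* fits in 64 bits but not 32 */
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Hypothetical loader: say which setting is wrong and what range is
 * accepted, then report failure so the caller aborts initialization
 * instead of continuing with an unstated default. */
int load_defrag_trackers(const char *value, uint32_t *trackers)
{
    if (parse_u32_strict(value, trackers) != 0) {
        fprintf(stderr, "defrag.trackers: invalid value '%s' "
                "(allowed 0..%" PRIu32 "), refusing to start\n",
                value ? value : "(null)", (uint32_t)UINT32_MAX);
        return -1;
    }
    return 0;
}

int main(void)
{
    uint32_t trackers = 0;
    /* Value taken from the suricata.yaml snippet in the report. */
    if (load_defrag_trackers("65535000000000", &trackers) != 0)
        return EXIT_FAILURE;
    printf("defrag trackers: %" PRIu32 "\n", trackers);
    return EXIT_SUCCESS;
}
```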
