Optimization #923
openmemcap value in suricata.yaml : erroring if config value is bigger than what is available
Description
This is Suricata version 2.0beta1 RELEASE and latest git
If we bump up the flow memcap limits :
flow: memcap: 33554432000000000mb hash-size: 65536 prealloc: 10000 emergency-recovery: 30
After starting Suricata we get:
- <Info> - flow memory usage: 6390016 bytes, maximum: 33554432000000000
It will be useful if a check is done to verify actually that such an amount of memory is available on the machine at all.
In the case where we make it much bigger than the code can handle (I guess) , we get :
<Error> - [ERRCODE: SC_ERR_SIZE_PARSE(198)] - Error parsing flow.memcap from conf file - 32000000000000000000mb. Killing engine
We have an ERR - but we can not say for sure that the parsing failed because the limit was set too big (if that is the cause).
The ERR message is not that descriptive.
The above ERR msg is the same even when we use it in GB:
flow: memcap: 32000000000000000000GB hash-size: 65536 prealloc: 10000 emergency-recovery: 30
Updated by Andreas Herz over 5 years ago
We would need to calculate all memcaps and preallocs to cover that, or would you suggest to just error out if some values are set over physical memory? which might be a bit easier to implement.
In the end it's up to the user to make sure he configures a sane amount.
Updated by Peter Manev about 5 years ago
It is up to the user - this could be part of OOBE.
In a lot of cases set ups are not running well because of miss config
Maybe better docs could be the easy part of the solution.
Updated by Philippe Antoine over 1 year ago
- Tracker changed from Bug to Optimization
- Subject changed from memcap value in suricata.yaml to memcap value in suricata.yaml : erroring if config value is bigger than what is available
- Assignee changed from OISF Dev to Community Ticket