Optimization #923

open

memcap value in suricata.yaml : erroring if config value is bigger than what is available

Added by Peter Manev about 11 years ago. Updated over 1 year ago.

Status: New
Priority: Normal

Description

This is Suricata version 2.0beta1 RELEASE and latest git

If we bump up the flow memcap limits:

flow:
  memcap: 33554432000000000mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

After starting Suricata we get:

- <Info> - flow memory usage: 6390016 bytes, maximum: 33554432000000000

It will be useful if a check is done to verify that such an amount of memory is actually available on the machine at all.

In the case where we make it much bigger than the code can handle (I guess), we get:

<Error> - [ERRCODE: SC_ERR_SIZE_PARSE(198)] - Error parsing flow.memcap from conf file - 32000000000000000000mb.  Killing engine

We have an ERR - but we can not say for sure that the parsing failed because the limit was set too big (if that is the cause).
The ERR message is not that descriptive.

The above ERR msg is the same even when we use it in GB:

flow:
  memcap: 32000000000000000000GB
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

Actions #1

Updated by Victor Julien about 11 years ago

  • Target version set to TBD
Actions #2

Updated by Andreas Herz about 8 years ago

  • Assignee set to OISF Dev
Actions #3

Updated by Andreas Herz over 5 years ago

We would need to calculate all memcaps and preallocs to cover that, or would you suggest to just error out if some values are set over physical memory? That might be a bit easier to implement.
In the end it's up to the user to make sure he configures a sane amount.
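
A sketch of the check discussed in the description and in the comment above, as an added example that is not Suricata code: it parses a memcap string, reports 64-bit overflow separately from a syntax error, and compares the result with physical RAM. The names `parse_memcap`, `check_memcap`, `physical_memory_bytes` and the `MEMCAP_*` codes are hypothetical; only the kb/mb/gb suffixes are handled, and `sysconf(_SC_PHYS_PAGES)` is assumed to be available (Linux/glibc).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
/* Hypothetical names throughout; this is not Suricata's own parser. */
enum memcap_status { MEMCAP_OK, MEMCAP_BAD_SYNTAX, MEMCAP_OVERFLOW, MEMCAP_EXCEEDS_RAM };

/* Parse "<digits>[kb|mb|gb]" into bytes; overflow is reported separately from bad syntax. */
static enum memcap_status parse_memcap(const char *s, uint64_t *bytes)
{
    char *end;
    unsigned shift = 0;
    if (*s < '0' || *s > '9') return MEMCAP_BAD_SYNTAX;    /* strtoull alone accepts "-1" */
    errno = 0;
    unsigned long long n = strtoull(s, &end, 10);
    if (errno == ERANGE) return MEMCAP_OVERFLOW;           /* digits alone exceed 64 bits */
    if (!strcasecmp(end, "kb")) shift = 10;
    else if (!strcasecmp(end, "mb")) shift = 20;
    else if (!strcasecmp(end, "gb")) shift = 30;
    else if (*end != '\0') return MEMCAP_BAD_SYNTAX;
    if (n > (UINT64_MAX >> shift)) return MEMCAP_OVERFLOW; /* scaled value exceeds 64 bits */
    *bytes = (uint64_t)n << shift;
    return MEMCAP_OK;
}

/* Physical RAM in bytes, or 0 if the platform does not report it. */
static uint64_t physical_memory_bytes(void)
{
    long pages = sysconf(_SC_PHYS_PAGES), page_size = sysconf(_SC_PAGESIZE);
    return (pages > 0 && page_size > 0) ? (uint64_t)pages * (uint64_t)page_size : 0;
}

/* Full check: parse, then compare with the RAM figure from the caller (0 = unknown, skip). */
static enum memcap_status check_memcap(const char *s, uint64_t phys, uint64_t *bytes)
{
    enum memcap_status st = parse_memcap(s, bytes);
    return (st == MEMCAP_OK && phys != 0 && *bytes > phys) ? MEMCAP_EXCEEDS_RAM : st;
}

int main(void)
{
    const char *samples[] = { "33554432000000000mb", "32000000000000000000GB", "128mb" };
    const char *msg[] = { "ok", "not a size", "exceeds 64 bits", "exceeds physical memory" };
    uint64_t bytes, phys = physical_memory_bytes();
    for (size_t i = 0; i < 3; i++)
        printf("flow.memcap %s: %s\n", samples[i], msg[check_memcap(samples[i], phys, &bytes)]);
    return 0;
}
```

Both values from the description are classified as 64-bit overflow here, since 33554432000000000 scaled by 2^20 no longer fits in a `uint64_t`.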

Actions #4

Updated by Peter Manev about 5 years ago

It is up to the user - this could be part of OOBE.
In a lot of cases setups are not running well because of misconfig.
Maybe better docs could be the easy part of the solution.

Actions #5

Updated by Philippe Antoine over 1 year ago

  • Tracker changed from Bug to Optimization
  • Subject changed from memcap value in suricata.yaml to memcap value in suricata.yaml : erroring if config value is bigger than what is available
  • Assignee changed from OISF Dev to Community Ticket