I have a setup with about 15 thousand detection rules which all point to the same Lua script. An example of such a rule is
alert tcp any any -> any any (msg:"test rule"; content: "|f9 f0 79 88|"; sid:484260; rev:1; luajit:test.lua;)
However, when I try to run Suricata, I get errors on several of these rules ([ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]), and at the end I also get a bunch of errors regarding the pool being depleted.
30/9/2020 -- 15:22:16 - <Error> - [ERRCODE: SC_ERR_LUA_ERROR(212)] - luastate pool depleted
30/9/2020 -- 15:22:16 - <Error> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - setting up thread local detect ctx for keyword "lua" failed
Note that when I run the rules without the luajit:test.lua keyword, the rules do not raise invalid signature errors.
I’ve already set the variable luajit.states to 15000; if I push it a bit more (~16200), Suricata gets an allocation error immediately and stops.
<Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
I’ve already looked at the two issues, #1577 and #1955, and tried modifying flow.memcap as well as flow.prealloc, to no result.
Running on Suricata 5.0.3 on my personal laptop with about 12GB free when running suricata.
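Added example, not from the original post or the Suricata project: a small Python check that counts the rules in a ruleset carrying a luajit (or lua) option and compares that count against a luajit.states value. The sample ruleset is constructed, and the assumption that each Lua rule consumes one pool state per detect thread is mine, not something the post states.

```python
import re
from typing import List, Tuple

# Matches a rule option of the form "luajit:script.lua;" (or "lua:script.lua;").
LUA_OPT = re.compile(r"\b(?:luajit|lua)\s*:\s*([^;]+);")
SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def lua_rules(rule_text: str) -> List[Tuple[int, str]]:
    """Return (sid, script) for every enabled rule that carries a lua/luajit option."""
    found = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and disabled rules do not take a Lua state
        m = LUA_OPT.search(line)
        if not m:
            continue
        sid = SID_OPT.search(line)
        found.append((int(sid.group(1)) if sid else -1, m.group(1).strip()))
    return found

def states_needed(lua_rule_count: int, detect_threads: int) -> int:
    # Assumption (not from the post): one state per Lua rule per detect thread.
    return lua_rule_count * detect_threads

def check_pool(rule_text: str, configured_states: int, detect_threads: int) -> dict:
    """Compare the configured luajit.states value with the estimated need."""
    rules = lua_rules(rule_text)
    need = states_needed(len(rules), detect_threads)
    return {
        "lua_rules": len(rules),
        "states_needed": need,
        "configured": configured_states,
        "shortfall": max(0, need - configured_states),
    }

# Constructed sample ruleset in the shape of the rule quoted in the post.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"test rule"; content:"|f9 f0 79 88|"; sid:484260; rev:1; luajit:test.lua;)
alert tcp any any -> any any (msg:"second"; content:"|de ad be ef|"; sid:484261; rev:1; luajit:test.lua;)
# alert tcp any any -> any any (msg:"disabled"; sid:484262; rev:1; luajit:test.lua;)
alert tcp any any -> any any (msg:"no lua"; content:"abc"; sid:484263; rev:1;)
"""

if __name__ == "__main__":
    print(check_pool(SAMPLE_RULES, configured_states=128, detect_threads=4))
```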