Luastate pool depleted - what's the limit?

I have a setup with about 15 thousand detection rules which all point to the same Lua script. An example of such a rule is:
alert tcp any any -> any any (msg:"test rule"; content: "|f9 f0 79 88|"; sid:484260; rev:1; luajit:test.lua;)
However, when I try to run Suricata, I get errors on several of these rules ([ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]), and at the end I also get a bunch of errors about the pool being depleted.

30/9/2020 -- 15:22:16 - <Error> - [ERRCODE: SC_ERR_LUA_ERROR(212)] - luastate pool depleted
30/9/2020 -- 15:22:16 - <Error> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - setting up thread local detect ctx for keyword "lua" failed

Note that when I run the rules without the luajit:test.lua keyword, the rules do not raise invalid signature errors.

I’ve already set the variable luajit.states to 15000; if I push it a bit more (~16200), Suricata gets an allocation error immediately and stops.
<Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error

I’ve already looked at the two issues, #1577 and #1955, and tried modifying flow.memcap as well as flow.prealloc, with no result.

Running Suricata 5.0.3 on my personal laptop, with about 12GB free when running Suricata.


I appear to be able to settle this by lowering threading.detect-thread-ratio below 1.
Furthermore, each time I run Suricata, some signatures (not always the same, even though the configurations and rule files are unchanged) raise an SC_ERR_INVALID_SIGNATURE.