I have a setup with about 15 thousand detection rules which all point to the same Lua script. An example of such a rule is:
alert tcp any any -> any any (msg:"test rule"; content: "|f9 f0 79 88|"; sid:484260; rev:1; luajit:test.lua;)
However, when I try to run Suricata, I get errors on several of these rules ([ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]), and at the end I also get a bunch of errors about the pool being depleted:
30/9/2020 -- 15:22:16 - <Error> - [ERRCODE: SC_ERR_LUA_ERROR(212)] - luastate pool depleted
30/9/2020 -- 15:22:16 - <Error> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - setting up thread local detect ctx for keyword "lua" failed
Note that when I run the rules without the luajit:test.lua keyword, the rules do not raise invalid signature errors.
I've already set the variable luajit.states to 15000; if I push it a bit more (~16200), Suricata gets an allocation error immediately and stops:
<Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
Running Suricata 5.0.3 on my personal laptop, with about 12GB free when running Suricata.
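For reference, a minimal script of the kind the rule's luajit:test.lua keyword loads. This is an added illustration, not the poster's actual test.lua; it assumes Suricata 5.x's Lua detection API (an init() that declares which data the script needs and a match() that returns 1 for a hit and 0 otherwise), and the "marker plus at least four trailing bytes" condition inside match() is a hypothetical check chosen only to show how the payload is inspected.

```lua
-- test.lua: minimal Suricata 5.x Lua detection script (added example, not the
-- poster's script). Assumes the documented init()/match() API and that the
-- rule that references it is:
--   alert tcp any any -> any any (msg:"test rule"; content:"|f9 f0 79 88|";
--       sid:484260; rev:1; luajit:test.lua;)

-- Suricata calls init() once per Lua state to learn what data match() needs.
-- Requesting "payload" makes the raw packet/stream payload available as
-- args["payload"]; request only what you use, it is copied into the state.
function init (args)
    local needs = {}
    needs["payload"] = tostring(true)
    return needs
end

-- The four-byte marker from the rule's content match, as a Lua byte string
-- (\249\240\121\136 == f9 f0 79 88). match() only runs after that content
-- match already succeeded, so the script can focus on what content: cannot
-- express, here (hypothetically) that at least four more bytes follow it.
local MARKER = "\249\240\121\136"

-- Suricata calls match() for every packet that reaches this keyword.
-- Return 1 to fire the alert, 0 to stay silent.
function match (args)
    local payload = args["payload"]
    if payload == nil then
        return 0
    end

    -- Plain (non-pattern) search so the bytes are not treated as a Lua pattern.
    local pos = string.find(payload, MARKER, 1, true)
    if pos ~= nil and #payload >= pos + #MARKER + 3 then
        return 1
    end
    return 0
end
```

One caveat worth keeping in mind when sizing luajit.states for a setup like this: the comment above that setting in the stock suricata.yaml says the states are preallocated and that each detect script uses one state per detect thread, and the same comment notes that LuaJIT needs its states to live in the first 2G of the process's memory. So thousands of rules carrying a lua/luajit keyword consume states multiplied by the number of detect threads, regardless of how much RAM the machine has free, and the states pool is bounded by that 2G region rather than by total memory.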