Memory increases as attack traffic keeps being played

I integrated Suricata 6.0.9 into a constrained device (8GB memory, Intel Celeron CPU N2930). Suricata is running in af-packet mode in a container limited to 2 CPU cores and 2GB memory. After 60000+ signatures are loaded, the basic memory reaches 1.5GB. When some attack traffic keeps being played, the memory grows continuously, to a maximum of 2.5GB, then remains stable.

I also tried not loading any signatures; an extra 1GB of memory was still consumed when being attacked.

Why does this happen? Are there any settings in suricata.yaml that can effectively impact the memory size?

Here is the config file we are using:
suricata.yaml (75.3 KB)

Thanks in advance!

The memcap settings within suricata.yaml control and limit memory use by Suricata.

Suricata’s memory needs are divided into:

  • Memory needed for Suricata to run
  • Memory needed for network traffic inspection

The second category is controlled by the memcap settings.

The first category is controlled largely by:

  • Settings used during ./configure
  • Deployment settings (CPU core settings, etc.)

suricata --build-info will list the packet sources and options – make sure only the required values are present.

The memuse-related values in stats.log will show memory use by Suricata in your environment.

1 Like
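
As an added example (not code from the thread or from the Suricata project), the script below reads stats.log text, takes the peak of each memuse counter, and compares it with the memcap that bounds it. The log excerpt and the memcap values are constructed for illustration, and the counter-to-setting mapping is an assumption to check against your own suricata.yaml.

```python
import re

# Constructed stats.log excerpt: one idle snapshot, one under replayed traffic.
SAMPLE_STATS = """\
Date: 3/14/2023 -- 10:00:00 (uptime: 0d, 00h 10m 00s)
Counter                    | TM Name     | Value
tcp.memuse                 | Total       | 1212416
tcp.reassembly_memuse      | Total       | 196608
flow.memuse                | Total       | 7394304
Date: 3/14/2023 -- 10:05:00 (uptime: 0d, 00h 15m 00s)
Counter                    | TM Name     | Value
tcp.memuse                 | Total       | 66000000
tcp.reassembly_memuse      | Total       | 201326592
flow.memuse                | Total       | 40000000
"""

MIB = 1024 * 1024
# memuse counter -> (suricata.yaml memcap setting, cap in bytes).
# Cap values are assumed here; read the real ones from your suricata.yaml.
MEMCAPS = {
    "flow.memuse": ("flow.memcap", 128 * MIB),
    "tcp.memuse": ("stream.memcap", 64 * MIB),
    "tcp.reassembly_memuse": ("stream.reassembly.memcap", 256 * MIB),
}

ROW = re.compile(r"^(\S+memuse)\s*\|\s*Total\s*\|\s*(\d+)\s*$")

def peak_memuse(stats_text):
    """Return the highest value seen for each *memuse counter across snapshots."""
    peaks = {}
    for line in stats_text.splitlines():
        m = ROW.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            peaks[name] = max(peaks.get(name, 0), value)
    return peaks

def memcap_report(peaks, memcaps, warn_ratio=0.9):
    """Map each memcap setting to (peak bytes, cap bytes, near-cap flag)."""
    report = {}
    for counter, (yaml_key, cap) in memcaps.items():
        used = peaks.get(counter, 0)
        report[yaml_key] = (used, cap, used >= warn_ratio * cap)
    return report

if __name__ == "__main__":
    for key, (used, cap, near) in memcap_report(peak_memuse(SAMPLE_STATS), MEMCAPS).items():
        flag = "NEAR CAP" if near else "ok"
        print(f"{key:28} peak {used / MIB:7.1f} MiB of {cap / MIB:6.0f} MiB  {flag}")
```

These counters cover only the traffic-inspection memory; memory used by loaded signatures and by the engine itself does not appear in them.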

Thanks for the feedback! I will check them then.