Suricata memory usage doesn't return to original numbers after rule reload

I was expecting kill -USR2 $(pidof suricata) to make Suricata have a temporary memory usage peak because of the duplicated detection engine, and then return to the original levels afterwards. What I'm experiencing instead is that Suricata goes from a stable ~1.5gb to a stable ~1.9gb after the first rule update, and then every other update keeps it at ~1.9gb. Is this permanent memory increase of ~400mb expected after the first update?

Suricata 7.0.5 self compiled and running inside a container

This is a known issue, see Bug #6963: rule-reload: potential memory leak in multiple rule reloads - Suricata - Open Information Security Foundation
