Suricata memory usage has been increasing

Suricata memory usage has been increasing; it looks like a memory leak.

Env: RHEL 7.8, Linux kernel is 3.10.0-1127, Suricata version is 7.0.0-dev. Used with pfring. IDS mode.

runmode: workers

with pfring.

stream.memcap: 8gb

stream.reassembly.memcap: 32gb

flow.memcap: 6gb

in stats.log:

tcp.memuse - 1.8gb

tcp.reassembly_memuse - 33.4gb

http.memuse - 1.9gb

flow.memuse - 1.9gb

The Suricata process started on 12/23 2021. It has been running for 6 days now.

On 12/24, its memory usage was 21gb. But the memory usage has been increasing and is now 47gb.

The traffic is 3gbps.

I just want to know how much memory can satisfy it.

My CPU has 40 logical cores, and Suricata is configured with about 20 worker threads. The CPU usage is less than 10%.

Hope to get a reply, thank you!

Is this the most recent 7.0.0-dev? For example there was a fix regarding memory that came into 6.0.4 around a month ago.
In addition to that the Kernel is rather old.

Thanks for your reply.
In your experience, how much memory should Suricata use with pfring in IDS mode, with traffic of at most 10gbps, under normal circumstances?
Also, the PC is in an intranet environment with a lot of other processes, so it is difficult to update the kernel.
By the way, which Suricata version is appropriate for this kernel (3.10.0)?

Yes, the suricata version is 7.0.0-dev.

Could you paste the output of suricata -V? That shows the commit hash; @Andreas_Herz mentioned a recent addition to both Suricata 7 (dev) and Suricata 6.0.4. The commit hash can tell us if the fix for that is present in the version that you’re working with.

The output of suricata -V is:
“This is Suricata version 7.0.0-dev ()”.

And now the problem is that when the memory usage reaches a certain amount, the packet processing speed decreases very much; it's 1/40 of the previous one.
As of now (12/30), Suricata's memory usage is 53.3gb. But the CPU usage is down to 3%.

Are you able to try Suricata 6.0.4? That release has the memory fix (which we suspect you’re seeing) in it.

Alternatively, can you build and install Suricata from source?

This version was built and installed from source.
I will try the 6.0.4 version.
Another question: I can't find 7.0.0 in the release list.
The latest versions I can find are 6.0.4 and 5.0.8, so I don't know which actual version 7.0.0-dev is.

Oh … if it’s from source, can you paste the output of git show HEAD?

7.0.0 isn’t officially released yet so you’ll only find the current release 6.0.4 and the last maintenance release – 5.0.8

I downloaded the source code package some time ago, and it's not a git repo. The folder name looks like 6.0.2. I'm a little confused, how can it build target 7.0.0…

I changed to the 6.0.4 RELEASE version, and it has been running for five days; the memory usage has settled at about 22gb.
The problem seems to have been solved.
Thank you very much!

Note that the fix has been in our pre-7.0 branch “master” since mid-September 2021.

I’m glad it’s working for you now – if you need features that’ll be in the next major release, you can use a source code tree (or git repo) that’s no older than October 2021.

Got it. Thank you very much!
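
An added example, not part of the thread or of Suricata's own code: one way to compare the `*memuse` counters from stats.log with the memcaps quoted in the first post and with the process's resident memory, to see how much of the growth the counters account for. The excerpt is constructed sample data in stats.log layout; the counter-to-memcap mapping and the RSS figure passed in (read from e.g. `/proc/<pid>/status`) are assumptions of this example.

```python
import re

GB = 1 << 30  # Suricata size suffixes are binary: 1gb = 1024**3 bytes

# memuse counter -> suricata.yaml memcap assumed to bound it (values from the thread)
MEMCAPS = {
    "tcp.memuse": 8 * GB,              # stream.memcap
    "tcp.reassembly_memuse": 32 * GB,  # stream.reassembly.memcap
    "flow.memuse": 6 * GB,             # flow.memcap
}

# Constructed stats.log excerpt (not real output); values are bytes.
SAMPLE = """\
Date: 12/24/2021 -- 10:00:00 (uptime: 1d, 00h 00m 00s)
------------------------------------------------------------------------------------
tcp.memuse                                    | Total                     | 1073741824
tcp.reassembly_memuse                         | Total                     | 12884901888
flow.memuse                                   | Total                     | 2147483648
Date: 12/29/2021 -- 10:00:00 (uptime: 6d, 00h 00m 00s)
------------------------------------------------------------------------------------
tcp.memuse                                    | Total                     | 2147483648
tcp.reassembly_memuse                         | Total                     | 34359738368
flow.memuse                                   | Total                     | 2147483648
"""

ROW = re.compile(r"^(\S+)\s*\|\s*Total\s*\|\s*(\d+)\s*$")

def parse_stats(text):
    """Return [(date_line, {counter: bytes})] for each snapshot in stats.log text."""
    snaps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            snaps.append((line[5:].strip(), {}))
        elif snaps and (m := ROW.match(line)) and m.group(1).endswith("memuse"):
            snaps[-1][1][m.group(1)] = int(m.group(2))
    return snaps

def assess(snaps, rss_bytes):
    """Compare the last snapshot with the memcaps and with the process RSS."""
    first, last = snaps[0][1], snaps[-1][1]
    at_cap = sorted(c for c, cap in MEMCAPS.items() if last.get(c, 0) >= cap)
    growth = {c: last[c] - first.get(c, 0) for c in last}
    unaccounted = rss_bytes - sum(last.values())  # RSS that no memuse counter explains
    return at_cap, growth, unaccounted

if __name__ == "__main__":
    # 47gb is the process memory figure from the first post.
    print(assess(parse_stats(SAMPLE), 47 * GB))
```

A counter pinned at its memcap together with an unaccounted remainder that keeps growing between snapshots indicates memory held outside the memcap-tracked pools.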