Suricata quickly consumes all available RAM

opoplawski · November 11, 2020, 8:13pm

Running suricata 5.0.3 on pfSense 2.4.5-RELEASE-p1. Just recently we’ve seen one of our suricata instances (sometime LAN sometimes VPN client) quickly consume all RAM and swap until it is killed:
2020-11-11T10:53:14-08:00 firewall kernel: swap_pager_getswapspace(32): failed
2020-11-11T10:53:14-08:00 firewall kernel: swap_pager_getswapspace(32): failed
2020-11-11T10:58:22-08:00 firewall kernel: pid 88575 (suricata), jid 0, uid 0, was killed: out of swap space

Just noticed an update for 5.0.4 so am trying that.

Any ideas of what else to check for? Thanks.

opoplawski · December 2, 2020, 9:10pm

Saw it again with 5.0.4.

Andreas_Herz · December 27, 2020, 9:01pm

Can you try 6.0.1 and see if there is a difference?
But might be something specific to PFSense

Jeff_Lucovsky · December 27, 2020, 9:13pm

Could you share additional information and perhaps your Suricata configuration file (suricata.yaml) – feel free to redact/omit parts that are sensitive or you don’t want to share.

Information about the traffic and deployment could be helpful. Is Suricata seeing both sides of the communication?

Are there any elephant flows? Any other contextual information could be helpful.

Topic		Replies	Views
Suricata start eating memory Help aws	1	567	May 26, 2020
Suricata 6 --> High CPU usage while mem is good Help	20	4284	December 15, 2021
Restore from RSS memory pressure on linux AWS instances Help	3	376	September 9, 2021
Help with packets drop Help	10	53	October 5, 2024
Suricata-IDS eating memory! Help	14	2493	November 2, 2020

Suricata quickly consumes all available RAM

Related topics