Hi all, recently our development team has been monitoring an installation with Suricata 6.0.3 and noticed a difference in behavior between that and Suricata 5.0.4 (previous installation).
We found that with 6.0.3 the TCP reassembly memuse is reaching the TCP reassembly memcap of 12GB; with 5.0.4 it would not hit this cap. Unfortunately, after hitting this cap Suricata is unable to detect and alert on traffic that should alert (testing with traffic that triggers ~2 per second resulted in ~0).
We think that this may be related to the following tickets:
- Bug #4502: TCP reassembly memuse approaching memcap value results in TCP detection being stopped - Suricata - Open Information Security Foundation
- Bug #4650: Stream TCP raw reassembly is leaking - Suricata - Open Information Security Foundation
After trying to understand these issues, we tried a build of 6.0.3 + the backports contained in Next/20211030/v3 by victorjulien · Pull Request #6539 · OISF/suricata · GitHub. Unfortunately, there was no notable improvement for our scenario with this patchset.
Is anyone aware of a potential resolution or mitigation to this, or if it may be resolved in an upcoming release?
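One thing a defender can do while waiting for a fix is to watch the EVE `stats` records for `tcp.reassembly_memuse` climbing toward the configured `stream.reassembly.memcap`, so the detection blackout described in the post is noticed before alerts silently drop to zero. The script below is an added example, not code from the post or from the Suricata project; it assumes the EVE stats schema exposes the counter under `stats.tcp.reassembly_memuse` (as it does in the 6.x stats output I have seen) and that the memcap is given in Suricata's `12gb`-style size notation. The sample EVE lines are constructed.

```python
"""Added example (not from the forum post or the Suricata project): flag EVE
'stats' records whose TCP reassembly memuse is at or above a fraction of the
configured stream.reassembly.memcap.  Field names follow the EVE stats schema
as I know it (stats.tcp.reassembly_memuse); the sample records are constructed."""
import json
import re

# Constructed sample EVE lines, not real capture output.  Memuse values are
# 6 GiB, 11 GiB and 12 GiB against a 12gb memcap.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-11-01T10:00:00.000000+0000","event_type":"stats",'
    '"stats":{"tcp":{"memuse":104857600,"reassembly_memuse":6442450944,"reassembly_gap":12}}}',
    '{"timestamp":"2021-11-01T10:00:08.000000+0000","event_type":"alert",'
    '"alert":{"signature_id":1}}',
    '{"timestamp":"2021-11-01T10:00:16.000000+0000","event_type":"stats",'
    '"stats":{"tcp":{"memuse":104857600,"reassembly_memuse":11811160064,"reassembly_gap":57}}}',
    '{"timestamp":"2021-11-01T10:00:24.000000+0000","event_type":"stats",'
    '"stats":{"tcp":{"memuse":104857600,"reassembly_memuse":12884901888,"reassembly_gap":90}}}',
]

# Multipliers for Suricata-style size suffixes ("12gb", "256 MB", "4096").
_UNITS = {
    "": 1, "b": 1,
    "k": 1024, "kb": 1024,
    "m": 1024 ** 2, "mb": 1024 ** 2,
    "g": 1024 ** 3, "gb": 1024 ** 3,
}


def parse_memcap(value):
    """Convert a memcap string such as '12gb', '256 MB' or '4096' into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b?)\s*", value.lower())
    if not m:
        raise ValueError(f"unrecognised memcap value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def reassembly_pressure(eve_lines, memcap_bytes, warn_ratio=0.9):
    """Return (timestamp, memuse, ratio) for every stats record whose
    reassembly memuse is at or above warn_ratio of the memcap."""
    hits = []
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "stats":
            continue  # alerts, flows etc. carry no memuse counters
        memuse = rec.get("stats", {}).get("tcp", {}).get("reassembly_memuse")
        if memuse is None:
            continue
        ratio = memuse / memcap_bytes
        if ratio >= warn_ratio:
            hits.append((rec["timestamp"], memuse, round(ratio, 3)))
    return hits


if __name__ == "__main__":
    cap = parse_memcap("12gb")  # value from the post's configuration
    for ts, used, ratio in reassembly_pressure(SAMPLE_EVE_LINES, cap):
        print(f"{ts}: reassembly_memuse={used} ({ratio:.1%} of memcap)")
```

Run it against a live `eve.json` by replacing `SAMPLE_EVE_LINES` with the file's lines; a record at 100% of memcap is exactly the state in which the post saw alerts drop to zero, so anything crossing the warning ratio is worth paging on.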