SURICATA DNS flow memcap reached
-
Netgate SG-4860
Version 2.3.3-RELEASE-p1 (amd64)
built on Wed Mar 08 15:12:01 CST 2017
FreeBSD 10.3-RELEASE-p17
Platform pfSense
CPU Type Intel(R) Atom(TM) CPU C2558 @ 2.40GHz
4 CPUs: 1 package(s) x 4 core(s)

Have 100MB of Flow Memcap and still getting memcap reached... I know the default 32MB is low, but damn... Any ideas?
-
I'm seeing a lot of this now as well. Seems to all be originating from one machine running Storjshare. I tried increasing the Flow Memory Cap, but so far that hasn't accomplished anything. It's at 256MB at the moment.
edit I tried restarting Suricata on the LAN interface, and now it refuses to start even after resetting things back the way they were. :o
edit2 Needed to remove commas from the byte sizes in flow and stream memory cap. pfSense should automatically parse this or at least return an error if you attempt to provide invalid input parameters.
edit3 I'm not certain whether it was necessary to completely restart Suricata on the interface for the setting to take effect, so it's possible that my current 512MB setting is way more than necessary, but it's stopped the error messages, so I'm going to leave it alone for now.
edit4 Nope. Up to 1GB and still receiving this error. I don't think increasing the flow memory cap is a solution.
edit5 I noticed that there's a separate Flow/State Memcap setting under LAN App Parsers -> DNS App-Layer Parser Settings. The default is only 512KB. I upped it to 1MB and reset the Flow Memory Cap setting to its default.
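
The two settings discussed in this thread, side by side, as an added illustration that is not part of either post and not a file from the posters' systems. The key names are those of the stock suricata.yaml in Suricata 3.x (an assumption about the release these boxes run); the 16mb global value is that file's stock default, and the other values come from the thread.

```yaml
# Engine-wide flow table budget. This is the "Flow Memory Cap" in the
# pfSense GUI (default 32MB per the thread; the posters raised it to
# 100MB and later up to 1GB).
flow:
  memcap: 32mb          # size suffix form; a plain byte count also works
  # memcap: 33554432    # the same 32MB as a byte count
  # memcap: 33,554,432  # constructed bad value: thousands separators are
  #                     # not a valid size, which is the input that kept
  #                     # Suricata from starting in edit2

# TCP stream tracking has its own, separate budget ("Stream Memory Cap").
stream:
  memcap: 64mb

# The DNS app-layer parser keeps its own accounting, independent of
# flow.memcap. These are the values behind "Flow/State Memcap" under
# "DNS App-Layer Parser Settings" mentioned in edit5.
app-layer:
  protocols:
    dns:
      # Total memory the DNS parser may use across all flows.
      global-memcap: 16mb
      # Memory the DNS parser may use for a single flow's state.
      # Default 512kb per the thread; edit5 raised it to 1mb.
      state-memcap: 1mb
```

Because `flow.memcap` and the DNS `state-memcap` are accounted separately, comparing both values against the host that generates the DNS traffic shows which budget is actually being exhausted.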