Question about Suricata RAM usage



  • I noticed when restarting the Suricata service that 10 GB of RAM is used. Overnight the RAM usage drops to 2 GB. I'm just wondering if this indicates a portion of the service has terminated or failed? Is this normal behaviour?

    Thanks for your insight!



  • @Preacher22:

    I noticed when restarting the Suricata service that 10 GB of RAM is used. Overnight the RAM usage drops to 2 GB. I'm just wondering if this indicates a portion of the service has terminated or failed? Is this normal behaviour?

    Thanks for your insight!

    10 GB!  How many rules are you running and what rate of traffic flow is being monitored?  That's a lot of memory.  Even the 2GB number would be high for a typical home or small business system.

    Bill



  • @bmeeks:

    10 GB!  How many rules are you running and what rate of traffic flow is being monitored?

    Hello!

    Thanks very much for your interest!

    My setup probably falls more into the hobbyist network engineer category than it does in the typical home office category.
    While there isn't a whole lot of traffic going through this system, I do have Suricata running on 6 interfaces with most rules enabled. That should account for the quantity of RAM being used, but I'm interested in why that amount seems to fall off over time.

    Thanks again for your reply!

    : )



  • Suricata does some internal house cleaning as it runs.  I suspect it is recovering some RAM that was initially allocated and then later not needed.  During startup a lot of stuff is happening all at once in terms of loading the rule set and parsing/decoding the text into all the internal structures used for the pattern matching algorithm.

    If you have 6 active interfaces all with a decent number of enabled rules, that would account for the 2 GB number.  Also, based on 6 interfaces with a lot of enabled rules on each, I guess the 10 GB number is not that bad for startup usage.

    So long as Suricata is actually still running on each interface, you are not "losing" any protection because of the RAM usage reduction.  Just verify all the interfaces show Suricata running over on the INTERFACES tab.

    Bill
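The check Bill describes (confirm that every monitored interface still has its own Suricata process, so a falling RSS figure means reclaimed memory rather than a dead instance) can also be scripted from the shell. The script below is an added example, not code from the thread or from the Suricata or pfSense projects. It assumes the pfSense-style layout of one `suricata -i <iface>` process per interface, reads the process table with `ps -axo rss,args` (valid on FreeBSD and Linux), and uses a constructed interface list and a constructed `ps` sample so it runs offline; adjust `IFACES` to your own interfaces.

```shell
#!/bin/sh
# Added example: verify one Suricata process per monitored interface and
# report each process's resident set size. Not from the original thread.
# Assumption: pfSense-style invocation, one "suricata -i <iface> ..." per
# interface. The interface list below is a constructed placeholder.
IFACES="${IFACES:-em0 em1 em2}"

# Constructed sample of "ps -axo rss,args" output (rss in KB), used so the
# example runs offline; replace with live_check for a real system.
SAMPLE_PS='1024000 /usr/local/bin/suricata -i em0 -c /usr/local/etc/suricata/em0/suricata.yaml
 512000 /usr/local/bin/suricata -i em1 -c /usr/local/etc/suricata/em1/suricata.yaml
   3000 /bin/sh /usr/local/sbin/some_other_daemon.sh'

# Read "<rss_kb> <command> <args...>" lines on stdin and print
# "<iface> <rss_kb>" for every suricata process that carries "-i <iface>".
suricata_rss_by_iface() {
    awk '
        $2 ~ /suricata$/ {
            for (i = 3; i <= NF; i++)
                if ($i == "-i" && i < NF) { print $(i + 1), $1; break }
        }'
}

# Compare the "<iface> <rss_kb>" table on stdin against the interface list
# in $1. Prints one status line per interface; returns 1 if any interface
# has no running Suricata process (that is the failure case to alert on),
# otherwise 0. A shrinking RSS alone is not a failure.
check_ifaces() {
    table=$(cat)
    missing=""
    for ifc in $1; do
        rss=$(printf '%s\n' "$table" | awk -v i="$ifc" '$1 == i { print $2 }')
        if [ -z "$rss" ]; then
            missing="$missing $ifc"
        else
            echo "$ifc: running, RSS $((rss / 1024)) MB"
        fi
    done
    if [ -n "$missing" ]; then
        echo "MISSING:$missing"
        return 1
    fi
    return 0
}

# Real-system entry point: same logic over the live process table.
live_check() {
    ps -axo rss,args | suricata_rss_by_iface | check_ifaces "$IFACES"
}

# Offline demonstration on the constructed sample: em2 has no process,
# so this reports MISSING and the fallback message is printed.
printf '%s\n' "$SAMPLE_PS" | suricata_rss_by_iface | check_ifaces "$IFACES" \
    || echo "at least one interface has no Suricata process; check the INTERFACES tab"
```

Run `live_check` from cron or a monitoring hook and alert on a non-zero exit; logging the per-interface RSS line each run also gives you the memory-over-time curve that explains the 10 GB to 2 GB drop without guessing.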



  • @bmeeks:

    Suricata does some internal house cleaning as it runs.  I suspect it is recovering some RAM that was initially allocated and then later not needed.  During startup a lot of stuff is happening all at once in terms of loading the rule set and parsing/decoding the text into all the internal structures used for the pattern matching algorithm.

    If you have 6 active interfaces all with a decent number of enabled rules, that would account for the 2 GB number.  Also, based on 6 interfaces with a lot of enabled rules on each, I guess the 10 GB number is not that bad for startup usage.

    So long as Suricata is actually still running on each interface, you are not "losing" any protection because of the RAM usage reduction.  Just verify all the interfaces show Suricata running over on the INTERFACES tab.

    Bill

    Awesome! Thanks very much for the info. That makes sense. Yes, the service and each individual interface remain running.

    Thanks again!!