Suricata memory usage very high



  • Hi,
    I'm facing a strange issue (misconfiguration?) with Suricata.
    When I play a video hosted on my SMB server, memory usage of the Suricata thread increases continuously. You can check the screenshot below.
    If I pause the video, memory usage stops increasing, and when I press play again memory usage increases again. If I continue to play the video, Suricata uses all the memory and restarts (with network issues). When I close the video player, Suricata frees the memory after a few seconds.
    It feels like Suricata is buffering a copy of the file to inspect it when the "download"/"playing" is complete.

    32749695-3cc5-4281-85da-956219e0375a-image.png

    Technical information:
    pfSense 2.4.5.r.20200318.0600
    Suricata 5.0.2 INLINE mode
    vtnet1 is local LAN on VLAN 10 with my SMB server
    vtnet3 is local LAN on VLAN 30 with my client
    VLAN 30 is configured as EXTERNAL_NET on the Suricata vtnet1 instance.

    Any idea how to fix this?



  • You are likely hitting the SMB parser memory leak bug in Suricata 5.x. You can find out about it on the upstream Suricata Redmine bug reporting site here: https://redmine.openinfosecfoundation.org/projects/suricata. The only way to fix it until the next Suricata release will be to stop using the SMB parser.

    If this is your home network, then there is really very little reason at all to run the SMB parser. In fact, the majority of such parsers could be disabled, saving both resources and potential issues from various bugs that have crept into the Suricata code with the recent upstream decision to switch over to Rust instead of the original C code. In my humble opinion, that was a very bad idea for upstream.

