Netgate Discussion Forum

    Swap out of space PfSense with Suricata

    IDS/IPS
    4 Posts 2 Posters 710 Views
    • Lynow

      Hello,

      I recently configured pfSense with 2 GB of RAM and 1 CPU. It was working fine until I installed the NIDS Suricata, then I got the following error:

      Capture d’écran 2022-09-18 201758.png

      Still, I'm only using 10% of the RAM. I don't understand why the SWAP fills up while the RAM doesn't...
      How can I solve the problem? Is it possible to increase the swap?

      • bmeeks

        How many rules do you have enabled? Suricata can use a lot of memory on a dynamic basis, especially when updating the rules.

        Do you have any other packages installed on the firewall? Suricata may not be the culprit.

        But with only 2 GB of RAM, you will need to be very cautious with how many rules you enable. It will be very easy to overdo it and cause an out-of-memory condition. While it can work with only 2 GB, I recommend folks have 4 GB of available RAM when using one of the IDS/IPS packages (unless you are very stingy with the number of rules you enable).

        • Lynow @bmeeks

          @bmeeks

          Hello and thank you for your response.

          Indeed, I activated all the rules (default, Snort, etc.)... But I think I will deactivate the Snort ones because they create compatibility errors.

          I'm going to go to 4 GB of RAM, but I didn't think it was necessary to increase this memory because I have no log that tells me the RAM is out of memory, unlike the SWAP. I don't understand why it's the SWAP that fills up.

          I will come back to you once the modification has been made.

          • bmeeks

            Suricata can use a lot of RAM, but it usually does not give it back too readily. So, I'm a bit puzzled that you say the Dashboard shows 10% of RAM in use. I would expect that to be quite a bit higher -- and even more so with evidence of swap usage.

            You can increase the size of swap space, but when your box resorts to using any swap space your performance is totally in the toilet at that point.

            Swap is super slow. Using swap means there is not enough active RAM to hold everything that is executing, so areas of RAM associated with currently sleeping processes are written out to disk. Then, when the current process sleeps, its data is written out to disk and the previously written data is read back into RAM for use by the former sleeping process when it becomes active. This is a highly inefficient (and very slow) process for multitasking and your performance tanks. So you almost never want to use swap.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.