Swap out of space PfSense with Suricata
-
Hello,
I recently configured PfSense with 2 GB of RAM and 1 CPU. It was working fine until I installed the NIDS Suricata, when I got the following error:
Still, I'm only using 10% of the RAM. I don't understand why the SWAP fills up while the RAM doesn't...
How can I solve the problem? Is it possible to increase the swap?
-
How many rules do you have enabled? Suricata can use a lot of memory on a dynamic basis, especially when updating the rules.
Do you have any other packages installed on the firewall? Suricata may not be the culprit.
But with only 2 GB of RAM, you will need to be very cautious with how many rules you enable. It will be very easy to overdo it and cause an out-of-memory condition. While it can work with only 2 GB, I recommend folks have 4 GB of available RAM when using one of the IDS/IPS packages (unless you are very stingy with the number of rules you enable).
-
Hello and thank you for your response.
Indeed, I activated all the rules (by default, snort, etc.)... But I think I will deactivate the snort ones because they create compatibility errors.
I'm going to go to 4 GB of RAM, but I didn't think it was necessary to increase this memory because I have no log that tells me the RAM is out of memory, unlike the SWAP. I don't understand why it's the SWAP that fills up.
I will come back to you once the modification has been made.
-
Suricata can use a lot of RAM, but it usually does not give it back too readily. So, I'm a bit puzzled that you say the Dashboard shows 10% of RAM in use. I would expect that to be quite a bit higher -- and even more so with evidence of swap usage.
You can increase the size of swap space, but when your box resorts to using any swap space your performance is totally in the toilet at that point.
Swap is super slow. Using swap means there is not enough active RAM to hold everything that is executing, so areas of RAM associated with currently sleeping processes are written out to disk. Then, when the current process sleeps, its data is written out to disk and the previously written data is read back into RAM for use by the former sleeping process when it becomes active. This is a highly inefficient (and very slow) process for multitasking and your performance tanks. So you almost never want to use swap.
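As an added example (from the editor, not from any poster in this thread, and not pfSense or Suricata code): a small POSIX shell check that parses the output format of FreeBSD's `swapinfo -k` (pfSense is FreeBSD-based) and flags when swap use crosses a threshold, which is the condition the reply above says you almost never want to reach. The `swapinfo` sample text is constructed, and the 20% threshold is an assumption; on a live box you would pipe the real command into `check_swap`.

```shell
#!/bin/sh
# Added example; not from the original posters, pfSense, or Suricata.
# Parses text in the format of FreeBSD `swapinfo -k` and reports swap use.
# SAMPLE_SWAPINFO is a constructed sample, not captured from a real system.

SAMPLE_SWAPINFO='Device          1K-blocks     Used    Avail Capacity
/dev/da0p3        2097152  1572864   524288    75%'

# swap_pct_used: read `swapinfo -k` text on stdin and print the integer percent
# of swap in use, summed over every /dev/ swap device (prints 0 if none).
swap_pct_used() {
    awk '$1 ~ /^\/dev\// { total += $2; used += $3 }
         END { if (total == 0) print 0; else printf "%d\n", (used * 100) / total }'
}

# check_swap THRESHOLD: read `swapinfo -k` text on stdin; return 0 when swap
# use is below THRESHOLD percent (assumed default 20), 1 otherwise.
# Live use on pfSense:  swapinfo -k | check_swap 20
check_swap() {
    threshold="${1:-20}"
    pct=$(swap_pct_used)
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: swap ${pct}% used (threshold ${threshold}%): RAM is oversubscribed;" \
             "trim the enabled Suricata rule sets or add RAM"
        return 1
    fi
    echo "OK: swap ${pct}% used"
    return 0
}

# Demonstration against the constructed sample (75% used, so this warns).
printf '%s\n' "$SAMPLE_SWAPINFO" | check_swap 20 || :
```

Because the thread's point is that any sustained swap use means RAM is already oversubscribed, a low threshold such as 20% is the useful alarm level here; the script is only a reporting aid and changes nothing on the firewall.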