Suricata issues
-
Hi all, hopefully someone can help me with this.
Since the 2.1.5 update for suricata I can't initialize 2 of my IDS interfaces. I'm seeing this in the suricata logs for both interfaces
28/5/2015 – 14:37:44 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
28/5/2015 – 14:37:44 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
28/5/2015 – 14:37:44 - <info>-- RunModeIdsPcapAutoFp initialised
28/5/2015 -- 14:37:44 - <error>-- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect11" closed on initialization.
28/5/2015 – 14:37:44 - <error>-- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting…</error></error></info></error></error>I tried increasing the stream mem cap as suggested in here https://forum.pfsense.org/index.php?topic=93926.0 but the problem persists.
On a third interface, I'm having a separate and even more confounding issue. When I try to initialize the interface, it hangs here:
28/5/2015 – 14:36:58 - <info>-- 21898 signatures processed. 985 are IP-only rules, 7457 are inspecting packet payload, 16431 inspect application layer, 71 are decoder event only
28/5/2015 -- 14:36:58 - <info>-- building signature grouping structure, stage 1: preprocessing rules... complete
28/5/2015 -- 14:37:01 - <info>-- building signature grouping structure, stage 2: building source address list... complete</info></info></info>It doesn't get past that. It hangs and slowly takes all my free memory (16gb of RAM and 32gb of SWAP) until it exhausts all memory and stops.
Anyone have any ideas? I'm stumped.
-
Figured out my first issue.
I underestimated how many threads I had, so I didn't have my stream memory cap increased enough.
This formula works for figuring out how much memory cap you need
Also, how can I calculate the highest value that I can use?
TcpSession structure is 192 bytes, PoolBucket 24. So it should be:
(192 + 24) * prealloc_sessions * number of threads = memory use in bytes
For me, I had 25 threads which worked out to 168.75 MB cap I needed.
The second issue is still plaguing me though. Whenever I try to initialize suricata on that particular interface, it just hangs on what appears to be building signature grouping structure, stage 3 and saps all my RAM/SWAP.
-
Figured out my second issue.
Signature Group Header MPM Context was set to Full for just the 1 interface, which is why it was the only one having the problem. Changed it to Auto and now all is well.