
Comments (3)

jasonish commented on July 17, 2024

I just looked at rulecat with the ET/Open ruleset and it did use about 500MB. Not ideal, but it does load, parse and sort all the rules in memory. But this might not be the only thing using memory. rulecat can be configured to test the output with suricata -T. This causes Suricata to load the rules in memory to check for sanity, which can use even more memory. This is somewhat of a known issue, but not much can be done about it if you want to validate the rules before restarting Suricata.

from py-idstools.

ganduulgag commented on July 17, 2024

Where can I configure it to test the output with suricata -T? Currently, I am using rulecat with ETPro rules, and when I run rulecat, memory usage increases by about 3GB, which is quite a lot of memory for the system. Is there a way I can reduce memory usage? Besides, it takes roughly 3 min to finish the rulecat run. Here is my console output after running rulecat:

2022-09-07 04:05:02,669 - -- Loading ./rulecat.conf.
2022-09-07 04:05:02,682 - -- Forcing Suricata version to 6.0.
2022-09-07 04:05:02,695 - -- Fetching https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz.
100% - 741376/741376
2022-09-07 04:05:02,934 - -- Done.
2022-09-07 04:05:03,126 - -- Fetching https://rules.emergingthreatspro.com/0148694801847852/suricata-6.0.0/etpro.rules.tar.gz.
100% - 8922965/8922965
2022-09-07 04:05:04,836 - -- Done.
2022-09-07 04:05:05,259 - -- Fetching https://sslbl.abuse.ch/blacklist/sslipblacklist.rules.
100% - 14294/14294
2022-09-07 04:05:05,401 - -- Done.
2022-09-07 04:05:05,403 - -- Fetching https://threatfox.abuse.ch/downloads/threatfox_suricata.tar.gz.
100% - 1073155/1073155
2022-09-07 04:05:05,908 - -- Done.
2022-09-07 04:05:06,098 - -- Ignoring file rules/deleted.rules
2022-09-07 04:05:57,472 - -- Loaded 155162 rules.
2022-09-07 04:08:32,612 - -- Disabled 1233 rules.
2022-09-07 04:08:32,612 - -- Enabled 0 rules.
2022-09-07 04:08:32,612 - -- Modified 19831 rules.
2022-09-07 04:08:32,612 - -- Dropped 0 rules.
2022-09-07 04:08:35,223 - -- Enabled 184 rules for flowbit dependencies.
2022-09-07 04:09:10,379 - -- Writing rules to /home/kali/all.rules: total: 155162; enabled: 137950; added: 13435; removed 11563; modified: 1359
2022-09-07 04:09:13,878 - -- Done

jasonish commented on July 17, 2024

There is a command line option, --test-command, to which you provide a command to run the test. Something like --test-command "suricata -T" might work if using all the defaults.

If you are only using this tool for Suricata, you should really look at suricata-update, which is bundled with Suricata these days. It's had some work to reduce memory usage over time, and runs suricata -T by default.
