Large Suricata cache directory.

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Adam Gibbons <adam.gibbons@ipfire.org>
To: Development <development@lists.ipfire.org>
Subject: Large Suricata cache directory.
Date: Fri, 12 Dec 2025 16:49:51 +0000	[thread overview]
Message-ID: <8ac70e7aa3d72cf2de5cda09a52f1cf6@ipfire.org> (raw)

Hi all,

As discussed on the forum
https://community.ipfire.org/t/re-large-backupfile/15346
it appears that Suricata’s new cache optimisation feature is creating a 
large number of files under
`/var/cache/suricata/sgh/`, which in some cases causes backup files to 
grow to 800+ MB.

@Adolf has confirmed that this directory probably should not be included 
in backups, as it is automatically regenerated, and I believe he 
mentioned he is working on a patch to exclude it from the backup.

However, in the meantime, this directory continues to grow over time. 
The upstream Suricata patches to automatically clean or maintain the 
cache have not yet been merged, although they may be soon:

https://github.com/OISF/suricata/pull/13850
https://github.com/OISF/suricata/pull/14400

To me this represents a disk-space exhaustion risk on systems with 
limited storage. Perhaps we should consider disabling Suricata’s new 
cache optimisation feature until automatic cache cleanup/maintenance is 
available upstream and included.

Thanks,
Adam

next             reply	other threads:[~2025-12-12 16:49 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-12 16:49 Adam Gibbons [this message]
2025-12-15 16:54 ` Michael Tremer
2025-12-15 17:09   ` Adolf Belka
2025-12-15 19:29   ` Adam Gibbons
2025-12-16 10:30     ` Michael Tremer
2025-12-16 12:45       ` Adolf Belka
2025-12-18 15:12         ` Michael Tremer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8ac70e7aa3d72cf2de5cda09a52f1cf6@ipfire.org \
    --to=adam.gibbons@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox