Adjust your default timeouts much lower so that streams are taken out of the connection pool more quickly.<br><br>This config is aggressive, but I think you'll find it does the trick. If it doesn't work, I'd like to know:<br>
<br>flow-timeouts:<br><br> default:<br> new: 1 # 30<br> established: 10 #300<br> closed: 0<br> emergency_new: 1 #10<br> emergency_established: 1 #100<br> emergency_closed: 0<br> tcp:<br> new: 1 #60<br>
established: 10 #3600<br> closed: 0 #120<br> emergency_new: 1 #10<br> emergency_established: 5 #1 #300<br> emergency_closed: 20<br> udp:<br> new: 1 #30<br> established: 1 #300<br> emergency_new: 1 #10<br>
emergency_established: 1 #100<br> icmp:<br> new: 1 #30<br> established: 1 #300<br> emergency_new: 1 #10<br> emergency_established: 1 #100<br><br><div class="gmail_extra"><br><br><div class="gmail_quote">
On Fri, Nov 30, 2012 at 4:15 PM, Dave Remien <span dir="ltr"><<a href="mailto:dave.remien@gmail.com" target="_blank">dave.remien@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Fernando,</div><div><br></div>If I'm reading your config file right, you're asking for 8.3 million sessions of 512KB each? I think that works out to 4.3TB of RAM; rather more than the 64GB memcap.<div>
<br></div>
<div>Cheers,</div><div><br></div><div>Dave<div><div class="h5"><br><br><div class="gmail_quote">On Fri, Nov 30, 2012 at 10:24 AM, Fernando Sclavo <span dir="ltr"><<a href="mailto:fsclavo@gmail.com" target="_blank">fsclavo@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Hello all!<br>
I'm installing an IDS on our company, monitoring two core switches with<br>
a sustained traffic of about 2gbps each. The server is a Dell R715, 32<br>
cores, 192Gb RAM with two Intel X520 nics. Suricata version is 1.4b3.<br>
The problem we are facing, is with tcp.segment_memcap_drop increasing<br>
continuosly once time tcp.reassembly_memuse reaches their max size (64gb!!)<br>
The related suricata.yaml stanza is:<br>
<br>
stream:<br>
memcap: 24gb<br>
checksum-validation: no # reject wrong csums<br>
inline: no # auto will use inline mode in IPS mode,<br>
yes or no set it statically<br>
max-sessions: 8388608<br>
prealloc-sessions: 8388608<br>
reassembly:<br>
memcap: 64gb<br>
depth: 512kb # reassemble 1mb into a stream<br>
toserver-chunk-size: 2560<br>
toclient-chunk-size: 2560<br>
<br>
Thanks in advance!<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.11 (GNU/Linux)<br>
Comment: Using GnuPG with undefined - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
iQIcBAEBAgAGBQJQuOviAAoJEDtYYV2Ws9eJD18P/2+QZR+6BXnk/FfXQeCw43Xh<br>
qynGiI3qnrg3SSaGdiWDrm0b8UuVuq/HXaAdIo0hzeDNgRLWjBKnnz4b3UA3HyIH<br>
cKpPUsEFUyc55KPSDzDW2mCGB/V//7f/Ude5DXG7/CZ9+xJu1jhuePfuE9Nl1yIi<br>
o3xmlI1mXXXc82rs0VGKDJ0ZwoN+/zmcnp1sW5mG42CKR2Hr9PcVKzP0IHbNZlHI<br>
Q0ishhXNrKcGCpHn9/J9gg44af6+7a0EdnOZOEgRNtOILfK6C5N4p5cwZfMAkYnL<br>
AcswoaER4ftBV49WpfWjTeOhEQxYaGFM8QURB0f30ODqMDoDUKX6lwjXm6+ZfQqr<br>
Y+mGzX/WFCeFI2A4KqgNamZi1IKKd83j0AxH8nYhWa9kPtws75L5iGYAQOE5yoVw<br>
oTnEncPlSLK+Mb/fhoc0crNeMkCKDV6uCFgpE/JKUtogG25nmcbSAIoE3Esa9iYq<br>
dRww7KhOZttLRXjZeRkm/bl1CmBDXDJ2sZQ8jZtqpGeFlIMi4BYCyQAKsKWyAji4<br>
9LrDvtnew/jvWLCpNOfPrHWjRM+XbpD+k4YWO1imRWU6Or+E4Fgx9oiFNd9ni/DY<br>
l2NrSkq9RIixCVqrpNkWsEwCxN2pftJ4h0sXqTqkkhi8Ofhui60o1uNAOqMGURoN<br>
U30CUPowHUvuwnguE781<br>
=vy1s<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div>".... We are such stuff</div><div>As dreams are made on; and our little life</div><div><div>Is rounded with a sleep."</div>
</div><div>-- Shakespeare, The Tempest - Act 4</div>
<br>
</font></span></div>
<br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br></blockquote></div><br></div>