
Adjust your default timeouts much lower so that streams are taken out of the connection pool more quickly.<br><br>This config is aggressive, but I think you'll find it does the trick.  If it doesn't work, I'd like to know:<br>


<br>flow-timeouts:<br><br>  default:<br>    new: 1 # 30<br>    established: 10 #300<br>    closed: 0<br>    emergency_new: 1 #10<br>    emergency_established: 1 #100<br>    emergency_closed: 0<br>  tcp:<br>    new: 1 #60<br>


    established: 10 #3600<br>    closed: 0 #120<br>    emergency_new: 1 #10<br>    emergency_established: 5 #1 #300<br>    emergency_closed: 20<br>  udp:<br>    new: 1 #30<br>    established: 1 #300<br>    emergency_new: 1 #10<br>


    emergency_established: 1 #100<br>  icmp:<br>    new: 1 #30<br>    established: 1 #300<br>    emergency_new: 1 #10<br>    emergency_established: 1 #100<br><br><div class="gmail_extra"><br><br><div class="gmail_quote">

On Fri, Nov 30, 2012 at 4:15 PM, Dave Remien <span dir="ltr"><<a href="mailto:dave.remien@gmail.com" target="_blank">dave.remien@gmail.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Fernando,</div><div><br></div>If I'm reading your config file right, you're asking for 8.3 million sessions of 512KB each? I think that works out to 4.3TB of RAM; rather more than the 64GB memcap.<div>


<br></div>

<div>Cheers,</div><div><br></div><div>Dave<div><div class="h5"><br><br><div class="gmail_quote">On Fri, Nov 30, 2012 at 10:24 AM, Fernando Sclavo <span dir="ltr"><<a href="mailto:fsclavo@gmail.com" target="_blank">fsclavo@gmail.com</a>></span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>

Hash: SHA1<br>

<br>

Hello all!<br>

I'm installing an IDS on our company, monitoring two core switches with<br>

a sustained traffic of about 2gbps each. The server is a Dell R715, 32<br>

cores, 192Gb RAM with two Intel X520 nics. Suricata version is 1.4b3.<br>

The problem we are facing, is with tcp.segment_memcap_drop increasing<br>

continuosly once time tcp.reassembly_memuse reaches their max size (64gb!!)<br>

The related suricata.yaml stanza is:<br>

<br>

stream:<br>

  memcap: 24gb<br>

  checksum-validation: no      # reject wrong csums<br>

  inline: no                  # auto will use inline mode in IPS mode,<br>

yes or no set it statically<br>

  max-sessions: 8388608<br>

  prealloc-sessions: 8388608<br>

  reassembly:<br>

    memcap: 64gb<br>

    depth: 512kb                  # reassemble 1mb into a stream<br>

    toserver-chunk-size: 2560<br>

    toclient-chunk-size: 2560<br>

<br>

Thanks in advance!<br>

-----BEGIN PGP SIGNATURE-----<br>

Version: GnuPG v1.4.11 (GNU/Linux)<br>

Comment: Using GnuPG with undefined - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>

<br>

iQIcBAEBAgAGBQJQuOviAAoJEDtYYV2Ws9eJD18P/2+QZR+6BXnk/FfXQeCw43Xh<br>

qynGiI3qnrg3SSaGdiWDrm0b8UuVuq/HXaAdIo0hzeDNgRLWjBKnnz4b3UA3HyIH<br>

cKpPUsEFUyc55KPSDzDW2mCGB/V//7f/Ude5DXG7/CZ9+xJu1jhuePfuE9Nl1yIi<br>

o3xmlI1mXXXc82rs0VGKDJ0ZwoN+/zmcnp1sW5mG42CKR2Hr9PcVKzP0IHbNZlHI<br>

Q0ishhXNrKcGCpHn9/J9gg44af6+7a0EdnOZOEgRNtOILfK6C5N4p5cwZfMAkYnL<br>

AcswoaER4ftBV49WpfWjTeOhEQxYaGFM8QURB0f30ODqMDoDUKX6lwjXm6+ZfQqr<br>

Y+mGzX/WFCeFI2A4KqgNamZi1IKKd83j0AxH8nYhWa9kPtws75L5iGYAQOE5yoVw<br>

oTnEncPlSLK+Mb/fhoc0crNeMkCKDV6uCFgpE/JKUtogG25nmcbSAIoE3Esa9iYq<br>

dRww7KhOZttLRXjZeRkm/bl1CmBDXDJ2sZQ8jZtqpGeFlIMi4BYCyQAKsKWyAji4<br>

9LrDvtnew/jvWLCpNOfPrHWjRM+XbpD+k4YWO1imRWU6Or+E4Fgx9oiFNd9ni/DY<br>

l2NrSkq9RIixCVqrpNkWsEwCxN2pftJ4h0sXqTqkkhi8Ofhui60o1uNAOqMGURoN<br>

U30CUPowHUvuwnguE781<br>

=vy1s<br>

-----END PGP SIGNATURE-----<br>

_______________________________________________<br>

Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>

Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>

List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>

</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div>".... We are such stuff</div><div>As dreams are made on; and our little life</div><div><div>Is rounded with a sleep."</div>


</div><div>-- Shakespeare, The Tempest - Act 4</div>

<br>

</font></span></div>

<br>_______________________________________________<br>

Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>

List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br></blockquote></div><br></div>