Hi,<br><br>what (how much) traffic do you average?<br><br><div class="gmail_quote">On Thu, Dec 6, 2012 at 11:17 AM, Christophe Vandeplas <span dir="ltr"><<a href="mailto:christophe@vandeplas.com" target="_blank">christophe@vandeplas.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
<br>
Almost all my IDSses are having<br>
tcp.segment_memcap_drop<br>
tcp.reassembly_gap<br>
<br>
And some of them have<br>
tcp.ssn_memcap_drop<br>
<br>
I have been playing around with the memory settings in suricata, but I<br>
must admit it still looks very unclear to me, any help would really be<br>
appreciated.<br>
<br>
To attack this problem I'm now concentrating my efforts on the IDS<br>
dealing with the least traffic: during the day average of 15 Mbps.<br>
The IDS has 8 virtual-cores (4-core + ht = 8 ), and 8 GB of ram. And<br>
is sniffing using -i on a bond0 interface.<br>
<br>
The stats file is here: <a href="http://pastebin.com/kSVFDHRM" target="_blank">http://pastebin.com/kSVFDHRM</a><br>
<br>
<br>
Outputs that are on: fast, unified2, http, stats, syslog.<br>
I did not change anything in the threading section.<br>
Defrag is also default:<br>
defrag:<br>
max-frags: 65535<br>
prealloc: yes<br>
timeout: 60<br>
<br>
Raised flow:<br>
flow:<br>
memcap: 2gb<br>
hash-size: 65536<br>
prealloc: 10000<br>
emergency-recovery: 30<br>
prune-flows: 5<br>
<br>
Flow-timeouts are default, and I raised stream memcaps:<br>
stream:<br>
memcap: 2gb<br>
checksum-validation: yes # reject wrong csums<br>
inline: no # no inline mode<br>
reassembly:<br>
memcap: 1gb<br>
depth: 8mb # reassemble 1mb into a stream<br>
toserver-chunk-size: 2560<br>
toclient-chunk-size: 2560<br>
<br>
<br>
Any advice to further finetune is welcome !<br>
<br>
Thanks a lot<br>
Christophe<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div><br>