<div dir="ltr">Looks like my local cache was a bit behind on this conversation!</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 5, 2014 at 8:30 AM, Brandon Lattin <span dir="ltr"><<a href="mailto:lattin@umn.edu" target="_blank">lattin@umn.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">As far as I know, there's no reason not to use 'single' if your box can keep up with the traffic.<div><br></div><div>We used 'full' and a smaller ruleset because our older boxes couldn't keep up. I'm testing newer machines over the next month, and am planning on running in 'single' mode.</div><div><br></div><div>Maybe Victor or Cooper can weigh in.</div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Tue, Nov 4, 2014 at 6:08 PM, Michał Purzyński <span dir="ltr"><<a href="mailto:michalpurzynski1@gmail.com" target="_blank">michalpurzynski1@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Suricata 2.0.4, 128GB memory, around 10.5k rules from ET. The startup<br>
process is loooong, then it fails, eating all the memory. Is it<br>
expected? I've tried using ac-bs but gave up after like >20 minutes<br>
waiting for it to start.<br>
<br>
detect-engine:<br>
- profile: custom<br>
- custom-values:<br>
toclient-src-groups: 200<br>
toclient-dst-groups: 200<br>
toclient-sp-groups: 200<br>
toclient-dp-groups: 300<br>
toserver-src-groups: 200<br>
toserver-dst-groups: 400<br>
toserver-sp-groups: 200<br>
toserver-dp-groups: 200<br>
- sgh-mpm-context: full<br>
- inspection-recursion-limit: 3000<br>
<br>
mpm-algo: ac<br>
<br>
Now, if I change the sgh-mpm-context to 'auto' it can start, using<br>
around 40GB of memory. Does it mean that auto = single?<br>
<br>
I'm kind of concerned that rules cannot fit in the memory with<br>
sgh-mpm-context set to full and the settings presented. Should I be?<br>
:)<br>
<br>
What is better - use profile: high and context: full (if it fits) or<br>
profile: custom with settings presented and sgh-mpm-context: auto?<br>
<span><font color="#888888"><br>
--<br>
Michał Purzyński<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a></font></span></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div><div dir="ltr">Brandon Lattin<div>Security Analyst<br><div>University of Minnesota - University Information Security<br>Office: <a href="tel:612-626-6672" value="+16126266672" target="_blank">612-626-6672</a></div></div></div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Brandon Lattin<div>Security Analyst<br><div>University of Minnesota - University Information Security<br>Office: 612-626-6672</div></div></div></div>
</div>