<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>My flow timeouts are set as follows:<div><div>flow-timeouts:</div><div><br></div><div> default:</div><div> new: 3</div><div> established: 30</div><div> closed: 0</div><div> emergency-new: 10</div><div> emergency-established: 10</div><div> emergency-closed: 0</div><div> tcp:</div><div> new: 6</div><div> established: 100</div><div> closed: 0</div><div> emergency-new: 1</div><div> emergency-established: 5</div><div> emergency-closed: 2</div><div> udp:</div><div> new: 3</div><div> established: 30</div><div> emergency-new: 3</div><div> emergency-established: 10</div><div> icmp:</div><div> new: 3</div><div> established: 30</div><div> emergency-new: 1</div><div> emergency-established: 10</div><div><br></div><div>My stream reassembly depth is set to 20mb. I forget why it is so high, but I've made it to minimize packet loss.</div><div><br></div><div>I am monitoring two span ports (about 1gig each) and my 40 logical CPUs/140 gigs of RAM server is using 95% of RAM.</div><div>I thought Suricata was able to handle 10 gig feeds. Just trying to understand what I am doing wrong.</div><div><br></div><div>Thanks.</div><br><div>> Date: Wed, 18 Mar 2015 15:01:48 -0700<br>> From: cnelson@ucsd.edu<br>> To: coolyasha@hotmail.com; oisf-users@lists.openinfosecfoundation.org<br>> Subject: Re: [Oisf-users] HTTP Sessions and resource estimation<br>> <br>> -----BEGIN PGP SIGNED MESSAGE-----<br>> Hash: SHA1<br>> <br>> Probably not, you would really have to just run it and see.<br>> <br>> The issue is that you have lots of variables you control, like stream<br>> depth and flow-timeouts, as well as lots of variables you do not. Like<br>> the actual number and depths of flows. The most I can say is that<br>> shorter stream-depth and timeout settings use less memory.<br>> <br>> - -Coop<br>> <br>> On 3/18/2015 2:14 PM, Yasha Zislin wrote:<br>> ><br>> > Is there a way to estimate how much RAM (resources) I would need if<br>> > throughput and type of traffic is known?<br>> > <br>> > <br>> > I can definitely provide some config snippets of mine. Just let me know<br>> > which ones.<br>> > <br>> > Thank you.<br>> > <br>> > <br>> > _______________________________________________<br>> > Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/<br>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> > Training now available: http://suricata-ids.org/training/<br>> > <br>> <br>> <br>> - -- <br>> Cooper Nelson<br>> Network Security Analyst<br>> UCSD ACT Security Team<br>> cnelson@ucsd.edu x41042<br>> -----BEGIN PGP SIGNATURE-----<br>> Version: GnuPG v2.0.17 (MingW32)<br>> <br>> iQEcBAEBAgAGBQJVCfXMAAoJEKIFRYQsa8FWTJwIAKCxE30EVvyvti/Zm+giWULC<br>> QZ9Y/vH83vhZxaa9TE1b8lTZ3xMyn1JH/Oy/9XysHhEmsGs6+Qz+7bpgX9kdscJi<br>> 6EdZWRnJ9AmDMeynzh0tcpLgCOwmkWfZ5m/MnRX7fxOqToxuob0aZ5epSi8k3RZ6<br>> BvxL+ZatplFr4WeCX1rlnsTczj95FPlQEmEYp2idUl+GWtmL9RIsnwN9fzzgMe7D<br>> a4BL9vnm7tiQ+GqEIHIDXf/zcCScGFZtBq99GnuW4OcTiRO7Kj6DM+6y701vDM8E<br>> A3bjrxsZv1R2nVv+LMS/pp7h0D9e3aZY7fYonI2H4rwHZIe3UiFnBqrEUm2bIPo=<br>> =A5sD<br>> -----END PGP SIGNATURE-----<br></div></div> </div></body>
</html>