<div dir="ltr">So the 'related' bug is still open, and targeted to 'Soon' does this mean we should expect a rewrite or refactoring of how the grouping works in 3.0, or somewhere further down the line?</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 5, 2014 at 7:33 AM, Yasha Zislin <span dir="ltr"><<a href="mailto:coolyasha@hotmail.com" target="_blank">coolyasha@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div><div dir="ltr">I had this issue as well. setting sgh-mpm-context to full and my 132gb of RAM would disappear without suricata fully starting.<div>I assume if setting this to full would increase performance if you have sufficient hardware.</div><div><br></div><div>My ruleset is 20k rules. :)<br><br><div>> Date: Wed, 5 Nov 2014 11:24:01 +0100<br>> From: <a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a><br>> To: <a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a><br>> CC: <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br>> Subject: Re: [Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM<div><div class="h5"><br>> <br>> On Wed, Nov 5, 2014 at 10:28 AM, Victor Julien <<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>> wrote:<br>> > On 11/05/2014 08:11 AM, Peter Manev wrote:<br>> >>> I'm kind of concerned that rules cannot fit in the memory with<br>> >>> > sgh-mpm-context set to full and the settings presented. Should I be?<br>> >>> > :)<br>> >> There is a bug at the moment when using full with over 10k rules - it just ends up eating all the memory.<br>> ><br>> > What bug is this?<br>> ><br>> <br>> Tightly related to -<br>> <a href="https://redmine.openinfosecfoundation.org/issues/1202#change-4344" target="_blank">https://redmine.openinfosecfoundation.org/issues/1202#change-4344</a><br>> <br>> <br>> <br>> -- <br>> Regards,<br>> Peter Manev<br>> _______________________________________________<br>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>> Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br></div></div></div></div>                                           </div></div>
<br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" rel="noreferrer" target="_blank">http://suricata-ids.org/training/</a><br></blockquote></div><br></div>