[Oisf-devel] how to tune suricata.yaml if I only record http access log with suricata
Victor Julien
victor at inliniac.net
Thu Sep 15 07:00:46 UTC 2011
On 09/15/2011 07:20 AM, Delta Yeh wrote:
> Thank you for your info.
> What I try to do is to test the memory/cpu resource suricata require
> w/o signature.
> There is some doc on high performance, but there is no doc with empty signature.

The detection engine shouldn't take much memory & cpu cycles if you're
running w/o signatures.

You should disable all alert/log modules except http-log.

You can probably lower the stream.reassembly.depth value as you're only
caring about the http header.

Ideally you'd be creating your own "runmode" in the code:
pkt acq -> decode -> stream -> http-log

Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
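
The two settings named in the reply above, sketched as a suricata.yaml fragment. This is an added example, not part of the original message or the project's shipped configuration. It assumes the `outputs` and `stream` layout of the stock suricata.yaml; the depth value and file names are illustrative and should be tuned against your own traffic.

```yaml
# Added example: HTTP-logging-only setup (values are illustrative assumptions).
outputs:
  # Alert outputs are not needed when no signatures are loaded.
  - fast:
      enabled: no
  - unified2-alert:
      enabled: no
  # Set "enabled: no" on every other entry your outputs list contains,
  # leaving http-log as the only active module.
  - http-log:
      enabled: yes
      filename: http.log
      append: yes

stream:
  reassembly:
    # Value in bytes. Only the HTTP request/response headers are needed,
    # so reassembly can stop early in each stream. Headers that extend
    # past this depth will not be seen by the HTTP parser, so do not set
    # it below the largest header size you expect to log.
    depth: 8192
```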