[Oisf-devel] how to tune suricata.yaml if I only record http access log with suricata

Delta Yeh delta.yeh at gmail.com
Thu Sep 15 07:20:45 UTC 2011


2011/9/15 Victor Julien <victor at inliniac.net>:
> On 09/15/2011 07:20 AM, Delta Yeh wrote:
>> Thank you for you info.
>> What I try to do is to test the memory/cpu resource suricata require
>> w/o signature.
>> There is some doc on high performance, but there is no doc with empty signature.
>
> The detection engine shouldn't take much memory & cpu cycles if you're
> running w/o signatures.
>
> You should disable all alert/log modules except http-log.
>
> You can probably lower the stream.reassembly.depth value as you're only
> caring about the http header.
>
In the default suricata.yaml,
#   reassembly:
#     memcap: 67108864          # 64mb tcp reassembly memcap
#     depth: 1048576            # 1 MB reassembly depth

Is the memcap allocated on demand?
Is the memory required by depth allocated for each tcp flow?
Any suggestion for the depth value for a website which has bbs?


> Ideally you'd be creating your own "runmode" in the code:
> pkt acq -> decode -> stream -> http-log
>
I'm interested in this!  Any detailed info on how to achieve this?
Thanks in advance.

Intrest
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
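Added illustration, not part of the thread: a suricata.yaml fragment that applies Victor's advice of keeping only http-log enabled and lowering stream.reassembly.depth. The key names (outputs, fast, unified2-alert, http-log, stream.reassembly.memcap, stream.reassembly.depth, rule-files) are the standard Suricata configuration keys; the numeric values and the empty rule-files list are assumptions chosen for the "no signatures, HTTP access log only" scenario, not recommended production settings. On the memory questions: a memcap is an upper bound that Suricata enforces when it allocates, not a block reserved up front, and depth bounds how many bytes of each TCP stream are kept for reassembly per flow, so the per-flow cost grows only as far as a flow actually carries data up to that depth.

```yaml
# Added example config fragment (assumed values, not from the thread).
# Goal: no signatures, only the HTTP access log, minimal memory/cpu.

# Run with no rule files at all (assumption: empty list is acceptable).
default-rule-path: /etc/suricata/rules
rule-files: []

outputs:
  # Alert outputs are off: there are no signatures, so nothing would fire.
  - fast:
      enabled: no
      filename: fast.log
  - unified2-alert:
      enabled: no
      filename: unified2.alert

  # The only output we keep: one line per HTTP request.
  - http-log:
      enabled: yes
      filename: http.log
      append: yes

stream:
  memcap: 33554432            # 32mb cap on stream tracking (assumed value)
  checksum-validation: yes
  reassembly:
    memcap: 67108864          # 64mb cap on reassembly memory, enforced on demand
    depth: 262144             # 256 KB per stream (assumed): enough to reach the
                              # HTTP headers, far less than the 1 MB default
```

Before relying on a lowered depth, confirm on real traffic (a busy BBS with large posts, for instance) that http.log still records every request; if requests go missing on long-lived connections, raise depth until they reappear, since the limit is per stream and counts all bytes, not just headers.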