[Oisf-devel] how to tune suricata.yaml if I only record http access log with suricata
Victor Julien
victor at inliniac.net
Thu Sep 15 14:09:57 UTC 2011
On 09/15/2011 09:20 AM, Delta Yeh wrote:
> 2011/9/15 Victor Julien <victor at inliniac.net>:
>> On 09/15/2011 07:20 AM, Delta Yeh wrote:
>>> Thank you for you info.
>>> What I try to do is to test the memory/cpu resource suricata require
>>> w/o signature.
>>> There is some doc on high performance, but there is no doc with empty signature.
>>
>> The detection engine shouldn't take much memory & cpu cycles if you're
>> running w/o signatures.
>>
>> You should disable all alert/log modules except http-log.
>>
>> You can probably lower the stream.reassembly.depth value as you're only
>> caring about the http header.
>>
> In the default suricata.yaml,
> # reassembly:
> # memcap: 67108864 # 64mb tcp reassembly memcap
> # depth: 1048576 # 1 MB reassembly depth
>
> Is the memcap allocated on demand?
Not fully, but some is. It's hard coded currently. See
StreamTcpReassembleInit in stream-tcp-reassemble.c
> Is the memory required by depth allocated for each tcp flow?
Only if it is really needed, so on demand.
> Any suggestion for the depth value for a website which has bbs?
Though question. I think on average request are quite small, just a few
kb. But you might not want to miss the bigger onces... I think you
should analyze the traffic you are monitoring.
>
>> Ideally you'd be creating your own "runmode" in the code:
>> pkt acq -> decode -> stream -> http-log
>>
> I'm interested in this! Any detail info on how to achive this?
> Thanks in advance.
In code only currently. Check runmodes*.c
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list