[Oisf-devel] how to tune suricata.yaml if I only record http access log with suricata

Victor Julien victor at inliniac.net
Thu Sep 15 14:09:57 UTC 2011


On 09/15/2011 09:20 AM, Delta Yeh wrote:
> 2011/9/15 Victor Julien <victor at inliniac.net>:
>> On 09/15/2011 07:20 AM, Delta Yeh wrote:
>>> Thank you for your info.
>>> What I try to do is to test the memory/cpu resource suricata require
>>> w/o signature.
>>> There is some doc on high performance, but there is no doc with empty signature.
>>
>> The detection engine shouldn't take much memory & cpu cycles if you're
>> running w/o signatures.
>>
>> You should disable all alert/log modules except http-log.
>>
>> You can probably lower the stream.reassembly.depth value as you're only
>> caring about the http header.
>>
> In the default suricata.yaml,
> #   reassembly:
> #     memcap: 67108864          # 64mb tcp reassembly memcap
> #     depth: 1048576            # 1 MB reassembly depth
> 
> Is the memcap allocated on demand?

Not fully, but some is. It's hard coded currently. See
StreamTcpReassembleInit in stream-tcp-reassemble.c

> Is the memory required by depth allocated for each tcp flow?

Only if it is really needed, so on demand.

> Any suggestion for the depth value for a website which has bbs?

Tough question. I think on average requests are quite small, just a few
kb. But you might not want to miss the bigger ones... I think you
should analyze the traffic you are monitoring.

> 
>> Ideally you'd be creating your own "runmode" in the code:
>> pkt acq -> decode -> stream -> http-log
>>
>    I'm interested in this!  Any detail info on how to achieve this?
> Thanks in advance.

In code only currently. Check runmodes*.c

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
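As an added example, not part of the thread above and not configuration shipped by the Suricata project: a suricata.yaml fragment that applies the advice in Victor's reply, keeping only the http-log output and lowering stream.reassembly.depth. The output module names and the stream/reassembly keys follow the layout of the suricata.yaml of that era (1.x); the 256 KB depth and 32 MB stream memcap are assumed starting points, not values from the thread, and should be checked against the suricata.yaml that ships with your version.

```yaml
# Added example: suricata.yaml fragment for an HTTP-log-only deployment with no rules loaded.
# Key names assume the suricata 1.x era config layout; verify against your own suricata.yaml.
outputs:
  - fast:
      enabled: no              # no rules loaded, so alert outputs only cost cycles
  - http-log:
      enabled: yes             # the single output we keep
      filename: http.log
      append: yes
  - unified2-alert:
      enabled: no
  - alert-debug:
      enabled: no

stream:
  memcap: 33554432             # 32 MB for TCP session tracking (assumed; size to your flow count)
  reassembly:
    memcap: 67108864           # 64 MB, the default quoted in the thread
    depth: 262144              # 256 KB instead of the 1 MB default (assumed value):
                               # enough for request/response headers and small bodies;
                               # raise it after measuring your own traffic, as the reply suggests
```

The depth value caps how many bytes per direction Suricata reassembles for one TCP session before it stops reassembling that session, so the trade-off is exactly the one described in the reply: a smaller depth saves memory on every flow, but requests larger than the cap are only partially seen by the HTTP parser.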