[Oisf-devel] tcp.ssn_memcap_drop

Martin Holste mcholste at gmail.com
Mon Sep 19 15:43:25 UTC 2011


I've got memcap at 4GB and max_sessions is 256k by default.  I'm
having better luck now with more drastic emergency flow pruning:

flow:
  #memcap: 33554432
  memcap: 4294967295
  #hash_size: 65536
  hash_size: 268435456
  prealloc: 10000
  emergency_recovery: 40 #30
  prune_flows: 500 #5

flow-timeouts:
  default:
    new: 1 # 30
    established: 10 #300
    closed: 0
    emergency_new: 1 #10
    emergency_established: 1 #100
    emergency_closed: 0
  tcp:
    new: 1 #60
    established: 10 #3600
    closed: 120
    emergency_new: 1 #10
    emergency_established: 1 #300
    emergency_closed: 20
  udp:
    new: 1 #30
    established: 1 #300
    emergency_new: 1 #10
    emergency_established: 1 #100
  icmp:
    new: 1 #30
    established: 1 #300
    emergency_new: 1 #10
    emergency_established: 1 #100

I'm not yet sure how this will affect detection, but prior to this,
most new flows were being discarded.  This policy should favor new
flows at the expense of old flows, which for malware detection should
be desired.

On Mon, Sep 19, 2011 at 10:30 AM, Anoop Saldanha <poonaatsoc at gmail.com> wrote:
> stream:
>  memcap: 33554432              # 32mb
>
> At the same time, you might also want to set max_sessions to something
> bigger.  We default to 256k.  You can try a bigger number and see how that
> works out.
>
> On Mon, Sep 19, 2011 at 8:07 PM, Martin Holste <mcholste at gmail.com> wrote:
>> I'm seeing a ton of tcp.ssn_memcap_drop in my stats.log.  Which memcap
>> do I need to tweak to decrease these drops?  I've already set them all
>> to 4GB.
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>
>
>
> --
> Anoop Saldanha
>
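The thread turns on one counter, tcp.ssn_memcap_drop, but stats.log only prints running totals, so the useful question (are drops still growing after the retune, and what share of new sessions are they?) needs per-interval deltas. The script below is an added example written for this page; it is not code from Suricata or from anyone in the thread. It assumes the 1.x stats.log layout (a "Date:" header followed by "counter | thread | value" rows) and that the counters tcp.sessions and flow_mgr.*_pruned carry the names shown; the sample log is constructed, with two Stream threads so the per-thread rows have to be summed.

```python
"""Per-interval memcap-drop report from a Suricata 1.x stats.log.

Added example for this thread, not Suricata's own code. stats.log counters
are cumulative since start-up, so each dump is a snapshot and the signal
is the difference between consecutive dumps. Counter names other than
tcp.ssn_memcap_drop are assumed to match the 1.x naming.
"""
import re

# Constructed sample: three dumps, 5 minutes apart, two stream threads.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 9/19/2011 -- 15:33:25 (uptime: 0d, 00h 05m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.sessions              | Stream1                   | 60000
tcp.ssn_memcap_drop       | Stream1                   | 0
tcp.sessions              | Stream2                   | 60000
tcp.ssn_memcap_drop       | Stream2                   | 0
flow_mgr.new_pruned       | FlowManagerThread         | 0
flow_mgr.est_pruned       | FlowManagerThread         | 50
-------------------------------------------------------------------
Date: 9/19/2011 -- 15:38:25 (uptime: 0d, 00h 10m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.sessions              | Stream1                   | 75000
tcp.ssn_memcap_drop       | Stream1                   | 10000
tcp.sessions              | Stream2                   | 75000
tcp.ssn_memcap_drop       | Stream2                   | 10000
flow_mgr.new_pruned       | FlowManagerThread         | 0
flow_mgr.est_pruned       | FlowManagerThread         | 4050
-------------------------------------------------------------------
Date: 9/19/2011 -- 15:43:25 (uptime: 0d, 00h 15m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.sessions              | Stream1                   | 80000
tcp.ssn_memcap_drop       | Stream1                   | 45000
tcp.sessions              | Stream2                   | 80000
tcp.ssn_memcap_drop       | Stream2                   | 45000
flow_mgr.new_pruned       | FlowManagerThread         | 0
flow_mgr.est_pruned       | FlowManagerThread         | 9050
"""

DATE_RE = re.compile(r"^Date:\s+(.+?)\s+\(uptime")
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats_log(text):
    """Return [(date, {(counter, thread): value})], one entry per dump.

    The header row ("Counter | TM Name | Value") and the dash rules do not
    match ROW_RE, so only real counter rows are kept.
    """
    snapshots = []
    current = None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            current = {}
            snapshots.append((m.group(1), current))
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            counter, thread, value = m.groups()
            current[(counter, thread)] = int(value)
    return snapshots


def counter_total(snapshot, counter):
    """Sum one counter across every thread that reports it (Stream1..N)."""
    return sum(v for (c, _thread), v in snapshot.items() if c == counter)


def interval_deltas(snapshots, counter):
    """Increment of a cumulative counter between consecutive dumps."""
    out, prev = [], None
    for date, snap in snapshots:
        total = counter_total(snap, counter)
        if prev is not None:
            out.append((date, total - prev))
        prev = total
    return out


def memcap_drop_report(text):
    """Per interval: sessions created, sessions dropped on memcap, and
    the dropped share of all session attempts (created + dropped)."""
    snaps = parse_stats_log(text)
    sessions = interval_deltas(snaps, "tcp.sessions")
    drops = interval_deltas(snaps, "tcp.ssn_memcap_drop")
    pruned = interval_deltas(snaps, "flow_mgr.est_pruned")
    report = []
    for (date, s), (_d, d), (_p, p) in zip(sessions, drops, pruned):
        attempted = s + d
        share = d / attempted if attempted else 0.0
        report.append({"date": date, "sessions": s, "memcap_drops": d,
                       "est_pruned": p, "drop_share": round(share, 3)})
    return report


if __name__ == "__main__":
    for row in memcap_drop_report(SAMPLE_STATS_LOG):
        print(row)
```

Run it against a real stats.log in place of SAMPLE_STATS_LOG: a rising drop_share while est_pruned stays flat is the case the thread describes (stream memcap full of stale sessions, new ones refused), whereas drop_share falling after lowering the established timeouts and raising prune_flows is the retune working.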