[Oisf-devel] tcp.ssn_memcap_drop
Martin Holste
mcholste at gmail.com
Mon Sep 19 15:43:25 UTC 2011
I've got memcap at 4GB and max_sessions is 256k by default. I'm
having better luck now with more drastic emergency flow pruning:
flow:
  #memcap: 33554432
  memcap: 4294967295
  #hash_size: 65536
  hash_size: 268435456
  prealloc: 10000
  emergency_recovery: 40 #30
  prune_flows: 500 #5

flow-timeouts:
  default:
    new: 1 # 30
    established: 10 #300
    closed: 0
    emergency_new: 1 #10
    emergency_established: 1 #100
    emergency_closed: 0
  tcp:
    new: 1 #60
    established: 10 #3600
    closed: 120
    emergency_new: 1 #10
    emergency_established: 1 #300
    emergency_closed: 20
  udp:
    new: 1 #30
    established: 1 #300
    emergency_new: 1 #10
    emergency_established: 1 #100
  icmp:
    new: 1 #30
    established: 1 #300
    emergency_new: 1 #10
    emergency_established: 1 #100
I'm not yet sure how this will affect detection, but prior to this,
most new flows were being discarded. This policy should favor new
flows at the expense of old flows, which for malware detection should
be desired.
On Mon, Sep 19, 2011 at 10:30 AM, Anoop Saldanha <poonaatsoc at gmail.com> wrote:
> stream:
> memcap: 33554432 # 32mb
>
> At the same time, you might also want to set max_sessions to something
> bigger. We default to 256k. You can try a bigger no and see how that
> works out
>
> On Mon, Sep 19, 2011 at 8:07 PM, Martin Holste <mcholste at gmail.com> wrote:
>> I'm seeing a ton of tcp.ssn_memcap_drop in my stats.log. Which memcap
>> do I need to tweak to decrease these drops? I've already set them all
>> to 4GB.
> --
> Anoop Saldanha
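To judge whether a memcap change (the stream memcap Anoop points to, or the flow settings Martin posted) actually reduces the drops, it helps to compare consecutive stats.log dumps rather than eyeball cumulative counters. The following Python is an added example, not code from the thread or from Suricata; it assumes the 1.x stats.log layout ("counter | TM name | value" rows under a "Date:" header), that tcp.sessions counts sessions that were created, and uses constructed sample dumps.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two consecutive stats.log dumps in the Suricata 1.x layout.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 9/19/2011 -- 15:30:00 (uptime: 0d, 00h 10m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.sessions              | Detect                    | 200000
tcp.ssn_memcap_drop       | Detect                    | 1500
tcp.segment_memcap_drop   | Detect                    | 0
-------------------------------------------------------------------
Date: 9/19/2011 -- 15:31:00 (uptime: 0d, 00h 11m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.sessions              | Detect                    | 205000
tcp.ssn_memcap_drop       | Detect                    | 4500
tcp.segment_memcap_drop   | Detect                    | 0
"""

# A counter row: name, thread-module name, integer value (header rows don't match).
COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(.+?)\s*\|\s*(\d+)\s*$")


def parse_stats_log(text: str) -> List[Dict[str, int]]:
    """Split stats.log into one dict per dump, mapping counter -> cumulative value."""
    dumps: List[Dict[str, int]] = []
    for line in text.splitlines():
        if line.startswith("Date:"):      # every dump begins with a Date: header
            dumps.append({})
            continue
        m = COUNTER_RE.match(line)
        if m and dumps:
            dumps[-1][m.group(1)] = int(m.group(3))
    return dumps


def memcap_drop_rates(dumps: List[Dict[str, int]],
                      drop_counter: str = "tcp.ssn_memcap_drop",
                      ok_counter: str = "tcp.sessions") -> List[Tuple[int, int, float]]:
    """Per interval: (new memcap drops, new sessions, fraction of attempts dropped)."""
    rates = []
    for prev, cur in zip(dumps, dumps[1:]):
        drops = cur.get(drop_counter, 0) - prev.get(drop_counter, 0)
        sessions = cur.get(ok_counter, 0) - prev.get(ok_counter, 0)
        attempted = drops + sessions   # sessions wanted = created + refused by memcap
        ratio = round(drops / attempted, 4) if attempted else 0.0
        rates.append((drops, sessions, ratio))
    return rates
```

A rising ratio after a tuning change means the new flow/stream limits are still refusing sessions; a ratio near zero with the drop counter flat is what the emergency-pruning settings above are meant to produce.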