[Oisf-devel] tcp.ssn_memcap_drop

Victor Julien victor at inliniac.net
Mon Sep 19 15:48:46 UTC 2011


On 09/19/2011 05:43 PM, Martin Holste wrote:
> I've got memcap at 4GB and max_sessions is 256k by default.  I'm

You may want to try setting it a bit lower than the 4GB max, like 3.5GB
or so. I think I've seen at least one occasion where it didn't behave
properly with the max setting. Something we need to look into still.

Cheers,
Victor

> having better luck now with more drastic emergency flow pruning:
> 
> flow:
>   #memcap: 33554432
>   memcap: 4294967295
>   #hash_size: 65536
>   hash_size: 268435456
>   prealloc: 10000
>   emergency_recovery: 40 #30
>   prune_flows: 500 #5
> 
> flow-timeouts:
>   default:
>     new: 1 # 30
>     established: 10 #300
>     closed: 0
>     emergency_new: 1 #10
>     emergency_established: 1 #100
>     emergency_closed: 0
>   tcp:
>     new: 1 #60
>     established: 10 #3600
>     closed: 120
>     emergency_new: 1 #10
>     emergency_established: 1 #300
>     emergency_closed: 20
>   udp:
>     new: 1 #30
>     established: 1 #300
>     emergency_new: 1 #10
>     emergency_established: 1 #100
>   icmp:
>     new: 1 #30
>     established: 1 #300
>     emergency_new: 1 #10
>     emergency_established: 1 #100
> 
> I'm not yet sure how this will affect detection, but prior to this,
> most new flows were being discarded.  This policy should favor new
> flows at the expense of old flows, which for malware detection should
> be desired.
> 
> On Mon, Sep 19, 2011 at 10:30 AM, Anoop Saldanha <poonaatsoc at gmail.com> wrote:
>> stream:
>>  memcap: 33554432              # 32mb
>>
>> At the same time, you might also want to set max_sessions to something
>> bigger.  We default to 256k.  You can try a bigger no and see how that
>> works out
>>
>> On Mon, Sep 19, 2011 at 8:07 PM, Martin Holste <mcholste at gmail.com> wrote:
>>> I'm seeing a ton of tcp.ssn_memcap_drop in my stats.log.  Which memcap
>>> do I need to tweak to decrease these drops?  I've already set them all
>>> to 4GB.
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>
>>
>>
>>
>> --
>> Anoop Saldanha
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
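As an added illustration of the tuning discussed in this thread (not code from the list or from the Suricata project): a small checker that pulls the active memcap values out of a suricata.yaml fragment, flags a flow or stream memcap sitting at the 4GB ceiling (the thread's 4294967295 is 2**32 - 1) and suggests the 3.5GB value Victor mentions, and reads the tcp.ssn_memcap_drop counter out of stats.log. The YAML and stats.log samples are constructed; the stats.log layout assumed here is the pipe-separated "Counter | TM Name | Value" form Suricata 1.x wrote.

```python
import re

FOUR_GB = 4 * 1024 ** 3            # 4294967296; the thread's 4294967295 is 2**32 - 1
SUGGESTED = int(3.5 * 1024 ** 3)   # "a bit lower than the 4GB max, like 3.5GB"

# Constructed suricata.yaml fragment, shaped like the one quoted in the thread.
SAMPLE_YAML = """\
flow:
  #memcap: 33554432
  memcap: 4294967295
  hash_size: 268435456
stream:
  memcap: 33554432              # 32mb
  max_sessions: 262144
"""

# Constructed stats.log lines; the "Counter | TM Name | Value" layout is an assumption.
SAMPLE_STATS = """\
tcp.sessions              | Detect                    | 50000
tcp.ssn_memcap_drop       | Detect                    | 1234
"""


def parse_memcaps(text):
    """Return {section: memcap} for top-level sections with an uncommented memcap key."""
    memcaps, section = {}, None
    for line in text.splitlines():
        stripped = line.split('#', 1)[0].rstrip()   # drops comments and #memcap: lines
        if not stripped:
            continue
        if not line.startswith(' ') and stripped.endswith(':'):
            section = stripped[:-1]                   # e.g. "flow:" -> "flow"
            continue
        m = re.match(r'\s+memcap:\s*(\d+)', stripped)
        if m and section:
            memcaps[section] = int(m.group(1))
    return memcaps


def check_memcap(value, limit=FOUR_GB, suggested=SUGGESTED):
    """Flag a memcap at the 4GB ceiling (2**32 - 1 or above) and propose a lower one."""
    if value >= limit - 1:
        return ('at-4GB-max', suggested)
    return ('ok', value)


def memcap_drops(stats_text, counter='tcp.ssn_memcap_drop'):
    """Read one counter value out of stats.log text; None if the counter is absent."""
    for line in stats_text.splitlines():
        parts = [p.strip() for p in line.split('|')]
        if len(parts) == 3 and parts[0] == counter and parts[2].isdigit():
            return int(parts[2])
    return None
```

Run check_memcap over each value from parse_memcaps and compare memcap_drops across successive stats.log snapshots to see whether lowering the memcap actually stops the counter climbing.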