[Oisf-devel] tcp.ssn_memcap_drop

Martin Holste mcholste at gmail.com
Mon Sep 19 16:06:49 UTC 2011


Ok, I'm giving that a shot, but so far that doesn't seem to have
improved things.  Right now, it looks like the system is missing a ton
of heartbeats, so it's definitely not detecting everything even though
all the drop counters are zero.  I'm running just 3k signatures on
about 600 Mb/sec of HTTP on 8 CPU/16 GB system.

On Mon, Sep 19, 2011 at 10:48 AM, Victor Julien <victor at inliniac.net> wrote:
> On 09/19/2011 05:43 PM, Martin Holste wrote:
>> I've got memcap at 4GB and max_sessions is 256k by default.  I'm
>
> You may want to try setting it a bit lower than the 4GB max, like 3.5GB
> or so. I think I've seen at least one occasion where it didn't behave
> properly with the max setting. Something we need to look into still.
>
> Cheers,
> Victor
>
>> having better luck now with more drastic emergency flow pruning:
>>
>> flow:
>>   #memcap: 33554432
>>   memcap: 4294967295
>>   #hash_size: 65536
>>   hash_size: 268435456
>>   prealloc: 10000
>>   emergency_recovery: 40 #30
>>   prune_flows: 500 #5
>>
>> flow-timeouts:
>>   default:
>>     new: 1 # 30
>>     established: 10 #300
>>     closed: 0
>>     emergency_new: 1 #10
>>     emergency_established: 1 #100
>>     emergency_closed: 0
>>   tcp:
>>     new: 1 #60
>>     established: 10 #3600
>>     closed: 120
>>     emergency_new: 1 #10
>>     emergency_established: 1 #300
>>     emergency_closed: 20
>>   udp:
>>     new: 1 #30
>>     established: 1 #300
>>     emergency_new: 1 #10
>>     emergency_established: 1 #100
>>   icmp:
>>     new: 1 #30
>>     established: 1 #300
>>     emergency_new: 1 #10
>>     emergency_established: 1 #100
>>
>> I'm not yet sure how this will affect detection, but prior to this,
>> most new flows were being discarded.  This policy should favor new
>> flows at the expense of old flows, which for malware detection should
>> be desired.
>>
>> On Mon, Sep 19, 2011 at 10:30 AM, Anoop Saldanha <poonaatsoc at gmail.com> wrote:
>>> stream:
>>>  memcap: 33554432              # 32mb
>>>
>>> At the same time, you might also want to set max_sessions to something
>>> bigger.  We default to 256k.  You can try a bigger number and see how that
>>> works out.
>>>
>>> On Mon, Sep 19, 2011 at 8:07 PM, Martin Holste <mcholste at gmail.com> wrote:
>>>> I'm seeing a ton of tcp.ssn_memcap_drop in my stats.log.  Which memcap
>>>> do I need to tweak to decrease these drops?  I've already set them all
>>>> to 4GB.
>>>> _______________________________________________
>>>> Oisf-devel mailing list
>>>> Oisf-devel at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>>
>>>
>>>
>>>
>>> --
>>> Anoop Saldanha
>>>
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
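As an added example, not from the thread: a small Python script that tracks tcp.ssn_memcap_drop between successive stats.log dumps, so a stream memcap being hit shows up as a per-interval delta rather than a cumulative total that never goes back down. The stats.log sample is constructed in the 1.x "Counter | TM Name | Value" layout, and the tcp.sessions counter is assumed to be present alongside the drop counter.

```python
import re

# Constructed sample of two consecutive stats.log dumps ten seconds apart,
# laid out like Suricata 1.x stats.log ("Counter | TM Name | Value" rows).
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 9/19/2011 -- 16:00:00 (uptime: 0d, 00h 10m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.sessions              | Detect                    | 120000
tcp.ssn_memcap_drop       | Detect                    | 0
-------------------------------------------------------------------
Date: 9/19/2011 -- 16:00:10 (uptime: 0d, 00h 10m 10s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.sessions              | Detect                    | 150000
tcp.ssn_memcap_drop       | Detect                    | 2500
"""

# One counter row: name | thread-module name | cumulative value
ROW_RE = re.compile(r"^(?P<counter>[\w.]+)\s*\|[^|]+\|\s*(?P<value>\d+)\s*$")


def parse_dumps(text):
    """Return one {counter: value} dict per dump (a dump starts at 'Date:').
    Rows for the same counter from several threads are summed."""
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append({})
        elif dumps and (m := ROW_RE.match(line)):
            name = m.group("counter")
            dumps[-1][name] = dumps[-1].get(name, 0) + int(m.group("value"))
    return dumps


def memcap_drop_report(text):
    """Per interval between dumps: (new TCP sessions, sessions refused by the
    stream memcap, dropped/new ratio). The counters are cumulative, so only
    the delta shows whether the memcap is being hit right now."""
    dumps, report = parse_dumps(text), []
    for prev, cur in zip(dumps, dumps[1:]):
        new = cur.get("tcp.sessions", 0) - prev.get("tcp.sessions", 0)
        dropped = (cur.get("tcp.ssn_memcap_drop", 0)
                   - prev.get("tcp.ssn_memcap_drop", 0))
        report.append((new, dropped, dropped / new if new > 0 else 0.0))
    return report
```

Run it against a real stats.log (or tail it periodically) and alert on any interval where the dropped count is non-zero; a zero cumulative drop counter only tells you the memcap has never been hit since start, not that detection is currently complete.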
