[Oisf-devel] tcp.ssn_memcap_drop

Martin Holste mcholste at gmail.com
Mon Sep 19 17:13:58 UTC 2011


Now I've reduced the ruleset to a single rule--my heartbeat sig, and
it's still missing almost all the time.  It appears that there's a
major bottleneck in the flow distributer somewhere if the system can't
grep for a single stream on just 600 Mb/sec.  Anyone else running
heartbeat sigs and seeing the same thing?

On Mon, Sep 19, 2011 at 11:06 AM, Martin Holste <mcholste at gmail.com> wrote:
> Ok, I'm giving that a shot, but so far that doesn't seem to have
> improved things.  Right now, it looks like the system is missing a ton
> of heartbeats, so it's definitely not detecting everything even though
> all the drop counters are zero.  I'm running just 3k signatures on
> about 600 Mb/sec of HTTP on 8 CPU/16 GB system.
>
> On Mon, Sep 19, 2011 at 10:48 AM, Victor Julien <victor at inliniac.net> wrote:
>> On 09/19/2011 05:43 PM, Martin Holste wrote:
>>> I've got memcap at 4GB and max_sessions is 256k by default.  I'm
>>
>> You may want to try setting it a bit lower than the 4GB max, like 3.5GB
>> or so. I think I've seen at least one occasion where it didn't behave
>> properly with the max setting. Something we need to look into still.
>>
>> Cheers,
>> Victor
>>
>>> having better luck now with more drastic emergency flow pruning:
>>>
>>> flow:
>>>   #memcap: 33554432
>>>   memcap: 4294967295
>>>   #hash_size: 65536
>>>   hash_size: 268435456
>>>   prealloc: 10000
>>>   emergency_recovery: 40 #30
>>>   prune_flows: 500 #5
>>>
>>> flow-timeouts:
>>>   default:
>>>     new: 1 # 30
>>>     established: 10 #300
>>>     closed: 0
>>>     emergency_new: 1 #10
>>>     emergency_established: 1 #100
>>>     emergency_closed: 0
>>>   tcp:
>>>     new: 1 #60
>>>     established: 10 #3600
>>>     closed: 120
>>>     emergency_new: 1 #10
>>>     emergency_established: 1 #300
>>>     emergency_closed: 20
>>>   udp:
>>>     new: 1 #30
>>>     established: 1 #300
>>>     emergency_new: 1 #10
>>>     emergency_established: 1 #100
>>>   icmp:
>>>     new: 1 #30
>>>     established: 1 #300
>>>     emergency_new: 1 #10
>>>     emergency_established: 1 #100
>>>
>>> I'm not yet sure how this will affect detection, but prior to this,
>>> most new flows were being discarded.  This policy should favor new
>>> flows at the expense of old flows, which for malware detection should
>>> be desired.
>>>
>>> On Mon, Sep 19, 2011 at 10:30 AM, Anoop Saldanha <poonaatsoc at gmail.com> wrote:
>>>> stream:
>>>>  memcap: 33554432              # 32mb
>>>>
>>>> At the same time, you might also want to set max_sessions to something
>>>> bigger.  We default to 256k.  You can try a bigger number and see how that
>>>> works out
>>>>
>>>> On Mon, Sep 19, 2011 at 8:07 PM, Martin Holste <mcholste at gmail.com> wrote:
>>>>> I'm seeing a ton of tcp.ssn_memcap_drop in my stats.log.  Which memcap
>>>>> do I need to tweak to decrease these drops?  I've already set them all
>>>>> to 4GB.
>>>>> _______________________________________________
>>>>> Oisf-devel mailing list
>>>>> Oisf-devel at openinfosecfoundation.org
>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Anoop Saldanha
>>>>
>>>
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>
>
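The thread's diagnostic question is whether the stream memcap is actually refusing sessions right now, which the cumulative counters in stats.log do not show at a glance. The script below is an added example, not code from the thread or from Suricata: it parses a constructed sample in the "Counter | TM Name | Value" table layout that I assume stats.log uses, sums each counter across worker threads, and reports the per-interval growth of any memcap-related counter plus the fraction of attempted TCP sessions refused. The `tcp.sessions` counter name and the sample values are assumptions; only `tcp.ssn_memcap_drop` comes from the thread.

```python
"""Track memcap-driven drops between consecutive Suricata stats.log dumps.

Added example: the stats.log layout below (Date line, then a
"Counter | TM Name | Value" table) is assumed, and the sample is
constructed. Only tcp.ssn_memcap_drop is a counter named in the thread;
tcp.sessions and decoder.pkts are assumed names.
"""
import re
from collections import defaultdict

# Constructed sample: three consecutive dumps, two detect threads each.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 9/19/2011 -- 17:10:58 (uptime: 0d, 00h 05m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | ReceivePcap               | 9000000
tcp.sessions              | Detect1                   | 120000
tcp.ssn_memcap_drop       | Detect1                   | 0
tcp.sessions              | Detect2                   | 118000
tcp.ssn_memcap_drop       | Detect2                   | 0
-------------------------------------------------------------------
Date: 9/19/2011 -- 17:11:58 (uptime: 0d, 00h 06m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | ReceivePcap               | 11000000
tcp.sessions              | Detect1                   | 150000
tcp.ssn_memcap_drop       | Detect1                   | 0
tcp.sessions              | Detect2                   | 147000
tcp.ssn_memcap_drop       | Detect2                   | 0
-------------------------------------------------------------------
Date: 9/19/2011 -- 17:12:58 (uptime: 0d, 00h 07m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | ReceivePcap               | 13000000
tcp.sessions              | Detect1                   | 160000
tcp.ssn_memcap_drop       | Detect1                   | 4000
tcp.sessions              | Detect2                   | 157000
tcp.ssn_memcap_drop       | Detect2                   | 3500
"""

# One table row: counter | thread name | integer value. The header row
# ("TM Name" contains a space, "Value" is not an integer) does not match.
ROW_RE = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats_log(text):
    """Return one dict per dump mapping counter name -> value summed over
    every thread (TM Name) that reports it."""
    dumps = []
    current = None
    for line in text.splitlines():
        if line.strip().startswith("Date:"):
            current = defaultdict(int)
            dumps.append(current)
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            counter, _thread, value = m.groups()
            current[counter] += int(value)
    return [dict(d) for d in dumps]


def counter_deltas(dumps, pattern=r"memcap"):
    """Per-interval growth of every counter whose name matches pattern.
    Counters are cumulative, so growth, not the absolute value, tells you
    whether the memcap was hit during that interval."""
    rx = re.compile(pattern)
    deltas = []
    for prev, cur in zip(dumps, dumps[1:]):
        deltas.append({name: value - prev.get(name, 0)
                       for name, value in cur.items() if rx.search(name)})
    return deltas


def memcap_alerts(text, pattern=r"memcap"):
    """(interval index, counter, delta) for each interval where a
    memcap-related counter grew; empty list means no drops in that window."""
    dumps = parse_stats_log(text)
    return [(i, name, delta)
            for i, interval in enumerate(counter_deltas(dumps, pattern))
            for name, delta in sorted(interval.items()) if delta > 0]


def ssn_drop_ratio(dumps):
    """Fraction of attempted new TCP sessions refused by the stream memcap
    per interval: dropped / (created + dropped). Uses the assumed
    tcp.sessions counter for the created count."""
    ratios = []
    for prev, cur in zip(dumps, dumps[1:]):
        created = cur.get("tcp.sessions", 0) - prev.get("tcp.sessions", 0)
        dropped = (cur.get("tcp.ssn_memcap_drop", 0)
                   - prev.get("tcp.ssn_memcap_drop", 0))
        attempted = created + dropped
        ratios.append(dropped / attempted if attempted else 0.0)
    return ratios


if __name__ == "__main__":
    dumps = parse_stats_log(SAMPLE_STATS_LOG)
    for i, name, delta in memcap_alerts(SAMPLE_STATS_LOG):
        print(f"interval {i}: {name} grew by {delta}")
    for i, ratio in enumerate(ssn_drop_ratio(dumps)):
        print(f"interval {i}: {ratio:.1%} of new TCP sessions refused")
```

Run it against a real stats.log by reading the file into `memcap_alerts`; a steady positive delta with a drop ratio that is not falling after a memcap or timeout change is the signal that the change did not take, whereas a zero delta with detections still missing (the situation described in the last reply above) points somewhere other than the memcap.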


