[Oisf-users] suricata ids+ips in one process

Victor Julien victor at inliniac.net
Thu Dec 1 07:12:36 UTC 2011


On 12/01/2011 08:08 AM, Sergey Naumov wrote:
> Hello.
> 
> I would like to ask whether suricata can be started as ids + ips in one process?
> I am trying to start it with:
> suricata -c /suricata.yaml -q666 --pfring
> 
> Without --pfring it works, but if I specify --pfring (and I have empty
> pfring: section in suricata.yaml deliberately), suricata exits.
> 
> The reason is to save memory, because tree of signatures is huge and
> consumes a lot of memory even in case of one suricata process.

It's not possible currently. We change a few things in the global data
structures depending on IDS or IPS mode. It should not be hard to
implement, although no plans for it exist currently.

Wrt memory usage, try setting detect-engine.profile to low.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



