[Oisf-users] Suricata on 8 cores, ~70K packets/sec

Victor Julien victor at inliniac.net
Tue Feb 15 14:29:47 EST 2011


On 02/15/2011 11:21 AM, Chris Wakelin wrote:
> So it ran out of stream memory again. I've just quadrupled the memcaps,
> and doubled the reassembly depth. I've also just changed the tcp flow
> timeouts to 600 (emergency 120) rather than 3600 (300).

The reassembly depth sets the number of bytes into a stream for which
reassembly will be done. You can set it to 0 to disable the limit, meaning
all of the stream will be reassembled. We default to 1 MB, as most if not
all signatures seem to be more interested in the start of the stream than
in inspecting what happens in megabyte 1778 of a DVD download :)

In general, I'd expect performance to be better if you set it lower,
although at some point you might start missing events.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
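
The knobs discussed in this thread, as an added suricata.yaml fragment that is not part of the original message. The memcap values are constructed placeholders, and mapping "600 (emergency 120)" onto the established and emergency-established TCP timeouts is an assumption.

```yaml
# Added illustration, not from the thread: where the settings live in suricata.yaml.
stream:
  memcap: 64mb            # constructed value: cap on TCP session tracking memory
  reassembly:
    memcap: 256mb         # constructed value: cap on memory for buffered segments
    depth: 1mb            # bytes into each stream that are reassembled;
                          # 1 MB is the default named in the reply, 0 removes the limit

flow-timeouts:
  tcp:
    established: 600            # the thread lowers this from 3600 (assumed key mapping)
    emergency-established: 120  # the thread lowers this from 300 (assumed key mapping)
```

Lowering `depth` reduces how much of each long-lived flow is held and inspected, which is the performance versus missed-events trade-off described in the reply.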


