[Oisf-users] tcp.segment_memcap_drop couldn't be kept at zero, no matters how much memory we assign

Martin Holste mcholste at gmail.com
Sat Dec 1 02:54:17 UTC 2012


Adjust your default timeouts much lower so that streams are taken out of
the connection pool more quickly.

This config is aggressive, but I think you'll find it does the trick.  If
it doesn't work, I'd like to know:

flow-timeouts:

  default:
    new: 1 # 30
    established: 10 #300
    closed: 0
    emergency_new: 1 #10
    emergency_established: 1 #100
    emergency_closed: 0
  tcp:
    new: 1 #60
    established: 10 #3600
    closed: 0 #120
    emergency_new: 1 #10
    emergency_established: 5 #1 #300
    emergency_closed: 20
  udp:
    new: 1 #30
    established: 1 #300
    emergency_new: 1 #10
    emergency_established: 1 #100
  icmp:
    new: 1 #30
    established: 1 #300
    emergency_new: 1 #10
    emergency_established: 1 #100



On Fri, Nov 30, 2012 at 4:15 PM, Dave Remien <dave.remien at gmail.com> wrote:

> Fernando,
>
> If I'm reading your config file right, you're asking for 8.3 million
> sessions of 512KB each? I think that works out to 4.3TB of RAM; rather more
> than the 64GB memcap.
>
> Cheers,
>
> Dave
>
>
> On Fri, Nov 30, 2012 at 10:24 AM, Fernando Sclavo <fsclavo at gmail.com> wrote:
>
>>
>> Hello all!
>> I'm installing an IDS at our company, monitoring two core switches with
>> a sustained traffic of about 2gbps each. The server is a Dell R715, 32
>> cores, 192Gb RAM with two Intel X520 nics. Suricata version is 1.4b3.
>> The problem we are facing is with tcp.segment_memcap_drop increasing
>> continuously once tcp.reassembly_memuse reaches its max size
>> (64gb!!)
>> The related suricata.yaml stanza is:
>>
>> stream:
>>   memcap: 24gb
>>   checksum-validation: no      # reject wrong csums
>>   inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically
>>   max-sessions: 8388608
>>   prealloc-sessions: 8388608
>>   reassembly:
>>     memcap: 64gb
>>     depth: 512kb                  # reassemble 1mb into a stream
>>     toserver-chunk-size: 2560
>>     toclient-chunk-size: 2560
>>
>> Thanks in advance!
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
>
>
>
> --
> ".... We are such stuff
> As dreams are made on; and our little life
> Is rounded with a sleep."
> -- Shakespeare, The Tempest - Act 4
>
>
>
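
The sizing estimate Dave describes above (max-sessions times reassembly depth, compared with the reassembly memcap), as an added example that is not part of the original thread. It assumes the kb/mb/gb suffixes are binary multiples and treats every session as buffering to full depth, which is an upper bound rather than what Suricata allocates; the function names are hypothetical.

```python
import re

# Constructed sample: the sizing-relevant keys of the stream stanza quoted in this thread.
STANZA = """\
stream:
  memcap: 24gb
  max-sessions: 8388608
  prealloc-sessions: 8388608
  reassembly:
    memcap: 64gb
    depth: 512kb
"""

# Assumption: size suffixes are powers of 1024.
UNITS = {"": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3}

def parse_size(text):
    """Convert a size such as '512kb' or '64gb' to bytes."""
    m = re.fullmatch(r"(\d+)\s*(kb|mb|gb)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2) or ""]

def parse_stanza(text):
    """Flatten an indented 'key: value' stanza into dotted keys (comments stripped)."""
    path, out = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        # Drop path entries at the same or deeper indent, then descend into this key.
        path = [(i, k) for i, k in path if i < indent] + [(indent, key)]
        if value.strip():
            out[".".join(k for _, k in path)] = value.strip()
    return out

def reassembly_budget(text):
    """Compare worst-case reassembly demand against stream.reassembly.memcap."""
    cfg = parse_stanza(text)
    sessions = int(cfg["stream.max-sessions"])
    depth = parse_size(cfg["stream.reassembly.depth"])
    memcap = parse_size(cfg["stream.reassembly.memcap"])
    worst = sessions * depth
    return {"worst_case_bytes": worst, "memcap_bytes": memcap,
            "full_depth_sessions_in_memcap": memcap // depth,
            "oversubscription": worst / memcap}

if __name__ == "__main__":
    for name, value in reassembly_budget(STANZA).items():
        print(f"{name}: {value}")
```
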