[Oisf-users] memcap drops etc

Peter Manev petermanev at gmail.com
Thu Dec 6 10:21:17 UTC 2012


Hi,

What (how much) traffic do you average?

On Thu, Dec 6, 2012 at 11:17 AM, Christophe Vandeplas <
christophe at vandeplas.com> wrote:

> Hello,
>
>
> Almost all my IDSes are having
> tcp.segment_memcap_drop
> tcp.reassembly_gap
>
> And some of them have
> tcp.ssn_memcap_drop
>
> I have been playing around with the memory settings in Suricata, but I
> must admit it still looks very unclear to me, any help would really be
> appreciated.
>
> To attack this problem I'm now concentrating my efforts on the IDS
> dealing with the least traffic: during the day average of 15 Mbps.
> The IDS has 8 virtual cores (4-core + HT = 8), and 8 GB of RAM. And
> is sniffing using -i on a bond0 interface.
>
> The stats file is here: http://pastebin.com/kSVFDHRM
>
>
> Outputs that are on: fast, unified2, http, stats, syslog.
> I did not change anything in the threading section.
> Defrag is also default:
> defrag:
>   max-frags: 65535
>   prealloc: yes
>   timeout: 60
>
> Raised flow:
> flow:
>   memcap: 2gb
>   hash-size: 65536
>   prealloc: 10000
>   emergency-recovery: 30
>   prune-flows: 5
>
> Flow-timeouts are default, and I raised stream memcaps:
> stream:
>   memcap: 2gb
>   checksum-validation: yes      # reject wrong csums
>   inline: no                    # no inline mode
>   reassembly:
>     memcap: 1gb
>     depth: 8mb                  # reassemble 1mb into a stream
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>
>
> Any advice to further fine-tune is welcome!
>
> Thanks a lot
> Christophe



-- 
Regards,
Peter Manev
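
An added example, not part of the original thread and not Suricata's own code: a small script that reads stats.log dumps and reports how much the counters named in the quoted message grew between consecutive dumps, which shows whether drops are still occurring after a memcap change. It assumes the `Counter | TM Name | Value` table layout of stats.log; the sample values and thread name are constructed.

```python
import re
from collections import defaultdict

# Counters named in the thread above.
WATCHED = ("tcp.segment_memcap_drop", "tcp.ssn_memcap_drop", "tcp.reassembly_gap")

# Constructed sample: two dumps, made-up values and a made-up thread name.
SAMPLE = """\
-------------------------------------------------------------------
Date: 12/6/2012 -- 10:00:00 (uptime: 0d, 01h 00m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.segment_memcap_drop   | RxPcapbond01              | 40
tcp.reassembly_gap        | RxPcapbond01              | 7
-------------------------------------------------------------------
Date: 12/6/2012 -- 10:00:10 (uptime: 0d, 01h 00m 10s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.segment_memcap_drop   | RxPcapbond01              | 65
tcp.reassembly_gap        | RxPcapbond01              | 9
"""

DATE_RE = re.compile(r"^Date:\s*(.+?)\s*\(uptime")
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_dumps(text):
    """Return [(date, {counter: value summed over threads})], one per dump."""
    dumps = []
    for line in text.splitlines():
        if m := DATE_RE.match(line):
            dumps.append((m.group(1), defaultdict(int)))
        elif dumps and (m := ROW_RE.match(line)):
            dumps[-1][1][m.group(1)] += int(m.group(3))
    return dumps

def memcap_deltas(dumps):
    """Per interval, growth of each watched counter that changed."""
    out = []
    for (_, prev), (date, cur) in zip(dumps, dumps[1:]):
        # A counter lower than before means Suricata restarted and began at 0.
        d = {c: cur[c] - (prev[c] if cur[c] >= prev[c] else 0) for c in WATCHED}
        out.append((date, {c: v for c, v in d.items() if v}))
    return out

if __name__ == "__main__":
    for date, grown in memcap_deltas(parse_dumps(SAMPLE)):
        print(date, grown or "no new drops or gaps")
```
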