[Oisf-users] memcap drops etc
Peter Manev
petermanev at gmail.com
Thu Dec 6 10:21:17 UTC 2012
Hi,
What (how much) traffic do you average?
On Thu, Dec 6, 2012 at 11:17 AM, Christophe Vandeplas <christophe at vandeplas.com> wrote:
> Hello,
>
>
> Almost all my IDSes are having
> tcp.segment_memcap_drop
> tcp.reassembly_gap
>
> And some of them have
> tcp.ssn_memcap_drop
>
> I have been playing around with the memory settings in suricata, but I
> must admit it still looks very unclear to me, any help would really be
> appreciated.
>
> To attack this problem I'm now concentrating my efforts on the IDS
> dealing with the least traffic: during the day an average of 15 Mbps.
> The IDS has 8 virtual cores (4-core + HT = 8), and 8 GB of RAM. And
> it is sniffing using -i on a bond0 interface.
>
> The stats file is here: http://pastebin.com/kSVFDHRM
>
>
> Outputs that are on: fast, unified2, http, stats, syslog.
> I did not change anything in the threading section.
> Defrag is also default:
> defrag:
>   max-frags: 65535
>   prealloc: yes
>   timeout: 60
>
> Raised flow:
> flow:
>   memcap: 2gb
>   hash-size: 65536
>   prealloc: 10000
>   emergency-recovery: 30
>   prune-flows: 5
>
> Flow-timeouts are default, and I raised stream memcaps:
> stream:
>   memcap: 2gb
>   checksum-validation: yes      # reject wrong csums
>   inline: no                    # no inline mode
>   reassembly:
>     memcap: 1gb
>     depth: 8mb                  # reassemble 1mb into a stream
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>
>
> Any advice to further fine-tune is welcome!
>
> Thanks a lot
> Christophe
--
Regards,
Peter Manev
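
One way to track the counters named in the message above, as an added example that is not part of the original thread: it sums each counter across threads in Suricata's stats.log and reports how much it grew between the last two dumps. The sample log text, its thread names and its values are constructed for illustration.

```python
import re
from collections import defaultdict

# Counters named in the post above.
WATCHED = ("tcp.segment_memcap_drop", "tcp.ssn_memcap_drop", "tcp.reassembly_gap")

# Constructed sample in the "Counter | TM Name | Value" layout of stats.log;
# thread names and values are made up for illustration.
SAMPLE = """\
Date: 12/6/2012 -- 10:00:00 (uptime: 0d, 00h 10m 00s)
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.segment_memcap_drop   | Detect1                   | 40
tcp.segment_memcap_drop   | Detect2                   | 10
tcp.reassembly_gap        | Detect1                   | 7
Date: 12/6/2012 -- 10:00:08 (uptime: 0d, 00h 10m 08s)
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.segment_memcap_drop   | Detect1                   | 65
tcp.segment_memcap_drop   | Detect2                   | 10
tcp.reassembly_gap        | Detect1                   | 7
"""

ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_dumps(text):
    """Return one {counter: total across threads} dict per stats dump."""
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append(defaultdict(int))
        m = ROW.match(line)
        if m and dumps:
            dumps[-1][m.group(1)] += int(m.group(3))
    return dumps

def drop_report(text, watched=WATCHED):
    """Map each watched counter to (latest total, growth since previous dump)."""
    dumps = parse_dumps(text)
    if not dumps:
        return {}
    last = dumps[-1]
    prev = dumps[-2] if len(dumps) > 1 else {}
    return {c: (last.get(c, 0), last.get(c, 0) - prev.get(c, 0)) for c in watched}

if __name__ == "__main__":
    for name, (total, delta) in drop_report(SAMPLE).items():
        print(f"{name:26} total={total:<8} since previous dump=+{delta}")
```

The values in stats.log are cumulative since Suricata started, so the growth between dumps, rather than the total, shows whether a memcap change stopped the drops.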