[Oisf-users] memcap drops etc
Anoop Saldanha
anoopsaldanha at gmail.com
Thu Dec 6 11:22:46 UTC 2012
On Thu, Dec 6, 2012 at 4:40 PM, Victor Julien <lists at inliniac.net> wrote:
> On 12/06/2012 11:17 AM, Christophe Vandeplas wrote:
>> Almost all my IDSses are having
>> tcp.segment_memcap_drop
>
> Affected only by available memory and stream.reassembly.memcap (reducing
> stream.reassembly.depth can reduce the mem use per stream, so that may
> affect it as wel)
>
>> tcp.reassembly_gap
>
> Affected by tcp.segment_memcap_drop, bad checksums and packet loss.
>
> In general it means pkts are missing or have been rejected for
> reassembly (e.g. bad csum)
>
>>
>> And some of them have
>> tcp.ssn_memcap_drop
>
> Affected by:
> stream.memcap
> stream.max-sessions
> available memory
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
Can you describe the ruleset you're using?
--
Anoop Saldanha
More information about the Oisf-users
mailing list