[Oisf-users] Suricata and tcp.reassembly_gap

Peter Manev petermanev at gmail.com
Sat Jun 30 13:18:21 UTC 2012


Hi Peter,

try tweaking the following:

> flow:
>   memcap: 4gb
>   hash-size: 131072
>   prealloc: 50000
>   emergency-recovery: 30
>   prune-flows: 5
>

then also:

> stream:
>   memcap: 8gb
>   max-sessions: 1000000
>   prealloc-sessions: 500000
>   checksum-validation: no      # reject wrong csums
>   inline: no                    # no inline mode
>   reassembly:
>     memcap: 4gb
>     depth: 2mb                  # reassemble 1mb into a stream
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>

but try out different values and see which one is best for you/your traffic.



thanks



On Sat, Jun 30, 2012 at 2:58 PM, Peter Bates <peter.bates at ucl.ac.uk> wrote:

>
> Hello again all
>
> On 30/06/2012 13:31, Peter Bates wrote:
> > Will increasing the AF_PACKET buffer see my reassembly_gaps
> > decrease/disappear?
>
> Okay, so I increased the AF_PACKET buffer to 1Gb and I'd forgotten
> about the checksum/NIC settings as mentioned at
>
> http://securityonion.blogspot.co.uk/2011/10/when-is-full-packet-capture-not-full.html
>
> Things are looking healthier:
>
> Date: 6/30/2012 -- 13:57:18 (uptime: 0d, 00h 12m 00s)
> tcp.reassembly_gap        | Detect                    | 11
> detect.alert              | Detect                    | 0
> capture.kernel_packets    | RxAFP1                    | 6628005
> capture.kernel_drops      | RxAFP1                    | 1186
>
> - --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT
>
>



-- 
Regards,
Peter Manev
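An added example, not from this thread or from the Suricata project: a small Python script that reads stats.log snapshots in the format Peter Bates pasted, sums the per-thread rows (RxAFP1, RxAFP2, ...) into one total per counter, takes the delta between consecutive dumps (the counters are cumulative since start, as the uptime column suggests), and rates kernel drops and tcp.reassembly_gap against the packet count. The first snapshot copies the figures from the thread; the second snapshot, the thresholds and the function names are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Two stats.log snapshots in the format shown in the thread. The first copies the
# figures Peter Bates posted; the second is constructed to show a degraded interval.
SAMPLE_STATS_LOG = """\
Date: 6/30/2012 -- 13:57:18 (uptime: 0d, 00h 12m 00s)
tcp.reassembly_gap        | Detect                    | 11
detect.alert              | Detect                    | 0
capture.kernel_packets    | RxAFP1                    | 6628005
capture.kernel_drops      | RxAFP1                    | 1186
Date: 6/30/2012 -- 14:09:18 (uptime: 0d, 00h 24m 00s)
tcp.reassembly_gap        | Detect                    | 300
detect.alert              | Detect                    | 0
capture.kernel_packets    | RxAFP1                    | 13256010
capture.kernel_drops      | RxAFP1                    | 40000
"""

DATE_RE = re.compile(r"^Date:\s*(.+?)\s*\(uptime")
COUNTER_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

Snapshot = Tuple[str, Dict[str, int]]


def parse_stats_log(text: str) -> List[Snapshot]:
    """Split stats.log text into (timestamp, counters) snapshots.

    Per-thread rows (RxAFP1, RxAFP2, ...) are summed into one total per counter.
    Header and separator lines do not match COUNTER_RE and are skipped.
    """
    snapshots: List[Snapshot] = []
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        dm = DATE_RE.match(line)
        if dm:
            counters = {}
            snapshots.append((dm.group(1), counters))
            continue
        cm = COUNTER_RE.match(line)
        if cm and snapshots:
            name, _thread, value = cm.groups()
            counters[name] = counters.get(name, 0) + int(value)
    return snapshots


def interval_delta(prev: Dict[str, int], cur: Dict[str, int]) -> Dict[str, int]:
    """Counters are cumulative since start; the delta is what happened in one interval."""
    return {k: cur.get(k, 0) - prev.get(k, 0) for k in set(prev) | set(cur)}


def assess(counters: Dict[str, int], max_drop_pct: float = 0.1,
           max_gaps_per_million: float = 5.0) -> Dict[str, object]:
    """Rate kernel drops and reassembly gaps against the packet count.

    The thresholds are assumptions for illustration, not Suricata defaults.
    """
    packets = counters.get("capture.kernel_packets", 0)
    drops = counters.get("capture.kernel_drops", 0)
    gaps = counters.get("tcp.reassembly_gap", 0)
    drop_pct = 100.0 * drops / packets if packets else 0.0
    gaps_per_million = 1e6 * gaps / packets if packets else 0.0
    findings = []
    if drop_pct > max_drop_pct:
        findings.append(f"kernel drops {drop_pct:.3f}% > {max_drop_pct}%: "
                        "raise the AF_PACKET buffer / check NIC offload settings")
    if gaps_per_million > max_gaps_per_million:
        findings.append(f"{gaps_per_million:.1f} reassembly gaps per million packets: "
                        "check stream/reassembly memcap and depth")
    return {"drop_pct": drop_pct, "gaps_per_million": gaps_per_million,
            "findings": findings}


def report(text: str) -> List[Tuple[str, Dict[str, object]]]:
    """Assess the first snapshot as-is and every later snapshot as an interval delta."""
    snaps = parse_stats_log(text)
    out: List[Tuple[str, Dict[str, object]]] = []
    if not snaps:
        return out
    out.append((snaps[0][0], assess(snaps[0][1])))
    for (_prev_ts, prev), (ts, cur) in zip(snaps, snaps[1:]):
        out.append((ts, assess(interval_delta(prev, cur))))
    return out


if __name__ == "__main__":
    for ts, result in report(SAMPLE_STATS_LOG):
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f"{ts}: drops={result['drop_pct']:.4f}% "
              f"gaps/Mpkt={result['gaps_per_million']:.2f} -> {status}")
```

Run it as-is to see the thread's numbers rated OK (about 0.018% drops, under two gaps per million packets) and the constructed second interval flagged on both counts. To use it on a real sensor, read stats.log into `report()` instead of SAMPLE_STATS_LOG; the per-interval delta matters because a healthy sensor that had a bad first minute keeps a misleading cumulative drop figure for its whole uptime.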

