[Oisf-users] tcp.segment_memcap_drop couldn't be kept at zero, no matters how much memory we assign

[Fernando Sclavo]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all!
I'm installing an IDS on our company, monitoring two core switches with
a sustained traffic of about 2gbps each. The server is a Dell R715, 32
cores, 192Gb RAM with two Intel X520 nics. Suricata version is 1.4b3.
The problem we are facing, is with tcp.segment_memcap_drop increasing
continuosly once time tcp.reassembly_memuse reaches their max size (64gb!!)
The related suricata.yaml stanza is:

stream:
  memcap: 24gb
  checksum-validation: no      # reject wrong csums
  inline: no                  # auto will use inline mode in IPS mode,
yes or no set it statically
  max-sessions: 8388608
  prealloc-sessions: 8388608
  reassembly:
    memcap: 64gb
    depth: 512kb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

Thanks in advance!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBAgAGBQJQuOviAAoJEDtYYV2Ws9eJD18P/2+QZR+6BXnk/FfXQeCw43Xh
qynGiI3qnrg3SSaGdiWDrm0b8UuVuq/HXaAdIo0hzeDNgRLWjBKnnz4b3UA3HyIH
cKpPUsEFUyc55KPSDzDW2mCGB/V//7f/Ude5DXG7/CZ9+xJu1jhuePfuE9Nl1yIi
o3xmlI1mXXXc82rs0VGKDJ0ZwoN+/zmcnp1sW5mG42CKR2Hr9PcVKzP0IHbNZlHI
Q0ishhXNrKcGCpHn9/J9gg44af6+7a0EdnOZOEgRNtOILfK6C5N4p5cwZfMAkYnL
AcswoaER4ftBV49WpfWjTeOhEQxYaGFM8QURB0f30ODqMDoDUKX6lwjXm6+ZfQqr
Y+mGzX/WFCeFI2A4KqgNamZi1IKKd83j0AxH8nYhWa9kPtws75L5iGYAQOE5yoVw
oTnEncPlSLK+Mb/fhoc0crNeMkCKDV6uCFgpE/JKUtogG25nmcbSAIoE3Esa9iYq
dRww7KhOZttLRXjZeRkm/bl1CmBDXDJ2sZQ8jZtqpGeFlIMi4BYCyQAKsKWyAji4
9LrDvtnew/jvWLCpNOfPrHWjRM+XbpD+k4YWO1imRWU6Or+E4Fgx9oiFNd9ni/DY
l2NrSkq9RIixCVqrpNkWsEwCxN2pftJ4h0sXqTqkkhi8Ofhui60o1uNAOqMGURoN
U30CUPowHUvuwnguE781
=vy1s
-----END PGP SIGNATURE-----