[Oisf-users] tcp.segment_memcap_drop couldn't be kept at zero, no matters how much memory we assign

Dave Remien dave.remien at gmail.com
Fri Nov 30 22:15:05 UTC 2012


Fernando,

If I'm reading your config file right, you're asking for 8.3 million
sessions of 512KB each? I think that works out to 4.3TB of RAM; rather more
than the 64GB memcap.

Cheers,

Dave

On Fri, Nov 30, 2012 at 10:24 AM, Fernando Sclavo <fsclavo at gmail.com> wrote:

> Hello all!
> I'm installing an IDS at our company, monitoring two core switches with
> a sustained traffic of about 2gbps each. The server is a Dell R715, 32
> cores, 192Gb RAM with two Intel X520 nics. Suricata version is 1.4b3.
> The problem we are facing is with tcp.segment_memcap_drop increasing
> continuously once tcp.reassembly_memuse reaches its max size (64gb!!).
> The related suricata.yaml stanza is:
>
> stream:
>   memcap: 24gb
>   checksum-validation: no      # reject wrong csums
>   inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically
>   max-sessions: 8388608
>   prealloc-sessions: 8388608
>   reassembly:
>     memcap: 64gb
>     depth: 512kb                  # reassemble 1mb into a stream
>     toserver-chunk-size: 2560
>     toclient-chunk-size: 2560
>
> Thanks in advance!



-- 
".... We are such stuff
As dreams are made on; and our little life
Is rounded with a sleep."
-- Shakespeare, The Tempest - Act 4
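
The sizing check made in the reply above, written out as an added example (not part of the original thread and not Suricata code). It assumes, as the reply does, that every session can buffer up to the full reassembly depth, and that size suffixes are 1024-based; the function names are hypothetical and the stanza is a trimmed copy of the quoted one.

```python
import re

# Constructed sample: the relevant keys of the stream stanza quoted in the thread.
STANZA = """\
stream:
  memcap: 24gb
  max-sessions: 8388608
  prealloc-sessions: 8388608
  reassembly:
    memcap: 64gb
    depth: 512kb                  # reassemble 1mb into a stream
"""

UNITS = {"": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3}

def parse_size(text):
    """Convert a size such as '512kb' or '64gb' to bytes (assumed 1024-based)."""
    m = re.fullmatch(r"(\d+)\s*(kb|mb|gb)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2) or ""]

def read_stream_settings(stanza):
    """Extract max-sessions and the reassembly memcap/depth from the stanza text."""
    settings, in_reassembly = {}, False
    for line in stanza.splitlines():
        line = line.split("#", 1)[0]              # drop trailing comments
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "reassembly":
            in_reassembly = True                  # keys below belong to reassembly
        elif key == "max-sessions":
            settings["max_sessions"] = int(value)
        elif in_reassembly and key in ("memcap", "depth"):
            settings[key] = parse_size(value)
    return settings

def sizing_report(stanza):
    """Compare sessions x depth against the reassembly memcap."""
    s = read_stream_settings(stanza)
    worst_case = s["max_sessions"] * s["depth"]   # assumption: all sessions at full depth
    return {
        "worst_case_bytes": worst_case,
        "memcap_bytes": s["memcap"],
        "oversubscription": worst_case / s["memcap"],
        "sessions_at_full_depth": s["memcap"] // s["depth"],
    }

if __name__ == "__main__":
    print(sizing_report(STANZA))
```
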