[Oisf-users] tcp.segment_memcap_drop

Peter Manev petermanev at gmail.com
Thu Jun 5 18:08:32 UTC 2014


On Thu, Jun 5, 2014 at 8:04 PM, Adnan Baykal <abaykal at gmail.com> wrote:
> What I found just now is that if I disable the midstream and async settings,
> drops go to 0. Yet, still no HTTP logging.
>
>


Please do not forget to click "reply all" when you are answering; that
way the user list will see your replies as well.

Which Suricata version are you using?
What do you mean by 0 HTTP logging - is that in eve.json or in http.log?
Are all enabled in suricata.yaml?

> On Thu, Jun 5, 2014 at 2:03 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Thu, Jun 5, 2014 at 7:56 PM, Adnan Baykal <abaykal at gmail.com> wrote:
>> > What is this measure? As soon as I start Suri, I get this number at 15K
>> > and it just keeps going up significantly. Can anyone tell me what affects
>> > the tcp.segment_memcap_drop counter and what I can do to get it down?
>>
>> In general you need to increase the stream memcap settings in yaml
>>
>> > I have 16GB RAM and already have memcap at 6gb and reassembly memcap at
>> > 12GB and depth: at 1mb
>> >
>> > Thanks
>>
>> If you have 16 GB RAM in total and you have 6+12 in Suricata = 18 you
>> will go into swap at some point and degrade performance not only for
>> Suri but for the whole machine as well.
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev
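
The memory budget point from the thread (6gb stream memcap plus 12gb reassembly memcap on a 16 GB host), as an added example that is not part of the original messages or of Suricata itself. The YAML fragment is constructed from the values quoted above, the function names are hypothetical, and the indentation-based reader is a simplified stand-in for a real YAML parser (whole-number sizes only).

```python
import re

# Constructed sample: a suricata.yaml "stream" section using the values
# quoted in the thread (6gb memcap, 12gb reassembly memcap, 1mb depth).
SAMPLE_YAML = """\
stream:
  memcap: 6gb
  midstream: false
  async-oneside: false
  reassembly:
    memcap: 12gb
    depth: 1mb
"""

UNITS = {"": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3}

def parse_size(text):
    """Convert a size string such as '12gb' or '1mb' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*(kb|mb|gb)?\s*", text.lower())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2) or ""]

def find_memcaps(yaml_text):
    """Return {dotted.path: bytes} for every 'memcap:' key, using indentation for nesting."""
    stack, found = [], {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, value = (part.strip() for part in line.split(":", 1))
        while stack and stack[-1][0] >= indent:   # leave deeper or sibling keys
            stack.pop()
        stack.append((indent, key))
        if key == "memcap" and value:
            found[".".join(k for _, k in stack)] = parse_size(value)
    return found

def memcap_budget(yaml_text, total_ram_bytes):
    """Sum all memcaps; a negative headroom means the caps exceed physical RAM."""
    caps = find_memcaps(yaml_text)
    total = sum(caps.values())
    return caps, total, total_ram_bytes - total

if __name__ == "__main__":
    caps, total, headroom = memcap_budget(SAMPLE_YAML, parse_size("16gb"))
    for path, size in caps.items():
        print(f"{path}: {size / 1024**3:.1f} GiB")
    print(f"total {total / 1024**3:.1f} GiB, headroom {headroom / 1024**3:.1f} GiB")
```

With the thread's values the headroom comes out negative, which is the swap condition described in the reply.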


