[Oisf-users] tcp.segment_memcap_drop

Kurzawa, Kevin kkurzawa at co.pinellas.fl.us
Thu Jun 5 19:31:04 UTC 2014


In general, is there a rule of thumb for the size that should be set for the stream memory cap for a certain amount of traffic? 
I.e.: 
  Stream memcap: 1gb per 1gb of traffic / 100% ram to traffic
  Stream reassembly memcap: 2gb per 1gb of traffic / 200% ram to traffic



-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Peter Manev
Sent: Thursday, June 05, 2014 2:03 PM
To: Adnan Baykal
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] tcp.segment_memcap_drop

On Thu, Jun 5, 2014 at 7:56 PM, Adnan Baykal <abaykal at gmail.com> wrote:
> What is this measure? As soon as I start Suri, I get this number in
> 15K and it just keeps going up significantly. Can anyone tell me what
> affects the tcp.segment_memcap_drop counter and what I can do to get it down?

In general, you need to increase the stream memcap settings in the YAML.

> I have 16GB ram and already have memcap at 6gb and reassembly memcap 
> at 12GB and depth: at 1mb
>
> Thanks
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/


If you have 16 GB RAM in total and you have 6+12 in Suricata = 18, you will go into swap at some point and degrade performance not only for Suri but for the whole machine as well.




--
Regards,
Peter Manev
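
The two checks discussed in this thread, as an added example (not code from the posters or from Suricata): a Python script that sums the configured memcaps against installed RAM and measures how much tcp.segment_memcap_drop grows between stats.log dumps. The function names, thread names and stats.log values are constructed for illustration; the memcap and RAM figures are the ones quoted in the thread.

```python
import re

UNITS = {"": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3}

def parse_size(text):
    """Convert a Suricata-style size string ('6gb', '1mb', '4096') to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*(kb|mb|gb)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "").lower()]

def memcap_budget(memcaps, ram_total):
    """Return (sum of all memcaps in bytes, bytes by which that exceeds RAM)."""
    total = sum(parse_size(v) for v in memcaps.values())
    return total, max(0, total - parse_size(ram_total))

def drop_deltas(stats_text, counter="tcp.segment_memcap_drop"):
    """Sum the counter over all threads per dump; return the growth between dumps."""
    totals = []
    for line in stats_text.splitlines():
        if line.startswith("Date:"):          # every stats.log dump opens with Date:
            totals.append(0)
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[0] == counter and totals:
            totals[-1] += int(parts[2])
    return [later - earlier for earlier, later in zip(totals, totals[1:])]

# Values quoted in the thread: 16 GB RAM, stream memcap 6gb, reassembly memcap 12gb.
THREAD_MEMCAPS = {"stream.memcap": "6gb", "stream.reassembly.memcap": "12gb"}

# Constructed stats.log excerpt (thread names and values are made up).
SAMPLE_STATS = """\
Date: 6/5/2014 -- 19:00:08 (uptime: 0d, 00h 00m 08s)
Counter                   | TM Name                   | Value
tcp.segment_memcap_drop   | AFPacketeth01             | 9000
tcp.segment_memcap_drop   | AFPacketeth02             | 6000
Date: 6/5/2014 -- 19:00:16 (uptime: 0d, 00h 00m 16s)
Counter                   | TM Name                   | Value
tcp.segment_memcap_drop   | AFPacketeth01             | 21000
tcp.segment_memcap_drop   | AFPacketeth02             | 14000
"""

if __name__ == "__main__":
    total, over = memcap_budget(THREAD_MEMCAPS, "16gb")
    print(f"memcaps total {total / 1024**3:.0f} GiB, {over / 1024**3:.0f} GiB over RAM")
    print("segment_memcap_drop growth per dump:", drop_deltas(SAMPLE_STATS))
```

The stream memcaps are not Suricata's only memory use, so a total that fits under installed RAM is a necessary condition for staying out of swap, not a sufficient one.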


