[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM
Michał Purzyński
michalpurzynski1 at gmail.com
Wed Nov 5 00:08:25 UTC 2014
Suricata 2.0.4, 128GB memory, around 10.5k rules from ET. The startup
process is loooong, then it fails, eating all the memory. Is that
expected? I've tried using ac-bs but gave up after more than 20 minutes
waiting for it to start.
detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 200
  - sgh-mpm-context: full
  - inspection-recursion-limit: 3000

mpm-algo: ac
Now, if I change the sgh-mpm-context to 'auto' it can start, using
around 40GB of memory. Does it mean that auto = single?
I'm kind of concerned that the rules cannot fit in memory with
sgh-mpm-context set to full and the settings presented. Should I be? :)
What is better - use profile: high and context: full (if it fits) or
profile: custom with settings presented and sgh-mpm-context: auto?
--
Michał Purzyński