[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM
Victor Julien
lists at inliniac.net
Wed Nov 5 09:27:37 UTC 2014
On 11/05/2014 01:08 AM, Michał Purzyński wrote:
> Suricata 2.0.4, 128GB memory, around 10.5k rules from ET. The startup
> process is loooong, then it fails, eating all the memory. Is it
> expected? I've tried using ac-bs but gave up after like >20 minutes
> waiting for it to start.
>
> detect-engine:
>   - profile: custom
>   - custom-values:
>       toclient-src-groups: 200
>       toclient-dst-groups: 200
>       toclient-sp-groups: 200
>       toclient-dp-groups: 300
>       toserver-src-groups: 200
>       toserver-dst-groups: 400
>       toserver-sp-groups: 200
>       toserver-dp-groups: 200
>   - sgh-mpm-context: full
>   - inspection-recursion-limit: 3000
>
> mpm-algo: ac
>
> Now, if I change the sgh-mpm-context to 'auto' it can start, using
> around 40GB of memory. Does it mean that auto = single?
Depends on the chosen mpm-algo. Generally, for all 'ac' algos 'auto' ==
'single'; for the rest it's 'full'.
In your case I would suggest trying sgh-mpm-context: full with mpm-algo
ac-bs or ac-gfbs.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
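As an added illustration (not code from the thread or from the Suricata project), a small Python check that reads the two relevant keys from suricata.yaml-style text, resolves 'auto' according to the rule in Victor's reply, and flags the mpm-algo ac + sgh-mpm-context full combination that exhausted memory for the original poster. The sample config text is constructed and its indentation is assumed.

```python
import re

# Constructed sample in the shape of the poster's detect-engine section
# (not a real suricata.yaml; indentation assumed).
SAMPLE_YAML = """\
detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toserver-dp-groups: 200
  - sgh-mpm-context: full
  - inspection-recursion-limit: 3000

mpm-algo: ac
"""


def extract_mpm_settings(yaml_text):
    """Pull mpm-algo and sgh-mpm-context out of suricata.yaml-style text
    with a plain line scan, so no YAML library is needed for two scalars.
    sgh-mpm-context defaults to 'auto' when the key is absent."""
    settings = {"mpm-algo": None, "sgh-mpm-context": "auto"}
    for line in yaml_text.splitlines():
        m = re.match(r"\s*-?\s*(mpm-algo|sgh-mpm-context)\s*:\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def resolve_sgh_mpm_context(mpm_algo, sgh_mpm_context):
    """Rule from the reply: 'auto' means 'single' for the ac family
    (ac, ac-bs, ac-gfbs) and 'full' for every other mpm-algo."""
    if sgh_mpm_context != "auto":
        return sgh_mpm_context
    return "single" if (mpm_algo or "").startswith("ac") else "full"


def assess(yaml_text):
    """Report the effective context and whether the config is the
    ac + full combination that needed more than 128GB in the thread."""
    s = extract_mpm_settings(yaml_text)
    effective = resolve_sgh_mpm_context(s["mpm-algo"], s["sgh-mpm-context"])
    risky = s["mpm-algo"] == "ac" and effective == "full"
    return {"mpm-algo": s["mpm-algo"],
            "effective-context": effective,
            "high-memory-risk": risky}


if __name__ == "__main__":
    print(assess(SAMPLE_YAML))
```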