[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM

Brandon Lattin lattin at umn.edu
Wed Nov 5 14:30:27 UTC 2014


As far as I know, there's no reason not to use 'single' if your box can
keep up with the traffic.

We used 'full' and a smaller ruleset because our older boxes couldn't keep
up. I'm testing newer machines over the next month, and am planning on
running in 'single' mode.

Maybe Victor or Cooper can weigh in.

On Tue, Nov 4, 2014 at 6:08 PM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:

> Suricata 2.0.4, 128GB memory, around 10.5k rules from ET. The startup
> process is loooong, then it fails, eating all the memory. Is it
> expected? I've tried using ac-bs but gave up after like >20 minutes
> waiting for it to start.
>
> detect-engine:
>   - profile: custom
>   - custom-values:
>       toclient-src-groups: 200
>       toclient-dst-groups: 200
>       toclient-sp-groups: 200
>       toclient-dp-groups: 300
>       toserver-src-groups: 200
>       toserver-dst-groups: 400
>       toserver-sp-groups: 200
>       toserver-dp-groups: 200
>   - sgh-mpm-context: full
>   - inspection-recursion-limit: 3000
>
> mpm-algo: ac
>
> Now, if I change the sgh-mpm-context to 'auto' it can start, using
> around 40GB of memory. Does it mean that auto = single?
>
> I'm kind of concerned that rules cannot fit in the memory with
> sgh-mpm-context set to full and the settings presented. Should I be?
> :)
>
> What is better - use profile: high and context: full (if it fits) or
> profile: custom with settings presented and sgh-mpm-context: auto?
>
> --
> Michał Purzyński
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/




-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
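Added illustration (not from either poster): the two detect-engine variants discussed in the thread side by side, using the group values Michał quoted. The comments describe what each sgh-mpm-context setting does to the number of multi-pattern-matcher contexts, which is where the memory difference comes from; the Suricata 2.0-era syntax is assumed as shown in the quoted message.

```yaml
# Variant A: the configuration from the thread that failed to start.
# With sgh-mpm-context: full, every signature group header (SGH) gets its
# own MPM context, so memory grows with the number of groups the custom
# profile allows, multiplied by the size of the ruleset. Large custom
# group counts plus ~10k rules is what drives RAM use into the tens of GB
# and beyond.
detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 200
  - sgh-mpm-context: full
  - inspection-recursion-limit: 3000

mpm-algo: ac

# Variant B: the memory-lean alternative Brandon describes.
# With sgh-mpm-context: single, all signature groups share one MPM context
# per direction/protocol, so memory no longer scales with the group counts
# above and startup is much faster. The trade-off is that a single shared
# pattern set produces more candidate matches per packet that have to be
# verified against the full signature, i.e. more CPU per packet; hence
# "if your box can keep up with the traffic".
detect-engine:
  - profile: custom
  - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 200
  - sgh-mpm-context: single
  - inspection-recursion-limit: 3000

mpm-algo: ac
```

Only one detect-engine block belongs in a real suricata.yaml; the two are shown together here for comparison. Whichever variant is chosen, watching suricata's startup log and resident memory on the first load with the full ET ruleset is the practical check that the box fits it.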