[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM

Brandon Lattin lattin at umn.edu
Wed Nov 5 14:32:29 UTC 2014 

Looks like my local cache was a bit behind on this conversation!

On Wed, Nov 5, 2014 at 8:30 AM, Brandon Lattin <lattin at umn.edu> wrote:

> As far as I know, there's no reason not to use 'single' if your box can
> keep up with the traffic.
>
> We used 'full' and a smaller ruleset because our older boxes couldn't keep
> up. I'm testing newer machines over the next month, and am planning on
> running in 'single' mode.
>
> Maybe Victor or Cooper can weigh in.
>
> On Tue, Nov 4, 2014 at 6:08 PM, Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>
>> Suricata 2.0.4, 128GB memory, around 10.5k rules from ET. The startup
>> process is loooong, then it fails, eating all the memory. Is it
>> expected? I've tried using ac-bs but gave up after like >20 minutes
>> waiting for it to start.
>>
>> detect-engine:
>>   - profile: custom
>>   - custom-values:
>>       toclient-src-groups: 200
>>       toclient-dst-groups: 200
>>       toclient-sp-groups: 200
>>       toclient-dp-groups: 300
>>       toserver-src-groups: 200
>>       toserver-dst-groups: 400
>>       toserver-sp-groups: 200
>>       toserver-dp-groups: 200
>>   - sgh-mpm-context: full
>>   - inspection-recursion-limit: 3000
>>
>> mpm-algo: ac
>>
>> Now, if I change the sgh-mpm-context to 'auto' it can start, using
>> around 40GB of memory. Does it mean that auto = single?
>>
>> I'm kind of concerned that rules cannot fit in the memory with
>> sgh-mpm-context set to full and the settings presented. Should I be?
>> :)
>>
>> What is better - use profile: high and context: full (if it fits) or
>> profile: custom with settings presented and sgh-mpm-context: auto?
>>
>> --
>> Michał Purzyński
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
>
>
>
>
> --
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
>



-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141105/9103eb77/attachment-0002.html>

More information about the Oisf-users mailing list