[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM
Cooper F. Nelson
cnelson at ucsd.edu
Wed Nov 5 14:42:28 UTC 2014
My usual rule is to leave a config at "auto" if I don't understand what
it does. These are my current settings, which are working well given
our hardware is over-subscribed at the moment:
> detect-engine:
> - profile: high
> - sgh-mpm-context: auto
> - inspection-recursion-limit: 3000
> - rule-reload: true
> - delayed-detect: no
-Coop
On 11/5/2014 6:30 AM, Brandon Lattin wrote:
> As far as I know, there's no reason not to use 'single' if your box can
> keep up with the traffic.
>
> We used 'full' and a smaller ruleset because our older boxes couldn't
> keep up. I'm testing newer machines over the next month, and am planning
> on running in 'single' mode.
>
> Maybe Victor or Cooper can weigh in.
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042