[Oisf-users] file truncated

Tom DeCanio decanio.tom at gmail.com
Tue Apr 21 16:23:56 UTC 2015


As an experiment you may want to turn off the MD5 calculation.  It's
extremely compute intensive and believe it or not runs single threaded
within the library where the calculations occur.  I owe Victor a patch to
avoid the single thread behavior.  If this helps you out I'll look into
making the match available.

Tom

On Tue, Apr 21, 2015 at 9:05 AM, Miso Mijatovic <mmijatovic at sorint.it>
wrote:

> Hi,
>
> > Have you done any tuning of the suricata.yaml?
>
> yes, in addition to
>
> stream.checksum_validation no
> stream.reassembly.depth 0
> libhtp.default-config.request-body-limit 0
> libhtp.default-config.response-body-limit 0
>
> I commented the part about eth0 in the afpacket section because it is not
> a traffic interface;
> I enabled the file-store (with force md5, force magic and waldo) and
> file-log (with force md5 and force magic);
> I increased the stream memcap from default 32mb to 128mb;
> I decreased the reassembly memcap from default 128mb to 64mb.
>
> > What type of traffic and how much of it are you inspecting on what HW ?
>
> I am inspecting 80/90 Mb of clients' normal internet traffic, my hw has 12
> Gb RAM on 8 processors.
>
> Regards,
> Miso Mijatovic
>
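
The experiment suggested in the reply, written out as a suricata.yaml fragment. This is an added example, not configuration posted by either participant. It assumes the `outputs` layout of the Suricata 2.0-era default suricata.yaml; the `log-dir`, `filename` and `waldo` values are constructed placeholders.

```yaml
# Added example: file-store and file-log with MD5 hashing switched off,
# leaving the other options described in the quoted message unchanged.
outputs:
  - file-store:
      enabled: yes
      log-dir: files          # placeholder directory name
      force-magic: yes        # unchanged from the quoted setup
      # Setup described in the thread:
      # force-md5: yes
      # Experiment: stop hashing every stored file.
      force-md5: no
      waldo: file.waldo       # placeholder waldo file name

  - file-log:
      enabled: yes
      filename: files-json.log  # placeholder log file name
      append: yes
      force-magic: yes          # unchanged from the quoted setup
      # Setup described in the thread:
      # force-md5: yes
      # Experiment: omit the MD5 field from file-log records.
      force-md5: no
```

With `force-md5: no` in both outputs, MD5 is still calculated for files that a loaded rule inspects with the `filemd5` keyword, so check the ruleset before comparing CPU load or truncation counts.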