[Oisf-users] file truncated

Cooper F. Nelson cnelson at ucsd.edu
Tue Apr 21 17:22:45 UTC 2015



I would suggest setting a cap on stream.reassembly.depth, up to the largest
size file you want to capture.  Maybe start with 1MB?

Also look into filtering out the 'elephants', like Netflix, YouTube,
etc.  If you are trying to track full streams and people are watching
video over http, you are going to encounter memory issues.

-Coop

On 4/21/2015 9:05 AM, Miso Mijatovic wrote:
> Hi,
> 
>> Have you done any tuning of the suricata.yaml?
> 
> yes, in addition to 
> 
> stream.checksum_validation no
> stream.reassembly.depth 0
> libhtp.default-config.request-body-limit 0
> libhtp.default-config.response-body-limit 0
> 
> I commented out the part about eth0 in the afpacket section because it is not a traffic interface;
> I enabled the file-store (with force md5, force magic and waldo) and file-log (with force md5 and force magic);
> I increased the stream memcap from the default 32mb to 128mb;
> I decreased the reassembly memcap from the default 128mb to 64mb.
> 
>> What type of traffic and how much of it are you inspecting on what HW ?
> 
> I am inspecting 80/90 Mb of clients' normal internet traffic; my hw has 12 GB RAM on 8 processors.
> 
> Regards,
> Miso Mijatovic
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
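The two knobs Cooper points at, written out as suricata.yaml fragments of the kind Miso is tuning: the reassembly depth (with the unlimited setting left as a commented line beside the capped one), matching libhtp body limits, and a BPF filter on the af-packet interface to keep the elephant flows out entirely. This is an added example, not configuration posted by either participant; the interface name eth1, the 1mb starting value and the two filtered address ranges (RFC 5737 documentation prefixes standing in for whatever video CDN prefixes you find in your own traffic) are assumptions.

```yaml
# Added example (not from the thread): suricata.yaml fragments for the
# settings discussed above. Values are starting points, not a known-good config.

outputs:
  - file-store:
      enabled: yes
      log-dir: files          # relative to default-log-dir
      force-magic: yes
      force-md5: yes
      waldo: file.waldo       # lets file numbering survive a restart

af-packet:
  - interface: eth1           # assumed name of the tap/span interface
    # Drop the "elephants" before Suricata ever sees them. The two ranges
    # below are RFC 5737 placeholders; replace them with the CDN prefixes
    # you identify from your own flow logs.
    bpf-filter: "not (net 192.0.2.0/24 or net 198.51.100.0/24)"

stream:
  memcap: 128mb
  reassembly:
    memcap: 64mb
    # depth: 0  means unlimited: every flow's reassembled data is tracked
    # for its whole lifetime, so a handful of long video downloads alone
    # can exhaust the reassembly memcap.
    # depth: 0
    # Cap at the largest file you actually want to extract. A flow is no
    # longer reassembled past this many bytes, so files bigger than the
    # depth come out truncated (which is the trade-off being made here).
    depth: 1mb

libhtp:
  default-config:
    # Body limits larger than the reassembly depth buy nothing, since
    # HTTP data past the depth never reaches the parser anyway.
    request-body-limit: 1mb
    response-body-limit: 1mb
```

Raise depth and the body limits together once extraction of the sizes you care about is confirmed, and check `suricata --dump-config` after editing so the values are read as intended.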