[Oisf-users] file truncated

Peter Manev petermanev at gmail.com
Wed Apr 22 07:18:06 UTC 2015


On Tue, Apr 21, 2015 at 6:05 PM, Miso Mijatovic <mmijatovic at sorint.it> wrote:
> Hi,
>
>> Have you done any tuning of the suricata.yaml?
>
> yes, in addition to
>
> stream.checksum_validation no
> stream.reassembly.depth 0
> libhtp.default-config.request-body-limit 0
> libhtp.default-config.response-body-limit 0
>
> I commented out the part about eth0 in the af-packet section because it is not a traffic interface;
> I enabled the file-store (with force-md5, force-magic and waldo) and file-log (with force-md5 and force-magic);

For starters I think those are low -
> I increased the stream memcap from the default 32mb to 128mb;

I think you can try setting this to 512mb

> I decreased the reassembly memcap from the default 128mb to 64mb.

and this to 1024mb

>
>> What type of traffic and how much of it are you inspecting on what HW ?
>
> I am inspecting 80/90 Mb of clients' normal internet traffic; my HW has 12 Gb RAM on 8 processors.

You should also try the other suggestions on this thread (putting a
cap on stream.reassembly.depth and limiting the stream gaps and memcap
drops).

>
> Regards,
> Miso Mijatovic



-- 
Regards,
Peter Manev
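As an added example (not part of this thread), the settings discussed above collected into one suricata.yaml fragment in the 2.0-era layout, with the thread's values commented out beside the suggested ones; the 8mb depth cap and the output paths are assumptions.

```yaml
# Added example, not from the thread: suricata.yaml (2.0-era layout)
# with the values discussed above. Commented-out lines show the
# thread's settings; the 8mb depth cap and the paths are assumptions.
stream:
  # memcap: 128mb          # raised from the 32mb default in the thread
  memcap: 512mb            # suggested value
  checksum-validation: no  # the "stream.checksum_validation no" above
  reassembly:
    # memcap: 64mb         # lowered from the 128mb default in the thread
    memcap: 1024mb         # suggested value
    # depth: 0             # 0 = unlimited; can exhaust memcap and drop segments
    depth: 8mb             # assumed cap; extraction stops for files beyond it

libhtp:
  default-config:
    request-body-limit: 0    # 0 = no limit, as in the thread
    response-body-limit: 0

outputs:
  - file-store:
      enabled: yes
      log-dir: files           # assumed path, relative to default-log-dir
      force-magic: yes         # log libmagic type for every stored file
      force-md5: yes           # log md5 for every stored file
      waldo: file.waldo        # keeps the file_id counter across restarts
  - file-log:
      enabled: yes
      filename: files-json.log # assumed filename
      append: yes
      force-magic: yes
      force-md5: yes
```

After restarting, the `tcp.segment_memcap_drop` and `tcp.reassembly_gap` counters in stats.log show whether memcap drops or stream gaps are still the reason stored files come out truncated.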
