[Oisf-users] file truncated

Peter Manev petermanev at gmail.com
Wed Apr 22 07:18:06 UTC 2015

On Tue, Apr 21, 2015 at 6:05 PM, Miso Mijatovic <mmijatovic at sorint.it> wrote:
> Hi,
>> Have you done any tuning of the suricata.yaml?
> yes, in addition to
> stream.checksum_validation no
> stream.reassembly.depth 0
> libhtp.default-config.request-body-limit 0
> libhtp.default-config.response-body-limit 0
> I commented the part about eth0 in the afpacket section because it is not a traffic interface;
> I enabled the file-store (with force md5, force magic and waldo) and file-log (with force md5 and force magic);

For starters I think those are low -
> I increased the stream memcap from default 32mb to 128mb;

I think you can try setting this to 512mb

> I decreased the reassembly memcap from default 128mb to 64mb.

and this to 1024mb

>> What type of traffic and how much of it are you inspecting on what HW ?
> I am inspecting 80/90 Mb of clients' normal internet traffic, my hw has 12 Gb RAM on 8 processors.

You should also try the other suggestions on this thread (putting a
cap on stream.reassembly.depth and limiting the stream gaps and memcap

> Regards,
> Miso Mijatovic

Peter Manev
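
One way to check whether the memcap values discussed in this message are still too low, as an added example that is not part of the original thread: it reads Suricata's stats.log and reports the drop and gap counters that accompany truncated files. The counter names are the ones Suricata writes to stats.log; the sample log text, thread names and values are constructed for illustration.

```python
# Added example, not from the original thread.
# Counters tied to the settings discussed above, as named in Suricata's stats.log.
WATCHED = {
    "tcp.ssn_memcap_drop": "stream memcap exhausted: new sessions dropped",
    "tcp.segment_memcap_drop": "reassembly memcap exhausted: segments dropped",
    "tcp.reassembly_gap": "gaps in reassembled streams: file data missing",
}

# Constructed sample: two stats.log snapshots, two capture threads.
SAMPLE_STATS = """\
-------------------------------------------------------------------
Date: 4/22/2015 -- 07:10:00 (uptime: 0d, 00h 05m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.ssn_memcap_drop       | AFPacketeth11             | 0
tcp.segment_memcap_drop   | AFPacketeth11             | 0
tcp.reassembly_gap        | AFPacketeth11             | 0
-------------------------------------------------------------------
Date: 4/22/2015 -- 07:15:00 (uptime: 0d, 00h 10m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.ssn_memcap_drop       | AFPacketeth11             | 0
tcp.segment_memcap_drop   | AFPacketeth11             | 1500
tcp.segment_memcap_drop   | AFPacketeth12             | 700
tcp.reassembly_gap        | AFPacketeth12             | 42
"""

def last_snapshot(text):
    """Return {counter: total across threads} for the final snapshot."""
    snapshots = []
    for line in text.splitlines():
        if line.startswith("Date:"):      # each snapshot starts with a Date line
            snapshots.append({})
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[2].isdigit() or not snapshots:
            continue                      # separators, column header, stray text
        name, _thread, value = parts
        snapshots[-1][name] = snapshots[-1].get(name, 0) + int(value)
    return snapshots[-1] if snapshots else {}

def truncation_suspects(text):
    """Watched counters that are non-zero in the latest snapshot."""
    totals = last_snapshot(text)
    return {n: totals[n] for n in WATCHED if totals.get(n, 0) > 0}

if __name__ == "__main__":
    for name, count in truncation_suspects(SAMPLE_STATS).items():
        print(f"{name} = {count}: {WATCHED[name]}")
```

The counters are cumulative since Suricata started, so compare the latest snapshot before and after changing a memcap rather than expecting the values to reset.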
