[Oisf-users] file truncated
Peter Manev
petermanev at gmail.com
Wed Apr 22 07:18:06 UTC 2015
On Tue, Apr 21, 2015 at 6:05 PM, Miso Mijatovic <mmijatovic at sorint.it> wrote:
> Hi,
>
>> Have you done any tuning of the suricata.yaml?
>
> Yes, in addition to
>
> stream.checksum_validation no
> stream.reassembly.depth 0
> libhtp.default-config.request-body-limit 0
> libhtp.default-config.response-body-limit 0
>
> I commented the part about eth0 in the afpacket section because it is not a traffic interface;
> I enabled the file-store (with force md5, force magic and waldo) and file-log (with force md5 and force magic);

For starters I think those are low -

> I increased the stream memcap from default 32mb to 128mb;

I think you can try setting this to 512mb

> I decreased the reassembly memcap from default 128mb to 64mb.

and this to 1024mb

>
>> What type of traffic and how much of it are you inspecting on what HW ?
>
> I am inspecting 80/90 Mb of clients' normal internet traffic, my hw has 12 Gb RAM on 8 processors.

You should also try the other suggestions on this thread (putting a
cap on stream.reassembly.depth and limiting the stream gaps and memcap
drops)

>
> Regards,
> Miso Mijatovic
--
Regards,
Peter Manev
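
The reply above points at stream gaps and memcap drops as the thing to limit when extracted files come out truncated. The following is an added example, not part of the original message or of Suricata itself, that totals those counters per stats.log dump and shows whether they are still growing after a memcap change. The counter names and the three-column `Counter | TM Name | Value` layout are assumed to match the Suricata 2.x stats.log, and the sample data is constructed.

```python
from collections import defaultdict

# Counters that indicate reassembly data loss (names assumed from Suricata 2.x).
WATCH = ("tcp.segment_memcap_drop", "tcp.ssn_memcap_drop", "tcp.reassembly_gap")

# Constructed sample, not taken from the thread: two dumps, two capture threads.
SAMPLE = """\
Date: 4/22/2015 -- 07:10:00 (uptime: 0d, 00h 10m 00s)
Counter                   | TM Name                   | Value
tcp.segment_memcap_drop   | AFPacketeth11             | 100
tcp.segment_memcap_drop   | AFPacketeth12             | 50
tcp.reassembly_gap        | AFPacketeth11             | 7
Date: 4/22/2015 -- 07:10:08 (uptime: 0d, 00h 10m 08s)
Counter                   | TM Name                   | Value
tcp.segment_memcap_drop   | AFPacketeth11             | 400
tcp.segment_memcap_drop   | AFPacketeth12             | 150
tcp.ssn_memcap_drop       | AFPacketeth11             | 0
tcp.reassembly_gap        | AFPacketeth11             | 7
"""

def parse_dumps(text):
    """Return one {counter: total across threads} dict per stats dump."""
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append(defaultdict(int))  # a new dump starts here
            continue
        parts = [p.strip() for p in line.split("|")]
        # Skip separators, the header row, and anything before the first dump.
        if len(parts) != 3 or not dumps or not parts[2].isdigit():
            continue
        dumps[-1][parts[0]] += int(parts[2])
    return dumps

def loss_report(text):
    """Return {counter: (latest total, growth since the previous dump)}."""
    dumps = parse_dumps(text)
    if not dumps:
        return {}
    last = dumps[-1]
    prev = dumps[-2] if len(dumps) > 1 else {}
    return {c: (last.get(c, 0), last.get(c, 0) - prev.get(c, 0)) for c in WATCH}

if __name__ == "__main__":
    for counter, (total, delta) in loss_report(SAMPLE).items():
        flag = "  <-- still growing" if delta > 0 else ""
        print(f"{counter:26} total={total:<8} delta={delta}{flag}")
```

A delta that stays above zero after raising the stream and reassembly memcaps means segments are still being dropped, so truncated files should still be expected.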