[Oisf-users] file truncated

Peter Manev petermanev at gmail.com
Wed Apr 22 15:37:40 UTC 2015


On Wed, Apr 22, 2015 at 1:02 PM, Miso Mijatovic <mmijatovic at sorint.it> wrote:
> Hi,
>
> I increased the stream memcap and the reassembly memcap first to 512mb and 1024mb and then to 1024mb and 2048mb. I also turned off md5 calculation in file-store and file-log, and last I put a cap on stream.reassembly.depth; I tried 1mb, 10mb and 20mb.
> The news is that I sometimes get alerts matching file md5s, but only for small files (30/40 kb). However, it seems I get these alerts regardless of the values of depth and md5 calculation.

Can you please share your yaml config? (privately if you would like)

Can you please share the last entry update of your stats.log?


Thank you

>
> Regards,
> Miso Mijatovic
>
> ----- Original Message -----
> From: "Peter Manev" <petermanev at gmail.com>
> To: "Miso Mijatovic" <mmijatovic at sorint.it>
> Cc: "Cooper F. Nelson" <cnelson at ucsd.edu>, oisf-users at lists.openinfosecfoundation.org
> Sent: Wednesday, 22 April 2015 9:18:06
> Subject: Re: [Oisf-users] file truncated
>
> On Tue, Apr 21, 2015 at 6:05 PM, Miso Mijatovic <mmijatovic at sorint.it> wrote:
>> Hi,
>>
>>> Have you done any tuning of the suricata.yaml?
>>
>> Yes, in addition to
>>
>> stream.checksum_validation no
>> stream.reassembly.depth 0
>> libhtp.default-config.request-body-limit 0
>> libhtp.default-config.response-body-limit 0
>>
>> I commented out the part about eth0 in the afpacket section because it is not a traffic interface;
>> I enabled the file-store (with force md5, force magic and waldo) and file-log (with force md5 and force magic);
>
> For starters I think those are low -
>> I increased the stream memcap from default 32mb to 128mb;
>
> I think you can try setting this to 512mb
>
>> I decreased the reassembly memcap from default 128mb to 64mb.
>
> and this to 1024mb
>
>>
>>> What type of traffic and how much of it are you inspecting on what HW ?
>>
>> I am inspecting 80/90 Mb of clients' normal internet traffic; my HW has 12 Gb RAM on 8 processors.
>
> You should also try the other suggestions on this thread (putting a
> cap on stream.reassembly.depth and limiting the stream gaps and memcap
> drops)
>
>>
>> Regards,
>> Miso Mijatovic
>
>
>
> --
> Regards,
> Peter Manev



-- 
Regards,
Peter Manev
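An added example, not code from the thread or from the Suricata project: a small parser for the last dump of a Suricata 2.0-style stats.log that reports the counters behind the memcap drops, reassembly gaps and depth limit discussed above. The three-column layout and the tcp.* counter names are assumed to match the Suricata version in use, and the sample log lines are constructed.

```python
# Added example, not from the thread: parse the last counter dump of a
# Suricata 2.0-style stats.log and report the counters behind the memcap
# drops, reassembly gaps and depth limit discussed above. Column layout
# and tcp.* counter names are assumed (2.0.x style); check your own file.
import re
import sys
# Watched counters, each mapped to the setting it implicates when growing.
WATCH = {
    "tcp.ssn_memcap_drop": "stream.memcap too low",
    "tcp.segment_memcap_drop": "stream.reassembly.memcap too low",
    "tcp.reassembly_gap": "missing segments (upstream drops or memcap)",
    "tcp.stream_depth_reached": "stream.reassembly.depth truncating flows",
}
# One stats row: "counter | thread name | value"
LINE_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)$")

def last_dump(text):
    """Return the lines of the final 'Date:' block of a stats.log."""
    return re.split(r"^Date: .*$", text, flags=re.M)[-1].splitlines()

def parse_counters(lines):
    """Sum each counter over its per-thread rows (one row per thread)."""
    totals = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            name, _thread, value = m.groups()
            totals[name] = totals.get(name, 0) + int(value)
    return totals

def diagnose(text):
    """Map every non-zero watched counter to the setting it implicates."""
    totals = parse_counters(last_dump(text))
    return {k: hint for k, hint in WATCH.items() if totals.get(k, 0) > 0}

SAMPLE = """\
Date: 4/22/2015 -- 15:30:00 (uptime: 0d, 00h 10m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
tcp.segment_memcap_drop   | Detect1                   | 0
tcp.segment_memcap_drop   | Detect2                   | 512
tcp.reassembly_gap        | Detect1                   | 7
tcp.stream_depth_reached  | Detect1                   | 0
"""  # constructed sample dump, not a real capture

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for counter, hint in diagnose(text).items():
        print(f"{counter}: {hint}")
```

Run it as `python stats_check.py /var/log/suricata/stats.log`; only the last dump is read, so a counter that is already non-zero there should be compared against an earlier dump to see whether it is still growing.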


