[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM
Duane Howard
duane.security at gmail.com
Thu Dec 3 22:05:02 UTC 2015
So the 'related' bug is still open, and targeted to 'Soon' does this mean
we should expect a rewrite or refactoring of how the grouping works in 3.0,
or somewhere further down the line?
On Wed, Nov 5, 2014 at 7:33 AM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> I had this issue as well. setting sgh-mpm-context to full and my 132gb of
> RAM would disappear without suricata fully starting.
> I assume if setting this to full would increase performance if you have
> sufficient hardware.
>
> My ruleset is 20k rules. :)
>
> > Date: Wed, 5 Nov 2014 11:24:01 +0100
> > From: petermanev at gmail.com
> > To: lists at inliniac.net
> > CC: oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM
>
> >
> > On Wed, Nov 5, 2014 at 10:28 AM, Victor Julien <lists at inliniac.net>
> wrote:
> > > On 11/05/2014 08:11 AM, Peter Manev wrote:
> > >>> I'm kind of concerned that rules cannot fit in the memory with
> > >>> > sgh-mpm-context set to full and the settings presented. Should I
> be?
> > >>> > :)
> > >> There is a bug at the moment when using full with over 10k rules - it
> just ends up eating all the memory.
> > >
> > > What bug is this?
> > >
> >
> > Tightly related to -
> > https://redmine.openinfosecfoundation.org/issues/1202#change-4344
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Training now available: http://suricata-ids.org/training/
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151203/55ab6e22/attachment.html>
More information about the Oisf-users
mailing list