[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM

Peter Manev petermanev at gmail.com
Thu Dec 3 22:12:16 UTC 2015


On Thu, Dec 3, 2015 at 11:05 PM, Duane Howard <duane.security at gmail.com> wrote:
> So the 'related' bug is still open, and targeted to 'Soon'. Does this mean we
> should expect a rewrite or refactoring of how the grouping works in 3.0, or
> somewhere further down the line?

There is work already done with regards to grouping -
https://github.com/inliniac/suricata/tree/dev-detect-grouping-v170
Feedback is welcome.

With the tests so far - it shows very good performance improvement and
minimal impact on memory (as compared to the old one).
It will most likely be post 3.0.

>
> On Wed, Nov 5, 2014 at 7:33 AM, Yasha Zislin <coolyasha at hotmail.com> wrote:
>>
>> I had this issue as well. Setting sgh-mpm-context to full and my 132gb of
>> RAM would disappear without suricata fully starting.
>> I assume setting this to full would increase performance if you have
>> sufficient hardware.
>>
>> My ruleset is 20k rules. :)
>>
>> > Date: Wed, 5 Nov 2014 11:24:01 +0100
>> > From: petermanev at gmail.com
>> > To: lists at inliniac.net
>> > CC: oisf-users at lists.openinfosecfoundation.org
>> > Subject: Re: [Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of
>> > RAM
>>
>> >
>> > On Wed, Nov 5, 2014 at 10:28 AM, Victor Julien <lists at inliniac.net>
>> > wrote:
>> > > On 11/05/2014 08:11 AM, Peter Manev wrote:
>> > >>> I'm kind of concerned that rules cannot fit in the memory with
>> > >>> > sgh-mpm-context set to full and the settings presented. Should I
>> > >>> > be?
>> > >>> > :)
>> > >> There is a bug at the moment when using full with over 10k rules - it
>> > >> just ends up eating all the memory.
>> > >
>> > > What bug is this?
>> > >
>> >
>> > Tightly related to -
>> > https://redmine.openinfosecfoundation.org/issues/1202#change-4344
>> >
>> >
>> >
>> > --
>> > Regards,
>> > Peter Manev
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Training now available: http://suricata-ids.org/training/
>>
>
>



-- 
Regards,
Peter Manev


