[Oisf-users] HTTP Sessions and resource estimation

Yasha Zislin coolyasha at hotmail.com
Thu Mar 19 14:19:11 UTC 2015


My flow timeouts are set as follows:

flow-timeouts:
  default:
    new: 3
    established: 30
    closed: 0
    emergency-new: 10
    emergency-established: 10
    emergency-closed: 0
  tcp:
    new: 6
    established: 100
    closed: 0
    emergency-new: 1
    emergency-established: 5
    emergency-closed: 2
  udp:
    new: 3
    established: 30
    emergency-new: 3
    emergency-established: 10
  icmp:
    new: 3
    established: 30
    emergency-new: 1
    emergency-established: 10

My stream reassembly depth is set to 20mb. I forget why it is so high, but I've made it to minimize packet loss.
I am monitoring two span ports (about 1gig each) and my 40 logical CPUs/140 gigs of RAM server is using 95% of RAM. I thought Suricata was able to handle 10 gig feeds. Just trying to understand what I am doing wrong.
Thanks.
> Date: Wed, 18 Mar 2015 15:01:48 -0700
> From: cnelson at ucsd.edu
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] HTTP Sessions and resource estimation
> 
> Probably not, you would really have to just run it and see.
> 
> The issue is that you have lots of variables you control, like stream
> depth and flow-timeouts, as well as lots of variables you do not.  Like
> the actual number and depths of flows.  The most I can say is that
> shorter stream-depth and timeout settings use less memory.
> 
> -Coop
> 
> On 3/18/2015 2:14 PM, Yasha Zislin wrote:
> >
> > Is there a way to estimate how much RAM (resources) I would need if
> > throughput and type of traffic is known?
> > 
> > 
> > I can definitely provide some config snippets of mine. Just let me know
> > which ones.
> > 
> > Thank you.
> > 
> 
> 
> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
 		 	   		  