[Oisf-users] HTTP Sessions and resource estimation

Cooper F. Nelson cnelson at ucsd.edu
Thu Mar 19 18:22:16 UTC 2015


Say you have lots of customers watching streaming video over HTTP (like
Netflix).  Each video stream will ultimately consume 20MB of memory
before suricata stops tracking it and releases the memory.

I also do a bit of performance analysis for HTTP proxy/cache design and
it turns out that the vast majority (over 99%) of HTTP objects are under
1 MB in size, so you really aren't getting much from tracking past that.
I understand that TCP connections are often left open and recycled, but
most 'interesting' packets from a network security perspective are going
to be within the first MB of new flows.  In fact, most of the ET HTTP
sigs (other than the WEB_CLIENT sigs) will only trigger against the
first few packets, if at all.

-Coop

On 3/19/2015 10:54 AM, Yasha Zislin wrote:
> Can you explain what it is, and how it affects memory utilization?
> Thanks.
>> Date: Thu, 19 Mar 2015 09:29:12 -0700
>> From: cnelson at ucsd.edu
>> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] HTTP Sessions and resource estimation
> I think that is too high a stream reassembly depth. Try 1mb instead.
> On 3/19/2015 7:19 AM, Yasha Zislin wrote:
>> My stream reassembly depth is set to 20mb. I forget why it is so high,
>> but I've made it to minimize packet loss.
>> I am monitoring two span ports (about 1gig each) and my 40 logical
>> CPUs/140 gigs of RAM server is using 95% of RAM.
>> I thought Suricata was able to handle 10 gig feeds. Just trying to
>> understand what I am doing wrong.
>> Thanks.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
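Added example, not from the thread or from Coop's actual configuration: the suricata.yaml stream settings that the discussion is about, showing the 20mb reassembly depth Yasha described beside the 1mb depth Coop suggests, plus the reassembly memcap that bounds total memory. The memcap values and the libhtp body limits are illustrative assumptions, not values anyone in the thread stated.

```yaml
# Constructed fragment (assumption): the configuration as Yasha described it.
# Each tracked stream can be reassembled up to 'depth' before Suricata stops
# tracking it, so long-lived HTTP video flows each grow toward 20mb.
stream:
  memcap: 64mb             # illustrative; caps stream-tracking structures
  reassembly:
    memcap: 256mb          # illustrative; hard cap on total reassembly memory
    depth: 20mb            # per-stream reassembly depth -> high RAM pressure
---
# Constructed fragment (assumption): the setting Coop recommends instead.
# Over 99% of HTTP objects are under 1mb (per the thread), and most ET HTTP
# signatures fire on the first few packets, so little detection is lost.
stream:
  memcap: 64mb
  reassembly:
    memcap: 256mb
    depth: 1mb             # stop reassembling after the first MB of each flow
---
# Related, separate knob (assumption: values shown are illustrative): HTTP
# body inspection limits in libhtp. These cap how much of a request/response
# body is buffered for HTTP-layer inspection, independent of stream depth.
app-layer:
  protocols:
    http:
      libhtp:
        default-config:
          request-body-limit: 100kb
          response-body-limit: 100kb
```

After changing the depth, compare the stream and reassembly memcap counters in stats.log before and after to confirm the memory drop and that the memcap is no longer being hit.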
