[Oisf-users] Max number of flows/flowints

Renato Fontana renatocfontana at gmail.com
Fri Apr 28 13:15:02 UTC 2017


Quick question regarding flowbit usage.
Does Suricata load rules with missing flowbit:set and/or flowbit:isset?

I know Snort outputs warnings when one verification is missing.
flowbits key 'X' is set but not ever checked. (flowbits:isset)
flowbits key 'Y' is checked but not ever set. (flowbit:set)

I'm not sure if these rules are still loaded when Suricata starts or
if they are skipped.

Thanks!


2016-10-18 11:11 GMT+02:00 Victor Julien <lists at inliniac.net>:

> On 18-10-16 07:56, Amin Saba wrote:
> > Are there any artificial limits on the maximum number of flows an
> > instance of suricata can handle?
>
> The only limit is your flow.memcap setting or your available memory,
> whichever comes first.
>
> Performance will depend on your hash table size.
>
> > What about the number of flowbits/flowints defined over those flows?
>
> This is only limited by available memory.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
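An offline check for the two conditions in the Snort warnings quoted in the message above (a bit that is set but never checked, and a bit that is checked but never set), as an added example that is not part of the original thread and is not Suricata or Snort code. The rules and the `demo.*` bit names are constructed, the function name `audit_flowbits` is hypothetical, and the parser assumes one rule per line.

```python
import re
from collections import defaultdict

# One flowbits option, e.g. "flowbits:set,demo.login;" or "flowbits:noalert;"
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+?))?\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
WRITERS = {"set", "toggle"}       # actions that can turn a bit on
READERS = {"isset", "isnotset"}   # actions that test a bit ("unset" is ignored)

# Constructed sample rules (not from the thread); the last one is disabled.
SAMPLE_RULES = r'''
alert http any any -> any any (msg:"constructed: login seen"; content:"POST"; flowbits:set,demo.login; flowbits:noalert; sid:1000001; rev:1;)
alert http any any -> any any (msg:"constructed: after login"; flowbits:isset,demo.login; content:"/admin"; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"constructed: orphan setter"; flowbits:set,demo.unused; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"constructed: orphan checker"; flowbits:isset,demo.never_set; sid:1000004; rev:1;)
# alert tcp any any -> any any (msg:"constructed: disabled"; flowbits:set,demo.never_set; sid:1000005; rev:1;)
'''

def audit_flowbits(rules_text):
    """Return (set_not_checked, checked_not_set) as dicts of bit name -> sorted sids."""
    writers, readers = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):    # skip blanks and disabled rules
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else -1      # -1 marks a rule without a sid
        for action, names in FLOWBITS_RE.findall(line):
            if not names:                       # e.g. flowbits:noalert;
                continue
            for name in names.split("|"):       # "a|b" names several bits at once
                name = name.strip()
                if action in WRITERS:
                    writers[name].add(sid)
                elif action in READERS:
                    readers[name].add(sid)
    set_not_checked = {n: sorted(s) for n, s in writers.items() if n not in readers}
    checked_not_set = {n: sorted(s) for n, s in readers.items() if n not in writers}
    return set_not_checked, checked_not_set

if __name__ == "__main__":
    unchecked, unset = audit_flowbits(SAMPLE_RULES)
    for name, sids in unchecked.items():
        print(f"flowbits key '{name}' is set but never checked (sids {sids})")
    for name, sids in unset.items():
        print(f"flowbits key '{name}' is checked but never set (sids {sids})")
```

Running it against the enabled rule files before a reload shows which signatures depend on a bit that no enabled rule can set, independent of how the engine itself treats them at load time.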