[Oisf-users] Max number of flows/flowints

Peter Manev petermanev at gmail.com
Sat Apr 29 08:28:18 UTC 2017



> On 28 Apr 2017, at 15:15, Renato Fontana <renatocfontana at gmail.com> wrote:
> 
> Quick question regarding flowbit usage. 
> Does suricata loads rules with missing flowbit:set and/or flowbit:isset? 
> 
> I know snort outputs warnings when one verification is missing.  
> flowbits key 'X' is set but not ever checked. (flowbits:isset)
> flowbits key 'Y' is checked but not ever set. (flowbit:set)
> 
> I'm not sure if these rule are still loaded when running Suricata starts or if they are skipped.
> 

Suricata will output a warning - but you can also see/double check that from the command line when starting suricata or from suricata.log



> Thanks!
> 
> 
> 2016-10-18 11:11 GMT+02:00 Victor Julien <lists at inliniac.net>:
>> On 18-10-16 07:56, Amin Saba wrote:
>> > Are there any artificial limits on the maximum number of flows an
>> > instance of suricata can handle?
>> 
>> The only limit is your flow.memcap setting or your available memory,
>> which ever comes first.
>> 
>> Performance will depend on your hash table size.
>> 
>> > What about the number of flowbits/flowints defined over those flows?
>> 
>> This is only limited by available memory.
>> 
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>> 
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170429/fc484787/attachment-0002.html>


More information about the Oisf-users mailing list