[Oisf-users] Max number of flows/flowints
Peter Manev
petermanev at gmail.com
Sat Apr 29 08:28:18 UTC 2017
> On 28 Apr 2017, at 15:15, Renato Fontana <renatocfontana at gmail.com> wrote:
>
> Quick question regarding flowbit usage.
> Does Suricata load rules with missing flowbit:set and/or flowbit:isset?
>
> I know snort outputs warnings when one verification is missing.
> flowbits key 'X' is set but not ever checked. (flowbits:isset)
> flowbits key 'Y' is checked but not ever set. (flowbit:set)
>
> I'm not sure if these rules are still loaded when Suricata starts or if they are skipped.
>
Suricata will output a warning - but you can also see/double-check that from the command line when starting Suricata or from suricata.log.
> Thanks!
>
>
> 2016-10-18 11:11 GMT+02:00 Victor Julien <lists at inliniac.net>:
>> On 18-10-16 07:56, Amin Saba wrote:
>> > Are there any artificial limits on the maximum number of flows an
>> > instance of suricata can handle?
>>
>> The only limit is your flow.memcap setting or your available memory,
>> whichever comes first.
>>
>> Performance will depend on your hash table size.
>>
>> > What about the number of flowbits/flowints defined over those flows?
>>
>> This is only limited by available memory.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
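
An added example, not part of the thread and not Suricata's own logic: a small Python check that reports flowbits names that are set but never checked, or checked but never set, in a rule file before it is loaded. The sample rules and sids are constructed, and the script assumes one rule per line.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from the thread); one rule per line is assumed.
SAMPLE_RULES = r'''
alert http any any -> any any (msg:"stage 1"; content:"/login"; flowbits:set,seen.login; flowbits:noalert; sid:1000001;)
alert http any any -> any any (msg:"stage 2"; flowbits:isset,seen.login; content:"admin"; sid:1000002;)
alert tcp any any -> any any (msg:"orphan setter"; flowbits:set,never.checked; sid:1000003;)
alert tcp any any -> any any (msg:"orphan checker"; flowbits:isset,never.set; sid:1000004;)
# alert tcp any any -> any any (msg:"disabled"; flowbits:set,ignored; sid:1000005;)
'''

# flowbits:<action>[,<name>];  ("noalert" carries no name)
FLOWBITS = re.compile(r'flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+?))?\s*;')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
SETTERS = {"set", "toggle"}        # actions that can turn a bit on
CHECKERS = {"isset", "isnotset"}   # actions that test a bit


def audit_flowbits(rules_text):
    """Return flowbits names lacking a matching setter or checker, with the sids using them."""
    set_by, checked_by = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):   # skip blanks and disabled rules
            continue
        m = SID.search(line)
        sid = int(m.group(1)) if m else 0      # 0 marks a rule without a sid
        for action, name in FLOWBITS.findall(line):
            name = name.strip()
            if not name:
                continue
            if action in SETTERS:
                set_by[name].add(sid)
            elif action in CHECKERS:
                checked_by[name].add(sid)
    return {
        "set_not_checked": {n: sorted(s) for n, s in set_by.items() if n not in checked_by},
        "checked_not_set": {n: sorted(s) for n, s in checked_by.items() if n not in set_by},
    }


if __name__ == "__main__":
    for kind, names in audit_flowbits(SAMPLE_RULES).items():
        for name, sids in names.items():
            print(f"{kind}: flowbits key '{name}' in sid(s) {sids}")
```
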