[Oisf-users] Number of handles used by suricata

Ruslan Usmanov ruslanuxml at gmail.com
Tue Dec 5 18:22:36 UTC 2017


You are right, I'm on Windows 10 x64.

On Tue, Dec 5, 2017 at 1:19 PM, Victor Julien <lists at inliniac.net> wrote:

> On 05-12-17 19:07, Ruslan Usmanov wrote:
> > Is the number of open handles by suricata an area of concern?
> >
> > I noticed when suricata is running with default configuration (max-frags
> > = 65535 with prealloc, flow hash_size = 65536), the process keeps open
> > 220,000 handles.
> >
> > By bringing down the number of these items, we can save up to 200k handles
> > on the system. I understand the reason is that each defrag and flow
> > requires its own mutex and handle.
> >
> > What are you doing: just ignoring the number of open handles, or using
> > lower values? And what is the recommended number of defrags/flows, keeping
> > in mind we still want to keep the system protected?
>
> I've really only seen this to be an issue on Windows (cygwin). In Linux
> a mutex isn't really a handle with the OS.
>
> For Windows I do have a test branch that uses a pool of mutexes instead
> of a mutex per object. Could revive that if there is interest.
>
> What OS are you on?
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
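The "pool of mutexes instead of a mutex per object" idea mentioned in the thread, sketched as an added example. This is not code from the thread or from Suricata's test branch; `DemoFlow`, the pool size of 256 and the hash are assumptions, and POSIX threads stand in for the platform's mutex type. It also handles the case that pooling introduces: two objects that share a slot must not lock it twice.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>

#define POOL_SIZE  256u    /* assumed pool size (power of two) */
#define FLOW_COUNT 65536u  /* flow hash_size quoted in the thread */

typedef struct { uint64_t pkts; } DemoFlow;  /* hypothetical object, not Suricata's Flow */
static pthread_mutex_t pool[POOL_SIZE];
static DemoFlow flows[FLOW_COUNT];

/* Map an object index to a pool slot (multiplicative hash, top 8 bits). */
size_t pool_slot(uint32_t idx) {
    return (((uint32_t)(idx * 2654435761u)) >> 24) & (POOL_SIZE - 1u);
}

/* Returns the number of lock objects created: POOL_SIZE, not FLOW_COUNT. */
int pool_init(void) {
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (pthread_mutex_init(&pool[i], NULL) != 0) return -1;
    return (int)POOL_SIZE;
}

void flow_count(uint32_t idx) {
    pthread_mutex_t *m = &pool[pool_slot(idx)];
    pthread_mutex_lock(m);
    flows[idx].pkts++;
    pthread_mutex_unlock(m);
}

/* Lock two flows; returns how many mutexes were taken. */
int flow_lock_pair(uint32_t a, uint32_t b) {
    size_t sa = pool_slot(a), sb = pool_slot(b);
    size_t lo = sa < sb ? sa : sb, hi = sa < sb ? sb : sa;
    pthread_mutex_lock(&pool[lo]);  /* fixed slot order avoids AB/BA deadlock */
    if (hi == lo) return 1;         /* shared slot: relocking would hang this thread */
    pthread_mutex_lock(&pool[hi]);
    return 2;
}

void flow_unlock_pair(uint32_t a, uint32_t b) {
    size_t sa = pool_slot(a), sb = pool_slot(b);
    pthread_mutex_unlock(&pool[sa]);
    if (sb != sa) pthread_mutex_unlock(&pool[sb]);
}

/* Move the packet count of one flow into another under both locks. */
uint64_t flow_merge(uint32_t from, uint32_t to) {
    flow_lock_pair(from, to);
    uint64_t moved = flows[from].pkts;
    flows[from].pkts = 0;
    flows[to].pkts += moved;
    uint64_t total = flows[to].pkts;
    flow_unlock_pair(from, to);
    return total;
}

int main(void) { return pool_init() == (int)POOL_SIZE ? 0 : 1; }
```

The trade-off is contention: unrelated flows that hash to the same slot now wait on each other, so the pool size sets the balance between lock count and parallelism.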