[Oisf-users] detect engine settings

Charles Devoe Charles.Devoe at cisecurity.org
Tue Oct 24 12:24:33 UTC 2017


The documentation states that I should set the following for a high-performance situation:


detect:
  profile: custom
  custom-values:
    toclient-groups: 200
    toserver-groups: 200
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000

The suricata.yaml file has the following values:

detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000




I have a couple of questions here:

1.  What are the src, dst, sp, and dp fields? I suspect those are source and destination IP and source and destination port.
2.  What are the recommended values?


Charles DeVoe Jr.
Manager of Engineering
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061

charles.devoe at cisecurity.org
(518) 266-3494
7x24 Security Operations Center
SOC at cisecurity.org - 1-866-787-4722


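The two snippets in the post use different layouts: the running suricata.yaml carries the older `detect-engine:` list of one-key maps with per-direction src/dst/sp/dp group counts, while the documented block is the newer `detect:` mapping with a single group count per direction. The added example below (not from the post or the Suricata project) normalises either layout into one flat mapping and reports where a deployed config differs from the documented high-performance values; it assumes the deployed file is in the legacy list layout and embeds both snippets as constructed Python structures, shaped like what a YAML loader would return, so it runs offline.

```python
"""Normalise Suricata detect settings from the legacy `detect-engine:`
list-of-maps layout or the newer `detect:` mapping layout, then compare the
result against the documented high-performance values."""

# Constructed sample: the deployed suricata.yaml from the post, in the
# legacy list-of-one-key-maps layout (assumption: this is the old layout).
LEGACY_DETECT_ENGINE = [
    {"profile": "medium"},
    {"custom-values": {
        "toclient-src-groups": 2, "toclient-dst-groups": 2,
        "toclient-sp-groups": 2, "toclient-dp-groups": 3,
        "toserver-src-groups": 2, "toserver-dst-groups": 4,
        "toserver-sp-groups": 2, "toserver-dp-groups": 25}},
    {"sgh-mpm-context": "auto"},
    {"inspection-recursion-limit": 3000},
]

# Constructed sample: the documented high-performance block from the post.
DOCUMENTED_HIGH_PERF = {
    "profile": "custom",
    "custom-values": {"toclient-groups": 200, "toserver-groups": 200},
    "sgh-mpm-context": "auto",
    "inspection-recursion-limit": 3000,
}


def normalise(detect_cfg):
    """Return a flat mapping for either layout: a list of one-key maps
    (legacy) is merged, a plain mapping (current) is copied as-is."""
    if isinstance(detect_cfg, dict):
        return dict(detect_cfg)
    if not isinstance(detect_cfg, list):
        raise TypeError("detect config must be a list or a mapping")
    merged = {}
    for item in detect_cfg:
        if not isinstance(item, dict) or len(item) != 1:
            raise ValueError(f"unexpected detect-engine item: {item!r}")
        merged.update(item)
    return merged


def diff_against(cfg, reference):
    """Return (key, have, want) tuples where cfg differs from reference,
    descending one level into nested mappings such as custom-values."""
    flat = normalise(cfg)
    diffs = []
    for key, want in reference.items():
        have = flat.get(key)
        if isinstance(want, dict):
            for sub, sub_want in want.items():
                sub_have = (have or {}).get(sub)
                if sub_have != sub_want:
                    diffs.append((f"{key}.{sub}", sub_have, sub_want))
        elif have != want:
            diffs.append((key, have, want))
    return diffs
```

Running `diff_against(LEGACY_DETECT_ENGINE, DOCUMENTED_HIGH_PERF)` shows that the deployed file keeps the `medium` profile and has no `toclient-groups`/`toserver-groups` keys at all, which is the mismatch between the two layouts the post quotes.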

