[Oisf-users] detect engine settings
Peter Manev
petermanev at gmail.com
Tue Oct 24 13:34:38 UTC 2017
On Tue, Oct 24, 2017 at 2:24 PM, Charles Devoe
<Charles.Devoe at cisecurity.org> wrote:
> The documentation states that I should set the following for a high
> performance situation
>
Actually these should be used instead in recent stable (docs on
redmine need updating - can you please open an issue on redmine) -
https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L1299
> detect:
>   profile: custom
>   custom-values:
>     toclient-groups: 200
>     toserver-groups: 200
>   sgh-mpm-context: auto
>   inspection-recursion-limit: 3000
>
in my testing experience:
- "mpm-algo: ac-ks" runs best if you use "custom" with big
groups (5-600) and "sgh-mpm-context: full"
- If you use hyperscan you should use "profile: high" with
"sgh-mpm-context: auto"
Of course all is traffic and rule relevant so you need to try out and
see what would be optimal in your environment with regards to the HW
you use.
> The suricata.yaml file has the following values.
>
> detect-engine:
>   - profile: medium
>   - custom-values:
>       toclient-src-groups: 2
>       toclient-dst-groups: 2
>       toclient-sp-groups: 2
>       toclient-dp-groups: 3
>       toserver-src-groups: 2
>       toserver-dst-groups: 4
>       toserver-sp-groups: 2
>       toserver-dp-groups: 25
>   - sgh-mpm-context: auto
>   - inspection-recursion-limit: 3000
>
> I have a couple of questions here:
>
> 1. What are the src, dst, sp, and dp fields? I suspect those are source
> and destination IP and Source and Destination port.
>
> 2. What are the recommended values?
>
> Charles DeVoe Jr.
> Manager of Engineering
> Multi-State Information Sharing and Analysis Center (MS-ISAC)
> 31 Tech Valley Drive
> East Greenbush, NY 12061
>
> charles.devoe at cisecurity.org
> (518) 266-3494
> 7x24 Security Operations Center
> SOC at cisecurity.org - 1-866-787-4722
>
> This message and attachments may contain confidential information. If it
> appears that this message was sent to you by mistake, any retention,
> dissemination, distribution or copying of this message and attachments is
> strictly prohibited. Please notify the sender immediately and permanently
> delete the message and any attachments.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
--
Regards,
Peter Manev
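The two combinations Peter describes, written out as a suricata.yaml `detect` section using the key names from the suricata.yaml.in he links (added example for this archive page, not part of the list post or of the Suricata project's shipped configuration). The group counts of 500 are an assumption in the "5-600" range he mentions; `mpm-algo: hs` is the value that selects Hyperscan when Suricata was built with it.

```yaml
# Added example, not from the mailing-list post.
# Variant A: ac-ks pattern matcher, custom profile with large groups and
# one MPM context per signature group head.
mpm-algo: ac-ks

detect:
  profile: custom
  custom-values:
    toclient-groups: 500   # assumed value inside the "5-600" range from the reply
    toserver-groups: 500
  sgh-mpm-context: full
  inspection-recursion-limit: 3000

# Variant B: Hyperscan build. Comment out variant A above and use these
# instead (a YAML file may only contain one top-level "detect" key).
# mpm-algo: hs
# detect:
#   profile: high
#   sgh-mpm-context: auto
#   inspection-recursion-limit: 3000
```

Larger groups together with `sgh-mpm-context: full` trade memory for detection throughput, so check the result with `suricata -T -c /etc/suricata/suricata.yaml` (configuration test mode, no traffic processed) and watch resident memory at startup before rolling it out; `suricata --build-info` shows whether the binary was compiled with Hyperscan before choosing variant B.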