Bug #768: detect-engine custom profiling - high traffic - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #768

closed

detect-engine custom profiling - high traffic

Added by Peter Manev about 11 years ago. Updated almost 8 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hi,

In yaml - custom profiling section:

detect-engine:

  - profile: medium

  - custom-values:

      toclient-src-groups: 2

      toclient-dst-groups: 2

      toclient-sp-groups: 2

      toclient-dp-groups: 3

      toserver-src-groups: 2

      toserver-dst-groups: 4

      toserver-sp-groups: 2

      toserver-dp-groups: 25

  - sgh-mpm-context: auto

  - inspection-recursion-limit: 3000

a change from medium to high - initiates a stop/crash cause we run out of memory (32G RAM) on 6K rules.
a change from medium to custom (with custom having variables (20,200) much bigger than "high") - no difference in mem consumption.. the same as in medium.
This is reproducible only on a high traffic monitoring interface.

I can share privately the yaml and more info.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #768

detect-engine custom profiling - high traffic

Updated by Victor Julien over 10 years ago

Updated by Andreas Herz almost 8 years ago

Updated by Andreas Herz almost 8 years ago