Suricata failing to start interface



  • So I've been using a YouTube video made by "Lawrence Systems" to set up Suricata initially before fine-tuning anything. But after trying to start the interface it runs into this issue. The system has 24 GB of RAM and I honestly don't understand the error message, so that brings me here to see if someone can explain what it is getting caught on.




  • @wafflez19
    Go to the FLOW/STREAM tab and start increasing the TCP Stream Flow Memcap setting. The default is 32 MB (if I recall correctly), but with high core-count processors the default value may need doubling or even quadrupling in order for Suricata to start. The default value works fine on dual and quad-core processors, but higher core counts need much more Stream Memory. In your case, with 16 cores, I would start with 256 MB and go up from there until Suricata starts reliably.

    Search this sub-forum for the same error (stream memcap) and you should find posts similar to yours with the solution. One of the posts in the past included the formula to use for calculating the amount of required memory based on your CPU core count.