Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Suricata RAM for multiple processors/cores?

    IDS/IPS
    2
    2
    413
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      Greg_E last edited by

      I'm just getting started with my pfSense system, and just got Suricata running yesterday. I started it after a reboot yesterday and left it running (default memory settings). Came in to work today and it updated the rules but was not running on the WAN interface (only configured right now).

      After a little google, I found that I needed to adjust the amount of RAM in a few areas. So I just kind of threw a pile at each entry in hopes that I could get it started on the interface again. Can someone help me understand where I can trim some of these gross adjustments, or doesn't it matter as long as I have plenty RAM?

      here's what I have:
      Fragmentation Memory Cap
      433554432

      Flow Memory Cap
      433554432

      Stream Memory Cap
      467108864

      Reassembly Memory Cap
      167108864

      Reassembly Depth
      10048576

      And hopefully a screen cap from the status page for the server info, this server is very old, but what I had with the budget available (none). Will upgrade to a CPU with AES-NI when budget allows and this proves that it will do what we need. 16GB of RAM, I can probably add another 4GB if really needed.
      Capture1.PNG

      1 Reply Last reply Reply Quote 0
      • bmeeks
        bmeeks last edited by

        A high core count CPU like you have will definitely need more memory allocated for the TCP Stream Memory Cap. With 8 cores I would start with 256 MB and test upwards from there. The parameter is found on the FLOW/STREAM tab.

        View the suricata.log file for the interface on the LOGS VIEW tab to see if you are hitting a Stream Memory Cap limit.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post

        Products

        • Platform Overview
        • TNSR
        • pfSense Plus
        • Appliances

        Services

        • Training
        • Professional Services

        Support

        • Subscription Plans
        • Contact Support
        • Product Lifecycle
        • Documentation

        News

        • Media Coverage
        • Press
        • Events

        Resources

        • Blog
        • FAQ
        • Find a Partner
        • Resource Library
        • Security Information

        Company

        • About Us
        • Careers
        • Partners
        • Contact Us
        • Legal
        Our Mission

        We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

        Subscribe to our Newsletter

        Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

        © 2021 Rubicon Communications, LLC | Privacy Policy