Suricata RAM for multiple processors/cores?

Greg_E

I'm just getting started with my pfSense system, and just got Suricata running yesterday. I started it after a reboot yesterday and left it running (default memory settings). Came in to work today and it updated the rules but was not running on the WAN interface (only configured right now).

After a little google, I found that I needed to adjust the amount of RAM in a few areas. So I just kind of threw a pile at each entry in hopes that I could get it started on the interface again. Can someone help me understand where I can trim some of these gross adjustments, or doesn't it matter as long as I have plenty RAM?

here's what I have:
Fragmentation Memory Cap
433554432

Flow Memory Cap
433554432

Stream Memory Cap
467108864

Reassembly Memory Cap
167108864

Reassembly Depth
10048576

And hopefully a screen cap from the status page for the server info, this server is very old, but what I had with the budget available (none). Will upgrade to a CPU with AES-NI when budget allows and this proves that it will do what we need. 16GB of RAM, I can probably add another 4GB if really needed.

bmeeks

A high core count CPU like you have will definitely need more memory allocated for the TCP Stream Memory Cap. With 8 cores I would start with 256 MB and test upwards from there. The parameter is found on the FLOW/STREAM tab.

View the suricata.log file for the interface on the LOGS VIEW tab to see if you are hitting a Stream Memory Cap limit.