
Give Suricata Engine more RAM


ArminF:
Hello,
my box feels boring and has a lot of free memory.
So I thought to give DNS and Suricata more memory.

But there is no system tune option or settings on the GUI.

Is it possible to set more RAM to Suricata?

thanks
armin

siga75:
The conf file says:

# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash-size determines the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At the startup, the engine can preallocate a number of flows, to get a better
# performance. The number of flows preallocated is 10000 by default.
# emergency-recovery is the percentage of flows that the engine needs to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing to create new flows, but
# pruning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune flows
# with the default timeouts. If it doesn't find a flow to prune, it will set
# the emergency bit and it will try again with more aggressive timeouts.
# If that doesn't work, then it will try to kill the last time seen flows
# not in use.
# The memcap can be specified in kb, mb, gb.  Just a number indicates it's
# in bytes.

flow:
  memcap: 64mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30


So I guess if you don't see messages on the logs indicating you reached the memcap, then you don't need more RAM. Suricata is probably only CPU intensive; RAM should not be a big issue.
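An added example, not part of the thread or of Suricata itself: one way to check the flow memcap headroom from the engine's counters rather than from log messages. It assumes the counter names `flow.memuse` and `flow.memcap` and the pipe-separated stats.log layout; the sample dump is constructed.

```python
import re

UNITS = {"": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

# Constructed sample in the layout of Suricata's stats.log (two counter dumps).
SAMPLE_STATS = """\
Date: 2/15/2020 -- 10:00:08 (uptime: 0d, 00h 00m 08s)
Counter                    | TM Name      | Value
flow.memuse                | Total        | 8388608
Date: 2/15/2020 -- 10:00:16 (uptime: 0d, 00h 00m 16s)
Counter                    | TM Name      | Value
flow.memuse                | Total        | 16777216
"""

def memcap_bytes(value):
    """Convert a memcap such as '64mb' to bytes; a bare number is already bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*(kb|mb|gb)?\s*", str(value), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised memcap value: {value!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "").lower()]

def last_counters(stats_text):
    """Return {counter: value} for the most recent dump only."""
    counters = {}
    for line in stats_text.splitlines():
        if line.startswith("Date:"):
            counters = {}  # new dump: drop values from the previous one
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2].isdigit():
            counters[parts[0]] = int(parts[2])
    return counters

def flow_memory_report(memcap, stats_text):
    """Compare current flow memory use with the configured flow memcap."""
    counters = last_counters(stats_text)
    cap = memcap_bytes(memcap)
    used = counters.get("flow.memuse", 0)
    hits = counters.get("flow.memcap", 0)  # a counter missing from the dump counts as 0
    return {
        "memcap_bytes": cap,
        "memuse_bytes": used,
        "percent_used": round(100 * used / cap, 1),
        "memcap_hits": hits,
        "raise_memcap": hits > 0,  # only a reached memcap argues for more RAM
    }

if __name__ == "__main__":
    print(flow_memory_report("64mb", SAMPLE_STATS))
```
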

ArminF:
Siga,

thank you very much.
No, I do not see any message of reaching the memcap.

Can you give me the location of the config file?
And would the settings be changed there and would they be reboot consistent?

thank you
A

siga75:
I am not an expert but it should be persistent to reboot, not to an update probably

config file: /usr/local/etc/suricata/suricata.yaml


root@myfw:~ # ps aux | grep suri
root          30263   0.2  3.2 2279032  529764  -  Ss   15Feb20   166:52.64 /usr/local/bin/suricata -D --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml

ArminF:
Excellent, thank you very much Siga!
