Monday, December 30, 2013

Suricata - setting up flows

So looking at the suricata.log file (after starting suricata):


root@suricata:/var/data/log/suricata# more suricata.log
[1372] 17/12/2013 -- 17:47:35 - (suricata.c:962) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev (rev e7f6107)
[1372] 17/12/2013 -- 17:47:35 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 16
[1372] 17/12/2013 -- 17:47:35 - (app-layer-dns-udp.c:315) <Info> (DNSUDPConfigure) -- DNS request flood protection level: 500
[1372] 17/12/2013 -- 17:47:35 - (defrag-hash.c:212) <Info> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[1372] 17/12/2013 -- 17:47:35 - (defrag-hash.c:237) <Info> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 152
[1372] 17/12/2013 -- 17:47:35 - (defrag-hash.c:244) <Info> (DefragInitConfig) -- defrag memory usage: 13631336 bytes, maximum: 536870912
[1372] 17/12/2013 -- 17:47:35 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow load balancer
[1373] 17/12/2013 -- 17:47:35 - (tmqh-packetpool.c:142) <Info> (PacketPoolInit) -- preallocated 65534 packets. Total memory 229106864
[1373] 17/12/2013 -- 17:47:35 - (host.c:205) <Info> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[1373] 17/12/2013 -- 17:47:35 - (host.c:228) <Info> (HostInitConfig) -- preallocated 1000 hosts of size 112
[1373] 17/12/2013 -- 17:47:35 - (host.c:230) <Info> (HostInitConfig) -- host memory usage: 390144 bytes, maximum: 16777216
[1373] 17/12/2013 -- 17:47:36 - (flow.c:386) <Info> (FlowInitConfig) -- allocated 1006632960 bytes of memory for the flow hash... 15728640 buckets of size 64
[1373] 17/12/2013 -- 17:47:37 - (flow.c:410) <Info> (FlowInitConfig) -- preallocated 8000000 flows of size 280
[1373] 17/12/2013 -- 17:47:37 - (flow.c:412) <Info> (FlowInitConfig) -- flow memory usage: 3310632960 bytes, maximum: 6442450944
[1373] 17/12/2013 -- 17:47:37 - (reputation.c:459) <Info> (SRepInit) -- IP reputation disabled
[1373] 17/12/2013 -- 17:47:37 - (util-magic.c:62) <Info> (MagicInit) -- using magic-file /usr/share/file/magic
[1373] 17/12/2013 -- 17:47:37 - (suricata.c:1769) <Info> (SetupDelayedDetect) -- Delayed detect disabled

We see:

[1373] 17/12/2013 -- 17:47:36 - (flow.c:386) <Info> (FlowInitConfig) -- allocated 1006632960 bytes of memory for the flow hash... 15728640 buckets of size 64
[1373] 17/12/2013 -- 17:47:37 - (flow.c:410) <Info> (FlowInitConfig) -- preallocated 8000000 flows of size 280

-> This is approximately 3GB of RAM.
How did we get to this number? Well, I have custom defined it in suricata.yaml under the flow section:
  hash-size: 15728640
  prealloc: 8000000

So we need to sum up ->
15728640 x 64 ("15728640 buckets of size 64") = 1006632960 bytes
+
8000000 x 280 ("preallocated 8000000 flows of size 280") = 2240000000 bytes
=
total of 3246632960 bytes, which is 3096.23MB

(15728640 x 64) + (8000000 x 280) =  3246632960 bytes


That is the floor for our flow memcap value in suricata.yaml. Note that Suricata's own "flow memory usage: 3310632960 bytes" line in the log comes out a little above the hand sum, so the memcap has to clear that reported figure as well, with some headroom on top.
So this would work like this ->

flow:
  memcap: 4gb
  hash-size: 15728640
  prealloc: 8000000
  emergency-recovery: 30


This would work as well ->

flow:
  memcap: 3500mb
  hash-size: 15728640
  prealloc: 8000000
  emergency-recovery: 30
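To redo the arithmetic above from a real suricata.log and check a candidate memcap string against it, here is an added Python script (not from the post or from the Suricata project). It assumes the FlowInitConfig line formats shown in the log above and that suricata.yaml size suffixes (kb/mb/gb) are 1024-based.

```python
import re

# Constructed sample: the three FlowInitConfig lines exactly as they appear in the suricata.log above.
SAMPLE_LOG = """\
[1373] 17/12/2013 -- 17:47:36 - (flow.c:386) <Info> (FlowInitConfig) -- allocated 1006632960 bytes of memory for the flow hash... 15728640 buckets of size 64
[1373] 17/12/2013 -- 17:47:37 - (flow.c:410) <Info> (FlowInitConfig) -- preallocated 8000000 flows of size 280
[1373] 17/12/2013 -- 17:47:37 - (flow.c:412) <Info> (FlowInitConfig) -- flow memory usage: 3310632960 bytes, maximum: 6442450944
"""

HASH_RE = re.compile(r"for the flow hash\.\.\. (\d+) buckets of size (\d+)")
PREALLOC_RE = re.compile(r"preallocated (\d+) flows of size (\d+)")
USAGE_RE = re.compile(r"flow memory usage: (\d+) bytes, maximum: (\d+)")

# Assumption: suricata.yaml size suffixes are 1024-based multiples.
UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

def parse_memcap(value):
    """Turn a memcap string such as '4gb' or '3500mb' into a byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b)?\s*", value.lower())
    if not m:
        raise ValueError("bad size string: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "b"]

def flow_memory_from_log(log_text):
    """Pull the hash-size/prealloc figures out of the FlowInitConfig lines and redo the post's sum."""
    hash_m, pre_m, usage_m = (r.search(log_text) for r in (HASH_RE, PREALLOC_RE, USAGE_RE))
    if not (hash_m and pre_m and usage_m):
        raise ValueError("FlowInitConfig lines not found in log")
    buckets, bucket_size = map(int, hash_m.groups())
    flows, flow_size = map(int, pre_m.groups())
    return {
        "hash_bytes": buckets * bucket_size,        # hash-size x bucket size
        "prealloc_bytes": flows * flow_size,        # prealloc x flow size
        "hand_sum": buckets * bucket_size + flows * flow_size,
        "reported_usage": int(usage_m.group(1)),    # what Suricata itself reports
        "memcap": int(usage_m.group(2)),            # the memcap currently in force
    }

def memcap_is_sufficient(memcap_str, log_text):
    """True when a candidate memcap covers the usage Suricata reported at startup."""
    return parse_memcap(memcap_str) >= flow_memory_from_log(log_text)["reported_usage"]

if __name__ == "__main__":
    figures = flow_memory_from_log(SAMPLE_LOG)
    print("hand sum: %d bytes (%.2f MB)" % (figures["hand_sum"], figures["hand_sum"] / 1024 ** 2))
    print("reported: %d bytes" % figures["reported_usage"])
    for candidate in ("3gb", "3500mb", "4gb"):
        print("memcap %s sufficient: %s" % (candidate, memcap_is_sufficient(candidate, SAMPLE_LOG)))
```

Point it at a full suricata.log (the regexes only match the flow lines, not the defrag or host ones) to confirm a memcap before reloading.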


That's it :)
