From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stefan Schantl To: development@lists.ipfire.org Subject: Re: [PATCH 00/20] Suricata Configuration Updates Date: Sun, 03 Mar 2019 10:57:36 +0100 Message-ID: <4e38d27220d08d1230bff88a795ff6ea6b388fb8.camel@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2425020832452069214==" List-Id: --===============2425020832452069214== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Hello Michael, thanks for rebasing and resubmitting your patches. This time everything worked well - merged. Best regards, -Stefan > Hi, > > I rebased the whole branch and sent a second patchset with the three > remaining patches only. > > Hope that helps and merges. > > -Michael > > > On 2 Mar 2019, at 16:52, Michael Tremer > > wrote: > > > > Why are you asking me that? > > > > What does “git am” tell you? There should be a reason why it didn’t > > work. > > > > Probably there have been other changes in the section? > > > > -Michael > > > > > On 1 Mar 2019, at 19:01, Stefan Schantl < > > > stefan.schantl(a)ipfire.org> wrote: > > > > > > > Hi, > > > > > > > > Did you apply all of them in order? > > > > > > > > > > Yes, I did. > > > > > > The reported two patches did not apply. > > > > > > However, the changes on the second patch depends on modifications > > > of > > > the first one, but why does the first one does not apply by using > > > "git > > > am" ? > > > > > > > It is not very helpful to only merge half the patchset. > > > > > > > > Did you use pwclient? > > > > > > > > -Michael > > > > > > > > > On 1 Mar 2019, at 17:09, Stefan Schantl < > > > > > stefan.schantl(a)ipfire.org> > > > > > wrote: > > > > > > > > > > Hello Michael, > > > > > > > > > > thanks for working on optimizing the suricata configuration > > > > > file. > > > > > > > > > > I've merged all of the patches except number "8" and "10" > > > > > which > > > > > does > > > > > not apply with "git am". > > > > > > > > > > When simple adding the changes with "patch" the changes can > > > > > be > > > > > applied > > > > > - any idea why this happened? > > > > > > > > > > Thanks in advance, > > > > > > > > > > -Stefan > > > > > > I have worked on suricata's configuration. > > > > > > > > > > > > My objective was to use more system resources (because > > > > > > suricata > > > > > > did > > > > > > not use much RAM, etc.) > > > > > > to make it faster and to be able to have some deeper > > > > > > decoding and > > > > > > matching. > > > > > > > > > > > > Please review these changes and let me know what you think. > > > > > > > > > > > > All in all, suricata should not use more than 1G of RAM > > > > > > which I > > > > > > think > > > > > > is a very good > > > > > > amount. If your system is weaker than that, there is no > > > > > > point in > > > > > > running an IPS. > > > > > > > > > > > > On my system in my office, this runs with a hand full of > > > > > > rules > > > > > > enabled from the > > > > > > Emerging Threats Community set at around 110MB of RAM. > > > > > > > > > > > > Michael Tremer (20): > > > > > > Revert "Suricata: detect DNS events on port 853, too" > > > > > > suricata: Set max-pending-packets to 1024 > > > > > > suricata: Set default packet size to 1514 > > > > > > suricata: Set detection profile to high > > > > > > suricata: Drop profiling section from configuration > > > > > > suricata: Drop some commented stuff from configuration > > > > > > suricata: Drop sections that require Rust > > > > > > suricata: Configure HTTP decoder > > > > > > suricata: Allow 32MB of RAM for DNS decoding > > > > > > suricata: Drop parsers I have never heard of > > > > > > suricata: We do not use any IP reputation lists > > > > > > suricata: Log to syslog > > > > > > suricata: Use the correct path for the magic database > > > > > > suricata: Use 64MB of RAM for defragmentation > > > > > > suricata: Use up to 256MB of RAM for the flow cache > > > > > > suricata: Log to syslog like a normal process > > > > > > suricata: Increase memory size for the stream engine > > > > > > suricata: Disable decoding for Teredo > > > > > > suricata: Start capture first and then load rules > > > > > > suricata: Fix syntax error > > > > > > > > > > > > config/etc/syslog.conf | 2 +- > > > > > > config/suricata/suricata.yaml | 282 +++++---------------- > > > > > > ------ > > > > > > ----- > > > > > > ---------- > > > > > > 2 files changed, 30 insertions(+), 254 deletions(-) > > > > > > --===============2425020832452069214== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUVXTzBOWHRTcnZo YXN5dERuVHRkT0ZZK1RzdDRGQWx4N3BSQUFDZ2tRVHRkT0ZZK1QKc3Q2ZC9BLy9lOG5uMDVZaFpW aXZTMVFzMmVtbGpFZitwVVZCcTJBL2JXSFdjdmluWEZnR3ZmY2lxbzV3ejJnMwowODZYYkowQTNt akhaelgrQlNNaVFKWWlRcDdxQzVGRHZnQkx6R1Uyb1pvdkd5Z3BHd2owR3FBZUs4dWpvU1NaClFw dmQ1cUhuNHo0bFNSTTU4ODlxdDl5ck5OR3FVaTVLWlNOT0JWN090MlFub0p3ZGFXWWl5VXFjNVNa M0RBd04KakhNaDlrbFhSNkE4L05kVy80ODBTc2g0bW1uS2JLeTFqcFg2MjJZUzRiSFJXM1RjWW1D YXRFTTdMQmpmUE15RwozOEF4ZmU0cW0veEI0ODhaSVNoR1pjMUpOOGJqMjA1NGN1TWIxNVdVLzly T2JWSVpuUEVPTE11OUgxaDgyeERYCnhQdXk0RzVGYnlGV3dtTFpyYmlxWjdvVGxtdmpydElES1JU Y2hyZ3FtaVRjZVNLY3FIa0ZKSGlncC9rekc2ZGsKWHgwaGpXeXNTdnJwUHgrSW5nUk9LUTBJTjlP bkZwYWlCNVBlK09vdjlvckliMDVTOVlmMERsMVdPSmliUHpLKwpDWWQ3ZllaNUJJQmxweFZZcHYv SGw5bnYvYnVtMC9UelMwcUU5OTVRcmcvNHF2Yno4WjZiRkk2VXk3TEgydzEvClNwdVM0ODdyaHc4 SGZFelRyYjB2YVZVa0poa1l4MXJEaUpKU0hPVGVYSk1LdDdlTkhEZXo2bTJKc1p6dDhWNnEKLzJQ MlhzTktrTFZ6b0V1V2NYVWM1a0NraEVoaUtZdkVtR1FaWEppa2gvWU9wZ0RhUm5zckJiLzNndTAv aVZPZwpnRm5mQ2RZSkJtV0FZQ0w2aUZ2SVF2ZWpnN2FGakQ2QnlmbklnTjc1eUtWMkozYWs5WWs9 Cj1CMzdKCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo= --===============2425020832452069214==--