From: Stefan Schantl
To: development@lists.ipfire.org
Subject: Re: [PATCH 00/20] Suricata Configuration Updates
Date: Fri, 01 Mar 2019 18:09:42 +0100
Message-ID:
In-Reply-To: <20190228142825.5153-1-michael.tremer@ipfire.org>

Hello Michael,

thanks for working on optimizing the suricata configuration file.

I've merged all of the patches except number "8" and "10", which do not apply with "git am". When simply adding the changes with "patch" the changes can be applied - any idea why this happened?

Thanks in advance,

-Stefan

> I have worked on suricata's configuration.
>
> My objective was to use more system resources (because suricata did
> not use much RAM, etc.) to make it faster and to be able to have some
> deeper decoding and matching.
>
> Please review these changes and let me know what you think.
>
> All in all, suricata should not use more than 1G of RAM which I think
> is a very good amount. If your system is weaker than that, there is no
> point in running an IPS.
>
> On my system in my office, this runs with a handful of rules enabled
> from the Emerging Threats Community set at around 110MB of RAM.
>
> Michael Tremer (20):
>   Revert "Suricata: detect DNS events on port 853, too"
>   suricata: Set max-pending-packets to 1024
>   suricata: Set default packet size to 1514
>   suricata: Set detection profile to high
>   suricata: Drop profiling section from configuration
>   suricata: Drop some commented stuff from configuration
>   suricata: Drop sections that require Rust
>   suricata: Configure HTTP decoder
>   suricata: Allow 32MB of RAM for DNS decoding
>   suricata: Drop parsers I have never heard of
>   suricata: We do not use any IP reputation lists
>   suricata: Log to syslog
>   suricata: Use the correct path for the magic database
>   suricata: Use 64MB of RAM for defragmentation
>   suricata: Use up to 256MB of RAM for the flow cache
>   suricata: Log to syslog like a normal process
>   suricata: Increase memory size for the stream engine
>   suricata: Disable decoding for Teredo
>   suricata: Start capture first and then load rules
>   suricata: Fix syntax error
>
>  config/etc/syslog.conf        |   2 +-
>  config/suricata/suricata.yaml | 282 +++++-------------------------------------
>  2 files changed, 30 insertions(+), 254 deletions(-)
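The cover letter above claims the tuned configuration keeps Suricata under roughly 1G of RAM. The memcap settings the series touches (DNS 32MB, defragmentation 64MB, flow cache 256MB) are hard ceilings that can be added up, so a reviewer can check that claim against the file rather than trust it. The following is an added example, not code from the IPFire project or from the patch series: it parses the memcap-style keys out of a suricata.yaml fragment and sums them. The fragment is constructed here from the values named in the commit subjects, using Suricata 4.x key names; the stream engine values are assumptions, since the series only says that memory was increased, not by how much.

```python
"""Worst-case memory budget check for a Suricata 4.x suricata.yaml.

Added example, not part of the IPFire patch series. Sums every *memcap
setting found in the file so the "should not use more than 1G" claim can
be verified against the configured ceilings.
"""
import re

# Constructed fragment with the values named in the commit subjects.
# The stream memcaps are assumed; the series does not state them.
SAMPLE_YAML = """\
max-pending-packets: 1024
default-packet-size: 1514

detect:
  profile: high

app-layer:
  protocols:
    dns:
      global-memcap: 32mb

defrag:
  memcap: 64mb

flow:
  memcap: 256mb

stream:
  memcap: 64mb            # assumed value
  reassembly:
    memcap: 256mb         # assumed value

decoder:
  teredo:
    enabled: false

outputs:
  - syslog:
      enabled: yes
      facility: local5
"""

_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}
_SIZE_RE = re.compile(r"^(\d+)\s*([kmg]?b)?$", re.IGNORECASE)
_KEY_RE = re.compile(r"^([\w-]+)\s*:\s*(.*)$")


def parse_size(value: str) -> int:
    """Convert a Suricata size string such as '32mb' or '1gb' to bytes."""
    m = _SIZE_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * _UNITS[(m.group(2) or "").lower()]


def memcaps(yaml_text: str) -> dict:
    """Map dotted key path -> bytes for every key ending in 'memcap'.

    A small indentation-tracking walk is enough for suricata.yaml's
    shape; it is not a general YAML parser. Trailing '#' comments are
    dropped and '- ' list markers are treated as extra indentation.
    """
    caps = {}
    path = []  # stack of (indent, key)
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" -"))
        m = _KEY_RE.match(line.strip().lstrip("- ").strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, key))
        if key.endswith("memcap") and value:
            caps[".".join(k for _, k in path)] = parse_size(value)
    return caps


def total_memcap(yaml_text: str) -> int:
    """Sum of all configured memcaps in bytes (the worst-case ceiling)."""
    return sum(memcaps(yaml_text).values())


def within_budget(yaml_text: str, limit: str = "1gb") -> bool:
    """True if the summed memcaps fit inside the stated RAM budget."""
    return total_memcap(yaml_text) <= parse_size(limit)


if __name__ == "__main__":
    for key, size in memcaps(SAMPLE_YAML).items():
        print(f"{key:40s} {size // 1024 ** 2:5d} MB")
    print(f"total memcap: {total_memcap(SAMPLE_YAML) // 1024 ** 2} MB, "
          f"within 1gb: {within_budget(SAMPLE_YAML)}")
```

Run it against the real suricata.yaml by replacing SAMPLE_YAML with the file contents. Two caveats when reading the result: the sum is a ceiling, not expected usage (the 110MB figure in the cover letter is observed usage with few rules loaded), and a full budget should also include the memcaps the series does not mention, such as the host table and any app-layer decoder limits, plus rule-matching memory that is not governed by a memcap at all.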