Are there any guides, best practices or suggestions for Suricata memcap tuning?
Maybe something we should improve in our docs.
However, the general rule of thumb (the one that I use anyway) would be to look in the last update section in stats.log (or "event_type":"stats" in eve.json) and see if there are any memcap hits/counters. This would mean that the specific memcap has been reached that many times.
Example:
flow.memcap | Total | 76503
Then adjust the relevant section in suricata yaml. All memcaps can be adjusted:
suricata --dump-config |grep memcap
defrag.memcap = 32mb
flow.memcap = 128mb
stream.memcap = 64mb
stream.reassembly.memcap = 256mb
host.memcap = 1gb
ippair.memcap = 1gb
Plus there are a couple of other default ones (commented in the yaml) for things like http/ftp (suricata/suricata.yaml.in at suricata-6.0.9 · OISF/suricata · GitHub) that you can adjust as needed.
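One way to automate the check described in the answer above, as an added example that is not from the original thread: a small Python helper that pulls the memcap counters out of a stats.log "last update" section or out of an eve.json stats event and reports which ones are non-zero. The sample stats.log section and eve.json event are constructed; the counter names are illustrative of Suricata's naming, not a complete list.

```python
import json

# Constructed sample of the "last update" section of stats.log (not real data).
STATS_LOG = """\
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 1234567
flow.memcap                                   | Total                     | 76503
tcp.ssn_memcap_drop                           | Total                     | 0
tcp.segment_memcap_drop                       | Total                     | 12
defrag.max_frag_hits                          | Total                     | 0
"""

# Constructed eve.json "stats" event, trimmed to the counters of interest.
EVE_STATS = json.dumps({"event_type": "stats", "stats": {
    "flow": {"memcap": 76503},
    "tcp": {"ssn_memcap_drop": 0, "segment_memcap_drop": 12, "reassembly_memuse": 10485760}}})


def memcap_hits_from_stats_log(text):
    """Return {counter: value} for stats.log rows whose counter name contains 'memcap'."""
    hits = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and "memcap" in parts[0]:
            hits[parts[0]] = int(parts[2])
    return hits


def memcap_hits_from_eve(line):
    """Flatten a stats event's nested object into dotted keys, keeping memcap counters."""
    event = json.loads(line)
    if event.get("event_type") != "stats":
        return {}
    flat = {}

    def walk(obj, prefix):
        for key, value in obj.items():
            name = f"{prefix}.{key}" if prefix else key
            if isinstance(value, dict):
                walk(value, name)
            elif "memcap" in name:
                flat[name] = value

    walk(event["stats"], "")
    return flat


def exceeded(hits):
    """Keep only the memcaps that have actually been hit (non-zero counter)."""
    return {name: value for name, value in hits.items() if value > 0}
```

Any counter returned by `exceeded()` points at the memcap to raise in suricata.yaml (e.g. `flow.memcap`), after checking that the host has the RAM to back the new value.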