<div dir="ltr">Yeah, it would definitely fall over well before 10GB. I was only using the method for initial Suricata alert generation to seed a hand-rolled Splunk barnyard parsing SIEM project - all of which has since moved to production hardware.<div>

<br></div><div>I hope you get it working, but if not I would suggest an Arista 7150 feeding a Suricata cluster and a Bro cluster, with the Bro cluster using Time Machine. Of course budget may become an issue.</div></div>
<div class="gmail_extra">
<br><br><div class="gmail_quote">On Tue, Aug 5, 2014 at 3:49 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div class="">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</div>We are a 10GbE shop so that isn't going to work. Ideally what I would<br>
like is to use moloch to index/spool packets after suricata is done<br>
sampling/processing them and then spool them to an individual disk per<br>
thread.<br>
<br>
-Coop<br>
<div class=""><br>
On 8/5/2014 1:01 PM, Brandon Lattin wrote:<br>
> I should mention, this was using a RHEL 6.5 box.<br>
><br>
><br>
> On Tue, Aug 5, 2014 at 3:00 PM, Brandon Lattin <<a href="mailto:lattin@umn.edu">lattin@umn.edu</a><br>
</div><div class="">> <mailto:<a href="mailto:lattin@umn.edu">lattin@umn.edu</a>>> wrote:<br>
><br>
>     Cooper,<br>
><br>
>     I've redirected traffic via tcpdump -> box1 netcat -> box2 netcat<br>
>     listener -> pipe -> suricata (pretty hackish, I know!)<br>
><br>
>     I remember it working without issue. Not quite the same task, but<br>
>     perhaps similar enough.<br>
><br>
>     Here are the related commands from my .bash_history<br>
><br>
>     nc -l 10101 > temp.pcap &<br>
>     /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -r<br>
>     ./temp.pcap &<br>
><br>
>     Suricata remained running as long as the netcat listener was<br>
>     operational.<br>
><br>
>     Hope this helps!<br>
><br>
><br>
><br>
>     On Tue, Aug 5, 2014 at 2:30 PM, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a><br>
</div><div class="">>     <mailto:<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>>> wrote:<br>
><br>
<br>
-- <br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.17 (MingW32)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
</div>
<div class="HOEnZb"><div class="h5">-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Brandon Lattin<div>Security Analyst<br><div>University of Minnesota - University Information Security<br>Office: 612-626-6672</div></div>

</div>
</div>
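<p>An added example, not part of this thread and not code from Suricata or netcat: a Python reader that follows a pcap file while another process (such as the <code>nc -l 10101 &gt; temp.pcap</code> listener quoted above) is still appending to it. It shows the framing a reader of a growing capture has to respect: the 24-byte global header fixes byte order and snaplen, every record is a 16-byte header plus <code>incl_len</code> bytes of packet data, a half-written record must stay buffered until the rest arrives, and an <code>incl_len</code> larger than snaplen is the sign that the stream is truncated or desynchronised. The sample capture, chunk boundaries, timestamps and class names are constructed for this example.</p>

```python
import os
import struct
import tempfile

PCAP_GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_REC_HDR_LEN = 16      # ts_sec, ts_frac, incl_len, orig_len

# Magic values as they read when unpacked with the file's own byte order.
MAGIC_USEC = 0xA1B2C3D4    # microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D    # nanosecond timestamps


class PcapFollower:
    """Incrementally parse a pcap file that may still be growing.

    Bytes that do not yet form a complete record stay in self.buf and are
    retried on the next poll(), so a writer that has flushed only half of a
    packet never yields a truncated or misaligned record.
    """

    def __init__(self, path):
        self.fh = open(path, "rb")
        self.buf = b""
        self.endian = None      # "<" or ">" once the global header is seen
        self.snaplen = None
        self.linktype = None

    def _parse_global_header(self):
        (magic,) = struct.unpack("<I", self.buf[:4])
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            self.endian = "<"
        else:
            (magic,) = struct.unpack(">I", self.buf[:4])
            if magic not in (MAGIC_USEC, MAGIC_NSEC):
                raise ValueError("not a pcap stream (magic 0x%08x)" % magic)
            self.endian = ">"
        _major, _minor, _zone, _sigfigs, self.snaplen, self.linktype = struct.unpack(
            self.endian + "HHiIII", self.buf[4:PCAP_GLOBAL_HDR_LEN])
        self.buf = self.buf[PCAP_GLOBAL_HDR_LEN:]

    def poll(self):
        """Read whatever was appended since the last call and return a list of
        (ts_sec, ts_frac, packet_bytes) for every record that is now complete."""
        chunk = self.fh.read()
        if chunk:
            self.buf += chunk
        packets = []
        if self.endian is None:
            if len(self.buf) < PCAP_GLOBAL_HDR_LEN:
                return packets          # global header not fully written yet
            self._parse_global_header()
        while len(self.buf) >= PCAP_REC_HDR_LEN:
            ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
                self.endian + "IIII", self.buf[:PCAP_REC_HDR_LEN])
            if self.snaplen and incl_len > self.snaplen:
                raise ValueError("record length %d exceeds snaplen %d: "
                                 "stream truncated or desynchronised" % (incl_len, self.snaplen))
            end = PCAP_REC_HDR_LEN + incl_len
            if len(self.buf) < end:
                break                   # body not fully written yet; keep for next poll
            packets.append((ts_sec, ts_frac, self.buf[PCAP_REC_HDR_LEN:end]))
            self.buf = self.buf[end:]
        return packets

    def close(self):
        self.fh.close()


def build_sample_pcap():
    """Constructed sample: little-endian pcap, linktype 1 (Ethernet), two frames."""
    header = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    frames = [b"\x00" * 60, b"\xff" * 100]
    records = b"".join(
        struct.pack("<IIII", 1407268800 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames))
    return header + records


def demo():
    """Append the sample to a temp file in three uneven chunks, polling after
    each, and return how many complete packets each poll produced."""
    data = build_sample_pcap()
    # Cut points land inside the first record header and inside the second one.
    cuts = [PCAP_GLOBAL_HDR_LEN + 6,
            PCAP_GLOBAL_HDR_LEN + PCAP_REC_HDR_LEN + 60 + 10,
            len(data)]
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.close()
    try:
        follower = PcapFollower(tmp.name)
        counts, start = [], 0
        with open(tmp.name, "ab") as writer:
            for cut in cuts:
                writer.write(data[start:cut])
                writer.flush()
                start = cut
                counts.append(len(follower.poll()))
        follower.close()
        return counts
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print(demo())
```

<p>Each <code>poll()</code> returns only records whose body has fully landed on disk; the constructed run sees 0, 1 and 1 packets across the three writes, which is the behaviour a consumer needs when it reads a capture that another process is still filling rather than giving up at the first short read.</p>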