<div dir="ltr">Copper, when you say that you are sampleing, how much? 1/10, 1/100, 1/200, etc? And the speed, 7Gbit/s is that the network speed before the selection of port 80 and the sampeling, or is this after all this is performed?<div><br></div><div>- In the case that this speed is before the sub-selection, what is the actual speeds that are being analyzed on sampled port 80 traffic?</div><div>- In the case that this speed is after the sub-selection, what is the actual speeds that are being sampeld?</div><div><br></div><div>Sorry for all the questions, so here is a bonus one, hehe. Have you tried to compare timeperiods of real-time analysis results to playbacked / re-spooled / "suricata -r" pcaps from fullcapture / tcpdump to disk, of the same traffic?</div><div><br></div><div>The branch that is being talked about, is this "dev-detect-grouping-v170" ?</div><div><br></div><div>/AndreasM</div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-12-04 18:03 GMT+01:00 Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</span>We are running the grouping code branch as well, ~7gbit traffic and<br>
sampling port 80 flows. Using groups of 1000.<br>
<br>
Performance so far is very good, currently running 27,568 ETPRO signatures.<br>
<br>
- -Coop<br>
<span class=""><br>
On 12/3/2015 4:56 PM, Michal Purzynski wrote:<br>
> I kind of feel responsible here and should answer this question.<br>
><br>
> The grouping code branch will make it to Suricata post 3.0. Give. The new release schedule, this should be quick.<br>
><br>
> I'm testing it on production traffic, more than 20gbit, two sensors (peak, but frequent, long and crazy. Average is between 3 to 6gbit/sec).<br>
><br>
> In order to stress the code I run it with even more insane settings, like this<br>
><br>
> detect-engine:<br>
> - profile: custom<br>
> - custom-values:<br>
> toclient-src-groups: 2000<br>
> toclient-dst-groups: 2000<br>
> toclient-sp-groups: 2000<br>
> toclient-dp-groups: 3000<br>
> toserver-src-groups: 2000<br>
> toserver-dst-groups: 4000<br>
> toserver-sp-groups: 2000<br>
> toserver-dp-groups: 2500<br>
> - sgh-mpm-context: full<br>
> - inspection-recursion-limit: 3000<br>
> - rule-reload: true<br>
><br>
> Note - do not try this at home. Or work. It kills kittens on 2.x<br>
><br>
> And it just works on the new branch that's yet to be merged :)<br>
><br>
> Note - I have over 16500 rules now.<br>
<br>
<br>
</span><span class="">- --<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.17 (MingW32)<br>
<br>
</span>iQEcBAEBAgAGBQJWYcddAAoJEKIFRYQsa8FWBt0H/0sh5R412AvdWkMlhTgxTI9v<br>
VP09We6pjr4iKzJtahKVBaeI/ilcZlUndHWbWPzJA/cD/94sXQMlm8rYsBRfEbVZ<br>
FnVTXHWUvglGPo0WtgklLX2a66auN4OF+shfE0wh1eP578/KYm7RERYIyelSDkHA<br>
H74cGHEGgW9xyPR5Kp/JxA7x1D+HO3NC0vfkOJDpvCqsdmqIbYjNIp+Iux7w7JCG<br>
TycUq2M/QhnNF1lFNziDiGWUMcmCBIi3ZJoMKK5/SRnsWDhdXC4hjvoulVmxZquH<br>
CmvNl7EFMGi9hyRZEaJIyPbbxsqxIxVueVRznKioKzad4irQAdjduUs5itLce6w=<br>
=Cn9D<br>
-----END PGP SIGNATURE-----<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a></div></div></blockquote></div><br></div>