[Oisf-users] Holy #$@!, nice!

Martin Holste mcholste at gmail.com
Fri Jan 1 21:05:44 UTC 2010


Awesomeness!  Nice work, guys!  I got Suricata up and running on my
Ubuntu 9.10 laptop with no problems as well as my quad-core CentOS 5
sandbox server with PF_RING (by the way, you should make sure to
mention in the docs that PF_RING >= 4.0 is required if you're going to
use it).  I quickly copied my ET Snort rules over, and everything works
like a charm!  Plus, it's running on PF_RING and using over 233% CPU
so the threading is clearly working.  This is a pretty major milestone
for an IDS to thread like that, so I felt like I should take a screen
shot of top or something.  I haven't played with any of the inline
options, but all of the straight IDS stuff is working as advertised.
I'm also very pleased with the straight URL logger, as I've been
running urlsnarf from dsniff for a long time to log all URLs for
later analysis.

Initial recommendations from beta testing:
Config file documentation:  The inline comments were helpful, but I'm
getting some non-fatal config errors on startup and I don't know how
to fix them.
Minor new feature request: Configuration for custom log format for
HTTP log.  I could always just hack the source until then, though.
Feature req: Dropped packets count in stats.log.  I know this is
tricky to do in a meaningful way, but maybe the new tactic they're
using for Bro 1.5 (using TCP SEQ integrity checks) could be
implemented for calculating the number of dropped packets.

Thanks, and keep up the great work!

--Martin


