[Oisf-users] Holy #$@!, nice!
Victor Julien
victor at inliniac.net
Sat Jan 2 14:25:50 UTC 2010
Hi Martin, thanks for the nice feedback!
Martin Holste wrote:
> Awesomeness! Nice work, guys! I got suricata up and running on my
> Ubuntu 9.10 laptop with no problems as well as my quad-core CentOS 5
> sandbox server with PF_RING (by the way, you should make sure to
> mention in the docs that PF_RING >= 4.0 is required if you're going to
We'll do that.
> use it). I quickly copied my ET Snort rules over, and everything works
> like a charm! Plus, it's running on PF_RING and using over 233% CPU
> so the threading is clearly working. This is a pretty major milestone
> for an IDS to thread like that, so I felt like I should take a screen
The threading is going to be highly configurable; however, we haven't
implemented the configuring yet. For those that are brave, hacking
runmodes.c could be interesting.
> shot of top or something. I haven't played with any of the inline
> options, but all of the straight IDS stuff is working as advertised.
> I'm also very pleased with the straight URL logger, as I've been
> running urlsnarf from dsniff for a long time to log all URLs for
> later analysis.
The http log was really just added to prove to myself how easy that
would be, but I agree it's very useful.
> Initial recommendations from beta testing:
> Config file documentation: The inline comments were helpful, but I'm
> getting some non-fatal config errors on startup and I don't know how
> to fix them.
Right, we will clean those up.
> Minor new feature request: Configuration for custom log format for
> HTTP log. I could always just hack the source until then, though.
I've added a ticket for this:
https://redmine.openinfosecfoundation.org/issues/show/38
> Feature req: Dropped packets count in stats.log. I know this is
> tricky to do in a meaningful way, but maybe the new tactic they're
> using for Bro 1.5 (using TCP SEQ integrity checks) could be
> implemented for calculating the number of dropped packets.
Interesting suggestion, thanks. I always hear people say that the pcap
stats are pretty useless, but the Bro approach is worth checking out I
guess. Other ideas are welcome!
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
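An added example, not code from Suricata or Bro, of the sequence-gap idea Martin raises for estimating dropped packets: it walks one direction of a TCP stream and counts bytes the capture never saw, crediting back holes that a reordered or retransmitted segment later fills. The segment list is constructed for illustration and the function names are this example's own.

```python
# Added illustration (not Suricata or Bro code) of the sequence-gap idea from
# the thread: count bytes of one TCP stream direction that the capture never
# saw. Input: (seq, payload_len) tuples in capture order; first one is the start.
WRAP = 1 << 32


def _ahead(a, b):
    """Signed distance a - b in 32-bit serial-number arithmetic."""
    d = (a - b) % WRAP
    return d - WRAP if d >= WRAP // 2 else d


def _fill(ranges, s, e):
    """Remove bytes [s, e) from every missing range, splitting where needed."""
    out = []
    for rs, re_ in ranges:
        if _ahead(e, rs) <= 0 or _ahead(s, re_) >= 0:
            out.append((rs, re_))            # no overlap with this hole
            continue
        if _ahead(s, rs) > 0:
            out.append((rs, s))              # part of the hole before the fill
        if _ahead(re_, e) > 0:
            out.append((e, re_))             # part of the hole after the fill
    return out


def sequence_gap_stats(segments):
    """Return (unfilled_holes, missing_bytes) for one stream direction.
    A segment starting past the expected byte opens a hole; a later segment
    landing inside a hole (reordering, or a retransmission the capture did
    see) fills it, so only bytes never observed are counted as lost."""
    expected = None
    missing = []
    for seq, length in segments:
        if length == 0:
            continue                         # pure ACKs carry no stream data
        end = (seq + length) % WRAP
        if expected is None:
            expected = end
            continue
        if _ahead(seq, expected) > 0:
            missing.append((expected, seq))  # hole between expected and seq
        if _ahead(end, expected) > 0:
            expected = end                   # segment advances the stream
        missing = _fill(missing, seq, end)
    return len(missing), sum(_ahead(e, s) for s, e in missing)

# Constructed sample: a 100-byte hole at 1200 that a late segment half refills.
SAMPLE = [(1000, 100), (1100, 100), (1300, 100), (1400, 100), (1200, 50)]
```

For the sample the result is one unfilled hole of 50 bytes; a stream that is merely reordered reports no loss, which is the distinction the thread calls tricky.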