[Oisf-users] Holy #$@!, nice!

Victor Julien victor at inliniac.net
Sat Jan 2 14:25:50 UTC 2010

Hi Martin, thanks for the nice feedback!

Martin Holste wrote:
> Awesomeness!  Nice work, guys!  I got suricata up and running on my
> Ubuntu 9.10 laptop with no problems as well as my quad-core CentOS 5
> sandbox server with PF_RING (by the way, you should make sure to
> mention in the docs that PF_RING >= 4.0 is required if you're going to

We'll do that.

> use it).  I quickly copied my ET Snort rules over, and everything works
> like a charm!  Plus, it's running on PF_RING and using over 233% CPU
> so the threading is clearly working.  This is a pretty major milestone
> for an IDS to thread like that, so I felt like I should take a screen

The threading is going to be highly configurable, however we haven't
implemented the configuring yet. For those that are brave, hacking
runmodes.c could be interesting.

> shot of top or something.  I haven't played with any of the inline
> options, but all of the straight IDS stuff is working as advertised.
> I'm also very pleased with the straight URL logger, as I've been
> running urlsnarf from dsniff for a long time to log all URLs for
> later analysis.

The http log was really just added to prove to myself how easy that
would be, but I agree it's very useful.

> Initial recommendations from beta testing:
> Config file documentation:  The inline comments were helpful, but I'm
> getting some non-fatal config errors on startup and I don't know how
> to fix them.

Right, we will clean those up.

> Minor new feature request: Configuration for custom log format for
> HTTP log.  I could always just hack the source until then, though.

I've added a ticket for this:

> Feature req: Dropped packets count in stats.log.  I know this is
> tricky to do in a meaningful way, but maybe the new tactic they're
> using for Bro 1.5 (using TCP SEQ integrity checks) could be
> implemented for calculating the number of dropped packets.

Interesting suggestion, thanks. I always hear people say that the pcap
stats are pretty useless, but the Bro approach is worth checking out, I
guess. Other ideas are welcome!


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
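The sequence-gap approach raised in the feature request above, as an added Python example by the editor (it is not Suricata or Bro code): it works on relative sequence numbers for one direction of a flow, assumes no 32-bit wraparound, and counts a jump ahead as capture loss only if no later (reordered or retransmitted) segment fills the hole.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int     # relative TCP sequence number of the first payload byte
    length: int  # payload bytes carried

class GapTracker:
    """One direction of a TCP stream. A segment starting beyond the next
    expected byte opens a gap; a later segment covering a gap closes it
    (reordering, not loss). Gaps still open at the end are bytes the
    sensor never saw, i.e. capture loss measured from the data itself."""

    def __init__(self):
        self.expected = 0      # next relative seq we expect
        self.gaps = []         # open [start, end) byte ranges
        self.gap_events = 0    # times the stream jumped ahead

    def feed(self, seg):
        end = seg.seq + seg.length
        if seg.seq > self.expected:
            self.gaps.append((self.expected, seg.seq))
            self.gap_events += 1
        elif seg.seq < self.expected:
            # retransmission or reordered segment: it may fill part of a gap
            self.gaps = [r for g in self.gaps for r in _subtract(g, (seg.seq, end))]
        if end > self.expected:
            self.expected = end

    def missing_bytes(self):
        return sum(e - s for s, e in self.gaps)

def _subtract(gap, seg):
    """Pieces of half-open range gap not covered by half-open range seg."""
    (s, e), (a, b) = gap, seg
    if b <= s or a >= e:
        return [gap]
    return [p for p in ((s, a), (b, e)) if p[0] < p[1]]

def capture_loss(segments):
    """Return (gap_events, missing_bytes) for one direction of a flow."""
    t = GapTracker()
    for seg in segments:
        t.feed(seg)
    return t.gap_events, t.missing_bytes()

# Constructed sample (not real traffic): 1460-byte segments; the one at 1460
# arrives out of order (not loss), the one at 5840 is never captured (loss).
SAMPLE = [Segment(0, 1460), Segment(2920, 1460), Segment(1460, 1460),
          Segment(4380, 1460), Segment(7300, 1460)]
```

Running `capture_loss(SAMPLE)` yields `(2, 1460)`: two jumps ahead, but only one hole remains, so 1460 bytes are reported missing regardless of what the capture driver's counters say.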
