[Oisf-users] A few questions about logging.

Brandon Lattin lattin at umn.edu
Tue Aug 5 21:11:41 UTC 2014


Yeah, it would definitely fall over well before 10GB. I was only using the
method for initial Suricata alert generation to seed a hand-rolled Splunk
barnyard parsing SIEM project - all of which has since moved to production
hardware.

I hope you get it working, but if not I would suggest an Arista 7150
feeding a Suricata cluster and a Bro cluster, with the Bro cluster using
Time Machine. Of course budget may become an issue.


On Tue, Aug 5, 2014 at 3:49 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

>
> We are a 10Gbe shop so that isn't going to work.  Ideally what I would
> like is to use moloch to index/spool packets after suricata is done
> sampling/processing them and then spool them to an individual disk per
> thread.
>
> -Coop
>
> On 8/5/2014 1:01 PM, Brandon Lattin wrote:
> > I should mention, this was using a RHEL 6.5 box.
> >
> >
> > On Tue, Aug 5, 2014 at 3:00 PM, Brandon Lattin <lattin at umn.edu> wrote:
> >
> >     Cooper,
> >
> >     I've redirected traffic via tcpdump -> box1 netcat -> box2 netcat
> >     listener -> pipe -> suricata (pretty hackish, I know!)
> >
> >     I remember it working without issue. Not quite the same task, but
> >     perhaps similar enough.
> >
> >     Here are the related commands from my .bash_history
> >
> >     nc -l 10101 > temp.pcap &
> >     /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -r ./temp.pcap &
> >
> >     Suricata remained running as long as the netcat listener was
> >     operational.
> >
> >     Hope this helps!
> >
> >
> >
> >     On Tue, Aug 5, 2014 at 2:30 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> >
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>



-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
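The tcpdump -> netcat -> netcat listener -> file -> suricata -r hand-off quoted above, written out as an added example (not code from the thread, from the posters, or from the Suricata project). It assumes OpenBSD-style or nmap-style netcat where `nc -l 10101` listens on the port (traditional GNU netcat needs `nc -l -p 10101`), a hypothetical capture interface `eth0`, a hypothetical receiver host `box2`, and the same suricata paths the poster used. The extra step a practitioner wants is the check before `suricata -r` is started: the spooled file must already hold a complete 24-byte libpcap global header, otherwise suricata has nothing valid to open. `make_pcap_header` writes a constructed header so the check can be exercised offline.

```shell
#!/bin/sh
# Added example: receiver side of the tcpdump -> nc -> suricata -r hand-off.
# Sender (box1), run by hand on the capture box, not by this script:
#   tcpdump -i eth0 -U -w - | nc box2 10101
# (-U flushes each packet to the pipe instead of buffering the stream.)

# Return 0 if "$1" starts with a libpcap global header: at least 24 bytes and a
# magic of a1b2c3d4 (or the nanosecond variant a1b23c4d) in either byte order.
pcap_header_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 24 ] || return 1          # global header is 24 bytes
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed little-endian global header (magic, version 2.4, zone 0,
# sigfigs 0, snaplen 65535, linktype 1 = Ethernet) for testing the check.
make_pcap_header() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Receiver (box2): spool the stream to disk, wait until the pcap header has
# landed, then hand the file to suricata. Returns 1 if nothing valid arrives
# within 30 seconds. Paths are the ones the poster used; adjust as needed.
receive_and_run() {
    port="$1"
    out="$2"
    nc -l "$port" > "$out" &
    ncpid=$!
    i=0
    until pcap_header_ok "$out"; do
        i=$((i + 1))
        if [ "$i" -ge 30 ]; then
            kill "$ncpid" 2>/dev/null
            return 1
        fi
        sleep 1
    done
    /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -r "$out"
}
```

Usage on the receiver: `receive_and_run 10101 ./temp.pcap`. Note that `-r` is Suricata's offline pcap-file mode; whether it keeps reading a file that is still growing is version-dependent, so check the running suricata's log after the listener has been up for a while rather than assuming it is keeping pace with the stream.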

