[Oisf-users] A few questions about logging.

Cooper F. Nelson cnelson at ucsd.edu
Tue Aug 5 21:55:31 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, the issue is we are moving to an Arista switch feeding a 64 core,
40 Gbe sensor, so I really need an indexed packet capture process that
is either multi-threaded (bro and moloch are not); or a way to
post-process packets from suricata, which is my preferred solution.

I just realized a great solution would be to use the approach barnyard
does and have the indexer use a spool directory and asynchronously index
the files as they are written.  This fixes the issue with the buffering
and indexing delays.

I'll look if there are any FPC solutions out there that already do this,
but I don't think there are.

- -Coop

On 8/5/2014 2:11 PM, Brandon Lattin wrote:
> Yeah, it would definitely fall over well before 10GB. I was only using
> the method for initial Suricata alert generation to seed a hand-rolled
> Splunk barnyard parsing SIEM project - all of which has since moved to
> production hardware.
> 
> I hope you get it working, but if not I would suggest an Arista 7150
> feeding a Suricata cluster and a Bro cluster, with the Bro cluster using
> Time Machine. Of course budget may become an issue.
> 
> 
> On Tue, Aug 5, 2014 at 3:49 PM, Cooper F. Nelson <cnelson at ucsd.edu
> <mailto:cnelson at ucsd.edu>> wrote:
> 
> We are a 10Gbe shop so that isn't going to work.  Ideally what I would
> like is to use moloch to index/spool packets after suricata is done
> sampling/processing them and then spool them to an individual disk per
> thread.
> 
> -Coop
> 

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJT4VLTAAoJEKIFRYQsa8FWfKMIAMKF0y41gUSUJa9QNivailS8
6HqR+iXuaGDAc5Vmq1GMvk+MixnonmpuhNiqUCC9oZetwUOG2PpAfE64o76yog+N
xa5E5S3StN3qG8vQh9bZa9FFzbEW24Y5yM9LIg7mepIgxp20JNW8eoBRHTDM/aSj
v0kZeGFGX4fJm4XxTH5Q4X3/kKtOrL/X78iIV2ANmeC/llQgyDUHqlNTLL7qbY2m
ts+846qqpWvy5rjVWbuJ2cDzZnhbhI/+c2RS47igMPmq5FHoUCDME580YoU1RMGG
XmAvFANBo8xaFL0q0IWD2Q58W8UPDsQXjFWfPYTI00C/uFqqb1ZwyN5s9/K6+jA=
=V2cI
-----END PGP SIGNATURE-----

More information about the Oisf-users mailing list