[Oisf-users] Eve logging and http headers

Cooper F. Nelson cnelson at ucsd.edu
Tue Jul 29 16:07:19 UTC 2014



FPC is actually very feasible if you use BPF filters to sample traffic.
Peter Manev wrote an excellent blog post on this, which includes some
of my original research on the topic:

> http://www.pevma.blogspot.se/2014/06/suricata-idps-getting-best-out-of.html

The executive summary is that if you sample HTTP traffic you can cut
your data storage requirements by an order-of-magnitude, at least.

-Coop

On 7/29/2014 12:08 AM, Christophe Vandeplas wrote:
> Hi Cooper,
> 
> On Tue, Jul 29, 2014 at 3:51 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>> This is why indexed full-packet capture is so important.  Very often you
>> will find you don't know what you should be looking for until after you
>> are already compromised.
> 
> We do agree. Unfortunately sometimes FPC is a little further away than
> you'd/I'd like :-)
> 
>> If disk space is an issue consider using a dedicated BTRFS partition
>> with lzop compression enabled for storage.  Headers compress very well!
> 
> I'll see what I can do once our new IDS hardware arrives. (?end of the year?)
> 
> Thanks for the feedback.
> 
> Christophe
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
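The sampling idea above, as an added example that is not part of the thread or of the linked blog post: keep the TCP control packets (SYN/FIN/RST) and the segments that begin with an HTTP request method or an `HTTP/` status line, and drop the full-sized body segments. The script below implements that decision in Python over hand-constructed IPv4/TCP packets (raw IP, no Ethernet header, checksums zeroed), measures how many bytes survive, and emits the equivalent libpcap/tcpdump BPF expression. The packet contents, ports and the method list are assumptions chosen for the demo; the BPF offset trick (`tcp[((tcp[12]&0xf0)>>2):4]` addresses the first four payload bytes) is standard tcpdump usage.

```python
"""Header-only sampling of HTTP traffic for full-packet capture.

Added example, not code from the mailing-list thread or from the linked
blog post. Packets are constructed inline for demonstration.
"""
import struct

# TCP flag bits (RFC 793 layout of the flags byte).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Payload prefixes that mark a request or response header segment.
# Assumption for the demo: the methods a practitioner cares about most.
HTTP_PREFIXES = (b"GET ", b"POST", b"HEAD", b"PUT ", b"HTTP")


def bpf_expression(port=80):
    """tcpdump/libpcap filter with the same keep/drop logic as keep_packet().

    0x47455420 = "GET ", 0x504f5354 = "POST", 0x48454144 = "HEAD",
    0x50555420 = "PUT ", 0x48545450 = "HTTP".  Check it with `tcpdump -d`.
    """
    off = "((tcp[12]&0xf0)>>2)"  # TCP data offset = start of payload
    return (
        f"tcp port {port} and ("
        "tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0"
        f" or tcp[{off}:4] = 0x47455420"
        f" or tcp[{off}:4] = 0x504f5354"
        f" or tcp[{off}:4] = 0x48454144"
        f" or tcp[{off}:4] = 0x50555420"
        f" or tcp[{off}:4] = 0x48545450)"
    )


def parse_ipv4_tcp(pkt):
    """Return (sport, dport, flags, payload) for a raw IPv4+TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return sport, dport, tcp[13], tcp[data_off:]


def keep_packet(pkt, port=80):
    """True if the packet should be written to the sampled capture."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    sport, dport, flags, payload = parsed
    if port not in (sport, dport):
        return False
    if flags & (SYN | FIN | RST):          # connection setup / teardown
        return True
    return any(payload.startswith(p) for p in HTTP_PREFIXES)


def build_packet(sport, dport, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet (checksums zeroed; demo data only)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + tcp_hdr + payload


def sample_flow():
    """A constructed HTTP download: handshake, request, response, body, teardown."""
    req = b"GET /big.iso HTTP/1.1\r\nHost: example.org\r\n\r\n"
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: 14600\r\n\r\n")
    body = [build_packet(80, 40000, PSH | ACK, b"\x00" * 1460) for _ in range(10)]
    return [
        build_packet(40000, 80, SYN),
        build_packet(80, 40000, SYN | ACK),
        build_packet(40000, 80, ACK),            # pure ACK: dropped
        build_packet(40000, 80, PSH | ACK, req),  # request header: kept
        build_packet(80, 40000, ACK),            # pure ACK: dropped
        build_packet(80, 40000, PSH | ACK, resp), # response header: kept
        *body,                                    # full-size segments: dropped
        build_packet(80, 40000, FIN | ACK),
        build_packet(40000, 80, FIN | ACK),
    ]


def sample_capture(packets, port=80):
    """Apply the filter; return (kept packets, bytes seen, bytes retained)."""
    kept = [p for p in packets if keep_packet(p, port)]
    return kept, sum(map(len, packets)), sum(map(len, kept))


if __name__ == "__main__":
    kept, seen, retained = sample_capture(sample_flow())
    print(f"kept {len(kept)} packets, {retained}/{seen} bytes "
          f"({seen / retained:.1f}x reduction)")
    print(bpf_expression())
```

The reduction on this one flow is roughly 40x because the body is ten full segments; on real traffic it depends on the ratio of headers to bodies, which is why the thread talks about an order of magnitude rather than a fixed number. Two caveats worth keeping in mind before deploying the BPF string: the filter is pinned to one port, so HTTP on other ports (or TLS) is not sampled at all, and the body segments are gone for good, so file extraction or payload matching will not work on the sampled capture.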



More information about the Oisf-users mailing list