[Oisf-users] Eve logging and http headers

Christophe Vandeplas christophe at vandeplas.com
Thu Jul 31 08:30:59 UTC 2014

On Tue, Jul 29, 2014 at 6:07 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> Hash: SHA1
> FPC is actually very feasible if you use BPF filters to sample traffic.
>  Peter Manev wrote an excellent blog post on this, which includes some
> of my original research on the topic:
>> http://www.pevma.blogspot.se/2014/06/suricata-idps-getting-best-out-of.html
> The executive summary is that if you sample HTTP traffic you can cut
> your data storage requirements by an order-of-magnitude, at least.

Thanks for the link !
The networks/perimeters I'm on I don't always have a clear view of
what ports are used for what (proxy for example). However with iptraf
it's indeed great to get a better view of what percentage of traffic
passes on what ports.

With this I'm applying negative filtering: not port 445 and not port ...
If I'm not wrong with my interpretation of how the protocol detection
of suricata works, using negative filtering let's me see http traffic
on ports I'm not aware of. (8081 for example)

Filtering indeed works like a charm to get better performance.
Unfortunately in my (current) case it's still too much traffic to save
to the local disks. Hopefully this will change with the new hardware
I'm expecting...


> - -Coop
> On 7/29/2014 12:08 AM, Christophe Vandeplas wrote:
>> Hi Cooper,
>> On Tue, Jul 29, 2014 at 3:51 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>>> This is why indexed full-packet capture is so important.  Very often you
>>> will find you don't know what you should be looking for until after you
>>> are already compromised.
>> We do agree. Unfortunately sometimes FPC is a little further away than
>> you'd/I'd like :-)
>>> If disk space is an issue consider using a dedicated BTRFS partition
>>> with lzop compression enabled for storage.  Headers compress very well!
>> I'll see what I can do once our new IDS hardware arrives. (?end of the year?)
>> Thanks for the feedback.
>> Christophe
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> Ct2YLTWzLoPM5n+870zEET0ZooMMfkCZNCR5OKp3bSmFHgWBBp07+FxbS6gt1LhD
> 6TjrcleIihDwb2/+YQPN8u0hsMYBgnMqoIA+Z06QGqmAwcYCVXX4oYRQcIKjBIZC
> uXtyZi17DEEMSvaLyoD7Ddw1B8HA9c8dZnC18shXYQ0ltwbdsBF/o2QBbm2pis9F
> LkRUs7ff1I2dvvP9D1OvqqPhvGELLeKcX64LPU8A4kr/yVmSPv2k7mjhTnfPMgNo
> gjQOn72e0mK8NjGU7ryqLc3cp7W6BeUvjPP18p1js8i/L1mjXOZ1yJFbwfNU2dY=
> =TWwY

More information about the Oisf-users mailing list