[Oisf-users] Rule Sets

Cooper F. Nelson cnelson at ucsd.edu
Sat Mar 15 22:14:05 UTC 2014


17k rules
16 cores
~5Gbit average

If I remember correctly, recommended sizing is 1 core per 50 mbit of
traffic.

I'm "cheating" a bit by aggressively sampling IP traffic via BPF
filters.  If you want to try that I'll suggest starting by sampling HTTP
traffic if you don't care about the body of the server response.

You can do that via this bpf filter expression:

> (not tcp port 80 or (tcp dst port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))))

Another thing to try is to run suricata without any rules to make sure
it's processing packets/flows correctly.

-Coop

On 3/14/2014 7:39 PM, Adnan Baykal wrote:
> Can you guys tell me how many rules are you loading into your Suricata
> Instance and what kind of hardware (CPU/Memory) and how much traffic are
> you monitoring?
> 
> I have a 6 core single CPU with 16GB ram - if I am monitoring a 600MB/s
> throughput network, how many rules should I be able to load and process?
> 
> my nic is not dropping a single packet, however, when I load about 13K
> rules, all the threads are 100% and suricata kernel packet drop goes over
> 50%. I am trying to figure out if it is my hardware setup or tuning of
> suricata that is the problem. (I am running PF_RING)
> 
> any info and help is appreciated.
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
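The BPF expression from the message above, re-implemented in plain Python as an added example (not part of the original post) so its sampling behaviour can be checked offline against constructed TCP segments. The names `build_tcp` and `http_sampler_passes` are made up for this illustration.

```python
import struct

SYN, FIN = 0x02, 0x01  # values of tcp-syn / tcp-fin in the BPF flags byte


def build_tcp(sport, dport, flags, payload=b"", options=b""):
    """Construct a raw TCP segment (constructed test data, not a capture)."""
    options += b"\x00" * (-len(options) % 4)      # options pad to 32-bit words
    data_offset_words = 5 + len(options) // 4       # 20-byte base header + options
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,              # ports
                         0, 0,                      # seq / ack (irrelevant here)
                         data_offset_words << 4,    # byte 12: data offset in high nibble
                         flags,                     # byte 13: tcp[tcpflags]
                         65535, 0, 0)               # window, checksum, urgent ptr
    return header + options + payload


def http_sampler_passes(seg):
    """Mirror the filter:
    not tcp port 80
      or (tcp dst port 80
          or (tcp src port 80
              and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
                   or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))
    Returns True when the segment would reach Suricata."""
    sport, dport = struct.unpack("!HH", seg[:4])
    if sport != 80 and dport != 80:
        return True                    # non-HTTP traffic is kept in full
    if dport == 80:
        return True                    # client -> server: requests kept in full
    flags = seg[13]
    if flags & (SYN | FIN):
        return True                    # server SYN/FIN keep flow setup/teardown visible
    # (tcp[12] & 0xf0) >> 2 is the header length in bytes, i.e. the payload offset;
    # 0x48545450 is ASCII "HTTP", so only the response status line survives.
    payload_offset = (seg[12] & 0xF0) >> 2
    # A 4-byte load past the end of the packet fails in BPF; the slice compare
    # below is False for short payloads, which matches that behaviour.
    return seg[payload_offset:payload_offset + 4] == b"HTTP"


def sampled_counts(segments):
    """Count how many constructed segments the filter keeps versus drops."""
    kept = sum(1 for s in segments if http_sampler_passes(s))
    return kept, len(segments) - kept
```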


