[Oisf-users] Working with mirror sampling
Alan Wanderley dos Santos
alan.santos at rnp.br
Mon Aug 31 20:43:49 UTC 2015
Hi all,
I'll use suricata in a backbone with a large amount of data. I'm thinking of putting suricata at each aggregation router (5 - 20 Gbps for each router). My problem is the hardware and software limitation. To solve this, I'll use mirroring by sampling. JUNOS supports this feature. For that, a denominator will be used (not defined yet). Maybe 1/1000 or 1/2000, I don't know.
Another option, for better coverage: I'll test mirroring only the first 120 bytes of each packet (I don't need all 1500 bytes of the packet to identify a new one).
So, the questions are:
Does anyone use suricata in mirror sampling mode? Does it work?
Does anyone have experience with mirroring parts of a packet (the first $x bytes)?
Best Regards,
att,
-----------------------------------------------
Alan Santos
Security Analyst
Centro de Atendimento a Incidentes de Segurança (CAIS)
Rede Nacional de Ensino e Pesquisa (RNP)
(19) 3787-3314 | alan.santos at rnp.br
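Added example (not part of the original post or of Suricata): a quick way to reason about the two options raised above. `visible_payload` computes how many application-payload bytes survive a per-packet truncation such as the 120-byte cut, for a given header stack (the header sizes are the standard fixed ones; VLAN tags and option lengths are parameters), and `flow_seen_probability` estimates the share of flows a 1/N sampler mirrors at least once, assuming each packet is sampled independently (an assumption; a deterministic every-Nth sampler behaves similarly across unrelated flows).

```python
# Added example (not from the original post): payload visible after packet
# truncation, and flow coverage under 1/N packet sampling.

ETH_HDR = 14        # Ethernet II header
VLAN_TAG = 4        # 802.1Q tag, one per VLAN level
IPV4_HDR = 20       # IPv4 header without options
IPV6_HDR = 40       # IPv6 fixed header (extension headers not modelled)
L4_HDR = {"tcp": 20, "udp": 8, "icmp": 8}


def visible_payload(snaplen: int, ip_version: int = 4, l4: str = "tcp",
                    vlan_tags: int = 0, ip_opts: int = 0, l4_opts: int = 0) -> int:
    """Bytes of application payload left after truncating to `snaplen`.

    Returns 0 when the cut lands inside the headers, i.e. the IDS would not
    even see a complete transport header for that packet.
    """
    headers = ETH_HDR + vlan_tags * VLAN_TAG
    headers += IPV4_HDR + ip_opts if ip_version == 4 else IPV6_HDR
    headers += L4_HDR[l4] + l4_opts
    return max(0, snaplen - headers)


def flow_seen_probability(packets_in_flow: int, denominator: int) -> float:
    """P(at least one packet of a flow is mirrored) under 1/denominator sampling.

    Modelled as independent per-packet sampling: a one-packet probe or a single
    DNS query is almost never mirrored, while a long transfer almost always
    has some packet mirrored (but only a sampled subset, so stream reassembly
    and payload matching operate on fragments of the conversation).
    """
    miss = 1.0 - 1.0 / denominator
    return 1.0 - miss ** packets_in_flow


if __name__ == "__main__":
    cases = {
        "IPv4/TCP, no options": dict(),
        "IPv4/TCP, 1 VLAN, 12B TCP opts": dict(vlan_tags=1, l4_opts=12),
        "IPv6/TCP, 1 VLAN": dict(ip_version=6, vlan_tags=1),
    }
    for desc, kw in cases.items():
        print(f"{desc:32s} payload bytes at snaplen 120: {visible_payload(120, **kw)}")
    for n in (1, 10, 1000, 10000):
        print(f"{n:6d}-packet flow, 1/1000 sampling: "
              f"{flow_seen_probability(n, 1000):.3f}")
```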