[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM

Cooper F. Nelson cnelson at ucsd.edu
Fri Dec 4 21:20:41 UTC 2015


On 12/4/2015 12:57 PM, Andreas Moe wrote:
> Cooper, when you say that you are sampling, how much? 1/10, 1/100,
> 1/200, etc? And the speed, 7Gbit/s, is that the network speed before the
> selection of port 80 and the sampling, or is this after all this is
> performed?

It doesn't work like that.  I'll send you details privately.

> - In the case that this speed is before the sub-selection, what are the
> actual speeds that are being analyzed on sampled port 80 traffic?

Yes, this is the raw packet rate and I don't know.  If I had to guess I
would say maybe 1-2 Gbps.  HTTP is very fat-tailed.

> - In the case that this speed is after the sub-selection, what are the
> actual speeds that are being sampled?

This is a hard question to answer I think because suricata does sampling
itself, via features like the stream tracking depth and the TLS protocol
analyzer.  So, for example, I'm seeing lots of traffic on port 443 but
suricata stops analyzing past the handshake.

> Sorry for all the questions, so here is a bonus one, hehe. Have you
> tried to compare time periods of real-time analysis results to played-back
> / re-spooled / "suricata -r" pcaps from full capture / tcpdump to disk,
> of the same traffic?

We don't have the ability to record full raw packet captures on our
current hardware.

> The branch that is being talked about, is this "dev-detect-grouping-v170" ?


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042