[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM

Cooper F. Nelson cnelson at ucsd.edu
Fri Dec 4 21:20:41 UTC 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/4/2015 12:57 PM, Andreas Moe wrote:
> Copper, when you say that you are sampleing, how much? 1/10, 1/100,
> 1/200, etc? And the speed, 7Gbit/s is that the network speed before the
> selection of port 80 and the sampeling, or is this after all this is
> performed?

It doesn't work like that.  I'll send you details privately.

> - In the case that this speed is before the sub-selection, what is the
> actual speeds that are being analyzed on sampled port 80 traffic?

Yes this is the raw packet rate and I don't know.  If I had to guess I
would say maybe 1-2 Gbs.  HTTP is very fat-tailed.

> - In the case that this speed is after the sub-selection, what is the
> actual speeds that are being sampeld?

This is a hard question to answer I think because suricata does sampling
itself, via features like the stream tracking depth and the TLS protocol
analyzer.  So, for example, I'm seeing lots of traffic on port 443 but
suricata stops analyzing past the handshake.

> Sorry for all the questions, so here is a bonus one, hehe. Have you
> tried to compare timeperiods of real-time analysis results to playbacked
> / re-spooled / "suricata -r" pcaps from fullcapture / tcpdump to disk,
> of the same traffic?

We don't have the ability to record full raw packet captures on our
current hardware.

> The branch that is being talked about, is this "dev-detect-grouping-v170" ?

Yup.

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJWYgOpAAoJEKIFRYQsa8FWMZUH/2sDvWpFCo0vsKP21oGxeT0v
YEVVf4vel7TMaeFZxB6QBkAOcr8Xw+hf0T6p6sr443mKnjBpMbvZE3+IkjSn3gBb
he7sjl5fld9GuTD4a4OCG9XiYsXOF0Su2+xmb1A58srpTynw4gORW6cp7FB2sEIw
zUcFLJ7JizQp/LODq2ekkQz3qw5lQ6smPwiKkOYN4l2nhBmgwmkxNdWPaiiVppM8
N9YHtqO74WJJS1rYP+mP6TyOL+vQuMdE0QSlrZDGk3skMKjuzWm65YwAFgkJ2EFT
15n+M8GzsSJVWCqNpHkJfOtzmfbwwdNDbvP4EfJuBcWJv8+W5JUnmJ3qPXsDIVA=
=hqGN
-----END PGP SIGNATURE-----

More information about the Oisf-users mailing list