[Oisf-users] Suricata, 10k rules, 10Gbit/sec and lots of RAM

Duane Howard duane.security at gmail.com
Mon Dec 7 23:07:13 UTC 2015


Thanks for the answer Michal! Looking forward to playing with this once we
get a bit more mature in our Suricata deployment.

On Fri, Dec 4, 2015 at 1:20 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

>
> On 12/4/2015 12:57 PM, Andreas Moe wrote:
> > Cooper, when you say that you are sampling, how much? 1/10, 1/100,
> > 1/200, etc? And the speed, 7Gbit/s, is that the network speed before the
> > selection of port 80 and the sampling, or is this after all this is
> > performed?
>
> It doesn't work like that.  I'll send you details privately.
>
> > - In the case that this speed is before the sub-selection, what are the
> > actual speeds that are being analyzed on sampled port 80 traffic?
>
> Yes, this is the raw packet rate, and I don't know.  If I had to guess I
> would say maybe 1-2 Gb/s.  HTTP is very fat-tailed.
>
> > - In the case that this speed is after the sub-selection, what are the
> > actual speeds that are being sampled?
>
> This is a hard question to answer, I think, because Suricata does sampling
> itself, via features like the stream tracking depth and the TLS protocol
> analyzer.  So, for example, I'm seeing lots of traffic on port 443 but
> Suricata stops analyzing past the handshake.
>
> > Sorry for all the questions, so here is a bonus one, hehe. Have you
> > tried to compare time periods of real-time analysis results to played-back
> > / re-spooled / "suricata -r" pcaps from full capture / tcpdump to disk,
> > of the same traffic?
>
> We don't have the ability to record full raw packet captures on our
> current hardware.
>
> > The branch that is being talked about, is this
> > "dev-detect-grouping-v170"?
>
> Yup.
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
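The "Suricata does sampling itself" point in Cooper's reply above maps onto a handful of suricata.yaml settings. The fragment below is an added illustration, not the poster's configuration and not from the thread: the key names are the ones in the stock suricata.yaml, the values are constructed examples, and `encryption-handling` is a Suricata 4.1+ option that did not exist at the time of this 2015 thread.

```yaml
# Added example (not from the thread): the suricata.yaml settings that make
# Suricata inspect only part of each flow on its own. Values are constructed.
stream:
  memcap: 1gb
  checksum-validation: yes
  reassembly:
    memcap: 4gb
    # How many bytes of each TCP stream are reassembled and handed to the
    # detection engine. Beyond this point the rest of the flow is no longer
    # inspected at the stream/app layer. 0 removes the limit (at a large
    # memory cost on a 10Gbit/s sensor).
    depth: 1mb

app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          # The same idea at the HTTP layer: how much of a request or
          # response body is buffered for inspection. A multi-megabyte
          # download is only looked at up to this limit, which is why the
          # "analyzed" rate is far below the raw port-80 rate.
          request-body-limit: 100kb
          response-body-limit: 100kb
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      # Suricata 4.1+ only (newer than this thread). 'default' stops
      # inspecting a TLS session once the handshake is done, 'bypass'
      # additionally drops the flow from the capture path where the capture
      # method supports it, and 'full' keeps inspecting the encrypted bytes.
      encryption-handling: default
```

The effective values after all includes and command-line overrides can be confirmed with `suricata --dump-config`, which is the quickest way to see which depth limit a running sensor is actually applying before comparing its results against a full-capture replay.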

