[Oisf-users] Suricata Logs

Cooper F. Nelson cnelson at ucsd.edu
Mon Jul 27 21:45:30 UTC 2015



On 7/27/2015 2:17 PM, Andreas Moe wrote:
> Having around 500k to 1,000k events per day (seeing that you are
> repeatedly saying you are San Diego's largest employer) is not a lot my dear
> friend. That's around 5.7 to 11.5 events per second? Not really touching
> the limits of what either ELK or Splunk have in mind.

The alerts are rate-shaped and we don't (can't, actually) log http, dns,
etc.  The primary value of an IDS is still the logs generated from
signature alerts.

> My train of thought was that, if a person has 20 suricata sensors, in
> different networks, with optimal tuning, and many logging solutions. Well
> if they only get 5-10 events per second, something is wrong. Hence, they
> should be planning for hundreds to some thousands events per second. And
> in that case, email will not simply work. How the hell are you going to
> correlate/aggregate similar events? Effectively filter out alerts /
> domains / IPs / URIs without having to update homebrew-style scripts on
> every single sensor?

If you want to do something like that you should probably look into a
commercial solution.  Here are a few I've heard good things about:

https://www.aanval.com/
https://www.threatstream.com/

Btw, it's trivial to manage multiple sensors using something like
puppet, NFS or even rsync.  You can also run logstash on every sensor
and send the alerts to a centralized elasticsearch cluster.

If you had beefy enough sensors you could even run elasticsearch on
every sensor and make a full meshed topology:

https://www.found.no/foundation/elasticsearch-networking/

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
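The thread argues about alert volume (events per second) and about collapsing repeated alerts before they reach a human or a central store. The script below is an added example, not code from either poster or from the Suricata project: it reads Suricata EVE JSON alert records, skips non-alert and malformed lines, collapses repeats into one bucket per (signature_id, src_ip, dest_ip), drops signatures on a suppression list, and computes the sustained events-per-second rate of the batch. It assumes the standard eve.json alert fields (timestamp, event_type, src_ip, dest_ip, alert.signature_id, alert.signature); the sample lines, signature ids, names and addresses are constructed for this example and do not describe any real sensor or traffic.

```python
"""Aggregate Suricata EVE JSON alerts into per-signature/per-host buckets.

Added example for the thread above; it is not the project's own code.
"""
import json
from datetime import datetime

# Suricata writes timestamps like 2015-07-27T14:00:00.000000+0000
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed sample eve.json lines (not captured from any real sensor).
# Signature ids, names and addresses are sample values for this example.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-07-27T14:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP",'
    '"alert":{"signature_id":2100498,"signature":"SAMPLE ATTACK_RESPONSE id check","severity":2}}',
    '{"timestamp":"2015-07-27T14:00:02.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.53","proto":"UDP",'
    '"dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2015-07-27T14:00:04.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP",'
    '"alert":{"signature_id":2100498,"signature":"SAMPLE ATTACK_RESPONSE id check","severity":2}}',
    '{"timestamp":"2015-07-27T14:00:06.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"192.0.2.10","proto":"UDP",'
    '"alert":{"signature_id":2008578,"signature":"SAMPLE SCAN noisy scanner","severity":2}}',
    'this line is not JSON {',  # a truncated write must not abort the batch
    '{"timestamp":"2015-07-27T14:00:10.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.9","dest_ip":"192.0.2.20","proto":"TCP",'
    '"alert":{"signature_id":2010935,"signature":"SAMPLE POLICY inbound to db port","severity":2}}',
]


def parse_alerts(lines):
    """Return only well-formed 'alert' records; other event types and corrupt lines are skipped."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert" or "alert" not in rec:
            continue
        rec["_ts"] = datetime.strptime(rec["timestamp"], EVE_TS_FORMAT)
        alerts.append(rec)
    return alerts


def aggregate_alerts(alerts, suppressed_sids=frozenset()):
    """Collapse repeated alerts into one bucket per (sid, src_ip, dest_ip).

    Signatures listed in suppressed_sids are dropped, which is the central
    equivalent of a per-sensor suppression script.
    """
    buckets = {}
    for rec in alerts:
        sid = rec["alert"]["signature_id"]
        if sid in suppressed_sids:
            continue
        key = (sid, rec["src_ip"], rec["dest_ip"])
        bucket = buckets.get(key)
        if bucket is None:
            buckets[key] = {
                "signature": rec["alert"]["signature"],
                "count": 1,
                "first_seen": rec["_ts"],
                "last_seen": rec["_ts"],
            }
        else:
            bucket["count"] += 1
            bucket["first_seen"] = min(bucket["first_seen"], rec["_ts"])
            bucket["last_seen"] = max(bucket["last_seen"], rec["_ts"])
    return buckets


def events_per_second(alerts):
    """Sustained alert rate over the span of the batch (0.0 for an empty batch)."""
    if not alerts:
        return 0.0
    stamps = sorted(rec["_ts"] for rec in alerts)
    span = (stamps[-1] - stamps[0]).total_seconds()
    return len(alerts) / span if span > 0 else float(len(alerts))


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_EVE_LINES)
    print(f"{len(parsed)} alerts, {events_per_second(parsed):.2f} events/s")
    for (sid, src, dst), b in aggregate_alerts(parsed, {2008578}).items():
        print(f"sid={sid} {src} -> {dst} x{b['count']}  {b['signature']}")
```

Fed a real eve.json (one record per line), the same functions give the per-day volume discussed in the thread and a deduplicated view that is far smaller than the raw alert count; the suppression set is the place to keep the signature ids you would otherwise filter on every sensor.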


