[Oisf-users] Help with good configuration for Suricata install with Napatech card

Stephen Castellarin castle1126 at yahoo.com
Fri Oct 9 14:01:43 UTC 2015


Sorry for the quick reply yesterday, I forgot to hit Reply All.

As for the tuning, I know my current, underpowered Suricata system is missing events, as is my new hardware/configuration. I base this on some attack traffic I saw from one IP yesterday.

So our configuration is a front end router feeding an inline IPS which then is tapped - one tap to my old Suricata system and the second to my new Suricata system. From a full take packet capture I see 45 attempts to issue malicious POSTs to a webserver we have. My original Suricata system triggered on 10 of those while my new Suricata triggered on 15. I then took the pcap I extracted and ran it through Suricata on the new system and that system showed it trigger on all 45. So that's giving me a feeling that I'm not tuning something correctly - causing the running Suricata to miss things.
From: "Rob MacGregor" <rob.macgregor at gmail.com>
Date: Fri, Oct 9, 2015 at 5:14 AM
Subject: Re: [Oisf-users] Help with good configuration for Suricata install with Napatech card

On Thu, Oct 8, 2015 at 10:50 PM Stephen Castellarin <castle1126 at yahoo.com> wrote:

Hey Rob,

Don't forget to include the list ;)

Right now Suricata is configured for autofp. The ntservice.ini is the default that came out of the driver install. As for packet loss, I know that previously, with a 1Gb ethernet card, our tap infrastructure kept alerting that we were over-subscribing on the amount of traffic hitting the Suricata port. It's hard to quantify what the packet loss on the current production system is - every time I run an ifconfig on that interface the dropped count continues to rise at a good clip. Running "monitoring" on the new server shows 0 fragments, collisions, drop events or crc/align errors.


Hmmm, my Napatech install doesn't show up as an interface, so I can't cross-check that. However, if the monitoring tool isn't reporting packet loss, that's a good sign.

So, what do you expect/want to get "tuned up"?

Also, are you really sure those 24K rules are relevant? That's quite a large ruleset...
--  Rob

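The packet-loss question in the exchange above (an ifconfig drop counter that keeps climbing versus a monitoring tool that reports zero drops) is best settled from Suricata's own counters rather than the NIC's. The script below is an added example, not code from the thread or from the Suricata project: it reads the periodic "stats" records Suricata writes to eve.json and turns the cumulative capture.kernel_packets / capture.kernel_drops counters into a per-interval drop ratio, so a growing loss under live load shows up as a rising ratio. It assumes that counter layout (which is what Suricata emits for AF_PACKET-style captures); Napatech-specific counters are not modelled, and the sample stats lines are constructed for the example.

```python
"""Estimate Suricata capture loss from 'stats' records in eve.json.

Added example (not from the mailing-list thread). Assumed layout:
each "stats" event carries stats.capture.kernel_packets and
stats.capture.kernel_drops as cumulative counters since start-up.
"""
import json

# Constructed sample: three cumulative stats snapshots 8 seconds apart,
# plus an unrelated alert record that must be ignored.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-10-09T08:00:00.000000+0000","event_type":"stats",'
    '"stats":{"uptime":8,"capture":{"kernel_packets":1000000,"kernel_drops":0}}}',
    '{"timestamp":"2015-10-09T08:00:08.000000+0000","event_type":"stats",'
    '"stats":{"uptime":16,"capture":{"kernel_packets":2500000,"kernel_drops":30000}}}',
    '{"timestamp":"2015-10-09T08:00:16.000000+0000","event_type":"stats",'
    '"stats":{"uptime":24,"capture":{"kernel_packets":4000000,"kernel_drops":330000}}}',
    '{"timestamp":"2015-10-09T08:00:16.500000+0000","event_type":"alert",'
    '"alert":{"signature":"constructed test alert"}}',
]


def parse_stats(lines):
    """Return [(timestamp, kernel_packets, kernel_drops)] from stats events only."""
    samples = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # a truncated line (e.g. mid-write) should not abort the run
        if rec.get("event_type") != "stats":
            continue
        cap = rec.get("stats", {}).get("capture", {})
        if "kernel_packets" not in cap or "kernel_drops" not in cap:
            continue
        samples.append((rec["timestamp"], int(cap["kernel_packets"]), int(cap["kernel_drops"])))
    return samples


def drop_intervals(samples):
    """Per-interval (t0, t1, packets, drops, drop_ratio) from cumulative counters."""
    intervals = []
    for (t0, p0, d0), (t1, p1, d1) in zip(samples, samples[1:]):
        dp, dd = p1 - p0, d1 - d0
        if dp < 0 or dd < 0:
            continue  # counters went backwards: Suricata restarted, skip the gap
        ratio = dd / dp if dp else 0.0
        intervals.append((t0, t1, dp, dd, ratio))
    return intervals


def overall_drop_ratio(samples):
    """Cumulative drops over cumulative packets for the last snapshot."""
    if not samples:
        return 0.0
    _, packets, drops = samples[-1]
    return drops / packets if packets else 0.0


def worst_interval(samples, threshold=0.01):
    """The interval with the highest drop ratio, or None if all are below threshold."""
    intervals = [iv for iv in drop_intervals(samples) if iv[4] >= threshold]
    return max(intervals, key=lambda iv: iv[4]) if intervals else None


if __name__ == "__main__":
    # Point this at a real eve.json: open(path) instead of SAMPLE_EVE_LINES.
    stats = parse_stats(SAMPLE_EVE_LINES)
    for t0, t1, dp, dd, ratio in drop_intervals(stats):
        print(f"{t0} -> {t1}: {dd}/{dp} dropped ({ratio:.2%})")
    print(f"overall: {overall_drop_ratio(stats):.2%}")
```

Run it against the live eve.json (with `stats` enabled in the eve-log outputs) on both sensors while the attack traffic is replayed, and compare the interval ratios with the pcap-replay run: a ratio near zero in the replay and well above it on the live tap points at capture loss rather than at the rules.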

