[Oisf-users] Help with good configuration for Suricata install with Napatech card

Stephen Castellarin castle1126 at yahoo.com
Fri Oct 9 14:01:43 UTC 2015

| Sorry for the quick reply yeaterday, I forgot to hit Reply All.
As for the tuning, I know my current, underpowered Suricata system is missing events, as is my new hardware/configuration.  I base this on some attack traffic I saw from one IP yesterday.  
So our configuration is a front end router feeding an inline IPS which then is tapped - one tap to my old Suricata system and the second to my new Suricata system.  From a full take packet capture I see 45 attempts to issue malicious POST attempts to a webserver we have.  My original Suricata system triggered on 10 of those while my new Suricata triggered on 15.  I then took the pcap I extracted and ran it through Suricata on the new system and that system showed it trigger on all 45.  So that's giving me a feeling that I'm not tuning something correct - causing the running Suricata to miss things. 
|  From:"Rob MacGregor" <rob.macgregor at gmail.com>
Date:Fri, Oct 9, 2015 at 5:14 AM
Subject:Re: [Oisf-users] Help with good configuration for Suricata install with Napatech card


On Thu, Oct 8, 2015 at 10:50 PM Stephen Castellarin <castle1126 at yahoo.com> wrote:

Hey Rob,

 Don't forget to include the list ;)

Right now Suricata is configured for autofp.  The ntservice.ini is the default that came out of the driver install.  As for packet loss I know previously that with a 1Gb ethernet card I know that our tap infrastructure kept alerting that we were over-subscribing on the amount of traffic hitting the Suricata port.  It's hard to quantify what the packet loss on the current production system is - every time I run an ifconfig on that interface the dropped count continues to rise at a good clip.  Running "monitoring" on the new server shows 0 fragments, collisions, drop events or crc/align errors.

Hmmm, my Napatech install doesn't show up as an interface, so I can't cross-check that. However, if the monitoring tool isn't reporting packet loss, that's a good sign.
So, what do you expect/want to get "tuned up"?
Also, are you really sure those 24K rules are relevant? That's quite a large ruleset...
--  Rob  |


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151009/6cd56abc/attachment.html>

More information about the Oisf-users mailing list