[Oisf-users] Help with good configuration for Suricata install with Napatech card
Stephen Castellarin
castle1126 at yahoo.com
Fri Oct 9 15:15:37 UTC 2015
Yes there still is progress to make. Looking at CPU utilization through SAR, for today I'm seeing an average of 88.86 %idle, so they're not being overworked. As far as memory consumption, stats are showing I'm using roughly 50gb of 128gb available. So I know I have plenty of breathing room from the hardware's perspective.
To your point about the rules, I know I've stripped down a whole bunch of the ETPRO rules - only sticking with the exploit, malware, scan, trojan, current_events, web_server and web_specific_apps rules. The largest number of rules from that list are in the trojan.rules (~9763), web_specific_apps.rules (~5603) and current_events.rules(~2505). When I cut down to that list of rule files from the full ETPRO rule list that definitely cut out unnecessary stuff for us. It's going to be real tough to dig through the remainder to see what is pertinent to us and what isn't.
On Friday, October 9, 2015 10:32 AM, Rob MacGregor <rob.macgregor at gmail.com> wrote:
On Fri, Oct 9, 2015 at 3:05 PM Stephen Castellarin <castle1126 at yahoo.com> wrote:
| Sorry for the quick reply yeaterday, I forgot to hit Reply All.
As for the tuning, I know my current, underpowered Suricata system is missing events, as is my new hardware/configuration. I base this on some attack traffic I saw from one IP yesterday.
So our configuration is a front end router feeding an inline IPS which then is tapped - one tap to my old Suricata system and the second to my new Suricata system. From a full take packet capture I see 45 attempts to issue malicious POST attempts to a webserver we have. My original Suricata system triggered on 10 of those while my new Suricata triggered on 15. I then took the pcap I extracted and ran it through Suricata on the new system and that system showed it trigger on all 45. So that's giving me a feeling that I'm not tuning something correct - causing the running Suricata to miss things. |
So, things are improving but there's still progress to make?
I'd look at things like CPU and RAM usage - are you maxing out your CPUs/RAM?
Also, really look at those rules, are they really all relevant to your network? Also, if you strip it down to just the rules that'd catch those POST attempts, does it fire for every event?
-- Rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151009/960e45dc/attachment-0002.html>
More information about the Oisf-users
mailing list