[Oisf-users] Help with good configuration for Suricata install with Napatech card

Victor Julien lists at inliniac.net
Fri Oct 9 16:01:32 UTC 2015


On 09-10-15 17:15, Stephen Castellarin wrote:
> Yes there still is progress to make.  Looking at CPU utilization through
> SAR, for today I'm seeing an average of 88.86 %idle, so they're not
> being overworked.  As far as memory consumption, stats are showing I'm
> using roughly 50gb of 128gb available.  So I know I have plenty of
> breathing room from the hardware's perspective.

One thing to check is how the card does the traffic distribution. You
need to make sure all packets from a flow are delivered to the same
Suricata thread. IIRC napatech cards give you a lot of control there.

Cheers,
Victor


> To your point about the rules, I know I've stripped down a whole bunch
> of the ETPRO rules - only sticking with the exploit, malware, scan,
> trojan, current_events, web_server and web_specific_apps rules.  The
> largest number of rules from that list are in the trojan.rules (~9763),
> web_specific_apps.rules (~5603) and current_events.rules(~2505).  When I
> cut down to that list of rule files from the full ETPRO rule list that
> definitely cut out unnecessary stuff for us.  It's going to be real
> tough to dig through the remainder to see what is pertinent to us and
> what isn't.
> 
> 
> 
> On Friday, October 9, 2015 10:32 AM, Rob MacGregor
> <rob.macgregor at gmail.com> wrote:
> 
> 
> On Fri, Oct 9, 2015 at 3:05 PM Stephen Castellarin <castle1126 at yahoo.com
> <mailto:castle1126 at yahoo.com>> wrote:
> 
>     Sorry for the quick reply yesterday, I forgot to hit Reply All.
> 
>     As for the tuning, I know my current, underpowered Suricata system
>     is missing events, as is my new hardware/configuration.  I base this
>     on some attack traffic I saw from one IP yesterday.  
> 
>     So our configuration is a front end router feeding an inline IPS
>     which then is tapped - one tap to my old Suricata system and the
>     second to my new Suricata system.  From a full take packet capture I
>     see 45 attempts to issue malicious POST attempts to a webserver we
>     have.  My original Suricata system triggered on 10 of those while my
>     new Suricata triggered on 15.  I then took the pcap I extracted and
>     ran it through Suricata on the new system and that system showed it
>     trigger on all 45.  So that's giving me a feeling that I'm not
>     tuning something correctly - causing the running Suricata to miss things.
> 
> 
> So, things are improving but there's still progress to make?
> 
> I'd look at things like CPU and RAM usage - are you maxing out your
> CPUs/RAM?
> 
> Also, really look at those rules, are they really all relevant to your
> network? Also, if you strip it down to just the rules that'd catch those
> POST attempts, does it fire for every event?
> 
> -- 
>  Rob 
> 
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
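The distribution point above can be checked before blaming rules: every packet of a flow, in both directions, must land on the same worker. The script below is an added example (not from this thread, nor Suricata or Napatech code); the hash functions are assumed stand-ins for whatever the card does, and the packet records are constructed, so only the check itself carries over.

```python
"""Check that a load-balancing hash keeps both directions of a flow on one
Suricata worker. Added example; the hashes are stand-ins, not Napatech's."""
import ipaddress
from collections import defaultdict

NUM_THREADS = 4                      # assumed number of Suricata workers
PROTO = {"tcp": 6, "udp": 17}        # IP protocol numbers


def _ip(s):
    return int(ipaddress.ip_address(s))


def _mix(ip_a, port_a, ip_b, port_b, proto, n):
    """Stand-in for the card's hash: a weighted sum, so the order of the two
    endpoints matters (this is what makes a naive hash asymmetric)."""
    return (31 * ip_a + ip_b + 7 * port_a + port_b + proto) % n


def flow_key(pkt):
    """Direction-independent 5-tuple: sort the endpoints so A->B == B->A."""
    lo, hi = sorted([(_ip(pkt["src"]), pkt["sport"]),
                     (_ip(pkt["dst"]), pkt["dport"])])
    return (PROTO[pkt["proto"]], lo, hi)


def symmetric_hash(pkt, n=NUM_THREADS):
    """Hash the sorted endpoints: request and reply hit the same worker."""
    proto, (ip_a, port_a), (ip_b, port_b) = flow_key(pkt)
    return _mix(ip_a, port_a, ip_b, port_b, proto, n)


def asymmetric_hash(pkt, n=NUM_THREADS):
    """Hash the ordered tuple: request and reply may land on different workers."""
    return _mix(_ip(pkt["src"]), pkt["sport"], _ip(pkt["dst"]), pkt["dport"],
                PROTO[pkt["proto"]], n)


def split_flows(packets, hash_fn, n=NUM_THREADS):
    """Return flow keys whose packets were spread over more than one worker.
    A non-empty result means Suricata cannot reassemble those sessions."""
    seen = defaultdict(set)
    for pkt in packets:
        seen[flow_key(pkt)].add(hash_fn(pkt, n))
    return sorted(k for k, workers in seen.items() if len(workers) > 1)


# Constructed sample: a client POST to a web server with the server's reply,
# plus an unrelated DNS exchange.
SAMPLE = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51234, "dst": "192.0.2.10", "dport": 80},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 51234},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51234, "dst": "192.0.2.10", "dport": 80},
    {"proto": "udp", "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.53", "dport": 53},
    {"proto": "udp", "src": "192.0.2.53", "sport": 53, "dst": "10.0.0.5", "dport": 40001},
]

if __name__ == "__main__":
    print("symmetric  split flows:", split_flows(SAMPLE, symmetric_hash))
    print("asymmetric split flows:", split_flows(SAMPLE, asymmetric_hash))
```

With the symmetric hash no flow is split; with the ordered hash the HTTP session's two directions land on different workers, which is exactly the condition under which a running sensor misses what a pcap replay catches.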



