[Oisf-users] Suricata generating fewer alerts than Snort

Cooper F. Nelson cnelson at ucsd.edu
Thu Oct 22 18:34:47 UTC 2015



Ok, well, I don't have any experience running the pfring mode.

The zero-copy/AF_PACKET mode is supported w/RSS in the default kernel
sources, so I would suggest giving it a try if it's an option.

I would also suggest running without rules at first and seeing if you
are still dropping packets.  If that's the case there is something wrong
with your base configuration that needs to be addressed first.

-Coop

On 10/22/2015 11:28 AM, Spransy, Derek wrote:
> Hi Cooper,
> 
> Thanks for the suggestions. We're using pfring autofp mode (using ZC
> drivers) rather than AF_Packet, though I could try that
> configuration. RSS is, I believe, disabled in ZC mode. I haven't seen
> a lot of documentation out there about using PF_RING ZC drivers, so
> perhaps I've missed something in that regard.
> 
> Also we are using Suricata optimized rules: ** GET
> http://rules.emergingthreatspro.com/<code>/suricata-2.0.9/etpro.rules.tar.gz
> ==> 200 OK (1s)
> 
> I disabled NIC offloading features for that interface as well, but it
> doesn't appear to have made any significant difference.
> 
> Thanks, Derek


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
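Coop's suggestion above (run without rules first, and only tune rules once the base capture setup stops dropping packets) needs a way to read the drop counters. The following is an added example, not code from the thread or from the Suricata project: a small POSIX shell helper that sums the capture.kernel_packets and capture.kernel_drops counters of the last dump in a Suricata stats.log and prints the drop percentage. The stats.log excerpt is constructed for the example; the `-S /dev/null` no-rules invocation in the comment is the author's assumption about a convenient way to start Suricata with an empty rule set.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): judge capture drops from
# a Suricata stats.log so a no-rules run can be checked before tuning rules.
#
# Assumed no-rules run (not from the thread), e.g.:
#   suricata -c /etc/suricata/suricata.yaml --af-packet -S /dev/null
# then inspect stats.log with drop_ratio / check_drops below.

# Constructed sample of a Suricata 2.x stats.log dump with two AF_PACKET
# capture threads. Values are made up for the example.
SAMPLE_STATS_LOG="${TMPDIR:-/tmp}/suricata-stats.log.example"
cat > "$SAMPLE_STATS_LOG" <<'EOF'
-------------------------------------------------------------------
Date: 10/22/2015 -- 18:34:47 (uptime: 0d, 00h 05m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 900000
capture.kernel_drops      | AFPacketeth01             | 45000
capture.kernel_packets    | AFPacketeth02             | 100000
capture.kernel_drops      | AFPacketeth02             | 5000
decoder.pkts              | AFPacketeth01             | 855000
EOF

# drop_ratio FILE
# Sums kernel_packets and kernel_drops over all capture threads in the LAST
# dump of FILE (each dump starts with a "Date:" line, which resets the sums)
# and prints the drop percentage with one decimal. Exits 1 if no capture
# counters were found, which usually means the wrong file or no traffic.
drop_ratio() {
    awk -F'|' '
        /^Date:/ { pkts = 0; drops = 0 }          # new dump: start over
        $1 ~ /capture\.kernel_packets/ { pkts  += $3 }
        $1 ~ /capture\.kernel_drops/   { drops += $3 }
        END {
            if (pkts == 0) { print "no capture counters found"; exit 1 }
            printf "%.1f\n", 100 * drops / pkts
        }' "$1"
}

# check_drops FILE MAX_PCT
# Returns 0 when the drop percentage is at or below MAX_PCT, 1 otherwise.
# With no rules loaded, anything clearly above zero points at the capture
# configuration (threads, ring sizes, CPU affinity) rather than at rules.
check_drops() {
    ratio=$(drop_ratio "$1") || return 1
    awk -v r="$ratio" -v max="$2" 'BEGIN { exit (r <= max) ? 0 : 1 }'
}

# Stand-alone usage on the constructed sample.
printf 'drop ratio: %s%%\n' "$(drop_ratio "$SAMPLE_STATS_LOG")"
if check_drops "$SAMPLE_STATS_LOG" 1; then
    echo "capture OK: drops within 1%"
else
    echo "capture dropping: fix base configuration before adding rules"
fi
```

Run it against the real stats.log of a no-rules run; if the ratio is already non-trivial there, the problem is in the capture path, not in the rule set, which is exactly the split Coop describes.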


