[Oisf-users] Working with mirror sampling

Andreas Moe moe.andreas at gmail.com
Tue Sep 1 05:15:14 UTC 2015

Just thinking out loud here. But from a security standpoint (and for
example if I was the manager / customer of this network), I would not at
all be comfortable with your detection capability if you are only sampling
the network traffic. Looking at so few events will make you see only a
fraction of incidents, and so on.

If this is "all you can get", then it is better than nothing, but I would
advise you to revisit your hardware limitations.

When it comes to running Suricata from a mirror sample, I think you would
meet a lot of issues. Missing ACKs, incomplete sessions, random resets, and
so on. Sampling is much more useful, and intended, for netflow analysis.

But then again, it would be cool to hear and see your results :)

---------- Forwarded message ---------
From: Alan Wanderley dos Santos <alan.santos at rnp.br>
Date: Mon, Aug 31, 2015, 22:43
Subject: [Oisf-users] Working with mirror sampling
To: <oisf-users at openinfosecfoundation.org>

Hi all,

I'll use Suricata in a backbone with a large amount of data. I'm thinking
of putting Suricata at each aggregation router (5 - 20 Gbps for each router).
My problem is the hardware and software limitation. To solve this, I'll use
mirroring by sampling. JUNOS supports this feature. To do that, a denominator
will be used (not defined yet). Maybe 1/1000 or 1/2000, I don't know.

Another option, for better coverage: I'll test mirroring only the first 120
bytes of each packet (I don't need all 1500 bytes of the packet to
identify a new).

So, the questions are:

Does anyone use Suricata in mirror sampling mode? Does it work?

Does anyone have experience with mirroring parts of a packet (first $x bytes)?

Best Regards,


Alan Santos
Security Analyst
Centro de Atendimento a Incidentes de Segurança (CAIS)
Rede Nacional de Ensino e Pesquisa (RNP)
(19) 3787-3314 | alan.santos at rnp.br
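
An added illustration, not part of either message in this thread: a small model of what 1-in-N packet sampling and a 120-byte truncation leave for a stream-based IDS to inspect. It assumes independent random sampling per packet and 54 bytes of Ethernet/IPv4/TCP headers without options; the function names and the sample payload are constructed for this example.

```python
import random

HEADER_LEN = 14 + 20 + 20  # Ethernet + IPv4 + TCP, no options (assumption)

# Constructed HTTP request: one pattern near the start, one past byte 150.
CONSTRUCTED_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    b"X-Pad: " + b"a" * 100 +
    b"\r\nUser-Agent: constructed-marker\r\n\r\n"
)

def sample_flows(num_flows, pkts_per_flow, n, seed=2015):
    """Keep each packet with probability 1/n (assumed independent sampling).
    Packets 0..2 of every flow stand for the TCP three-way handshake.
    Returns how many flows were seen at all, had the whole handshake
    captured, and had every packet captured."""
    rng = random.Random(seed)
    seen = handshake = complete = 0
    for _ in range(num_flows):
        kept = [rng.random() < 1.0 / n for _ in range(pkts_per_flow)]
        seen += any(kept)
        handshake += all(kept[:3])
        complete += all(kept)
    return {"seen": seen, "handshake": handshake, "complete": complete}

def expected_fraction(k, n):
    """Analytic chance that k specific packets all survive 1-in-n sampling."""
    return (1.0 / n) ** k

def pattern_visible(payload, pattern, snaplen, header_len=HEADER_LEN):
    """True if `pattern` lies entirely within the payload bytes that remain
    once the mirrored packet is cut to `snaplen` bytes."""
    visible = payload[:max(0, snaplen - header_len)]
    return pattern in visible

if __name__ == "__main__":
    for n in (1, 1000, 2000):
        print(f"1/{n}: {sample_flows(10_000, 20, n)}")
    print("P(handshake captured) at 1/1000:", expected_fraction(3, 1000))
    for snaplen in (120, 1500):
        for pat in (b"GET /index.html", b"constructed-marker"):
            print(snaplen, pat, pattern_visible(CONSTRUCTED_PAYLOAD, pat, snaplen))
```
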