[Oisf-users] Working with mirror sampling

Chris Wakelin cwakelin at emergingthreats.net
Tue Sep 1 07:43:36 UTC 2015


120 bytes of a packet won't even get you the URL in a HTTP request most
of the time, let alone anything to match in a response. Most rules in
the Emerging Threats ruleset will probably fail to match anything in
these circumstances. If you use full(er) packets, and sample, then you
may be lucky and spot "noisy" botnets that make lots of connections etc.

Best Wishes,
Chris

On 01/09/15 06:15, Andreas Moe wrote:
> Just thinking out loud here. But from a security standpoint (and for
> example if i was the manager / customer of this network), i would not at
> all be comfertable with your detection capability if you are only sampling
> the network traffic. Looking at so few events will make you see only a
> fraction of incidents, and so on.
> 
> If this is "all you can get", then it is better than nothing, but i would
> advise you to revisit your hardware limitations.
> 
> When it comes to running suricata from a mirror sample, i think you would
> meet alot of issues. Missing ACKs, incomplete sessions, random resets, and
> so on. Sampling is much more usefull, and intended for netflow analysis.
> 
> But then again, it would be cool to hear and see your resultat :)
> 
> ---------- Forwarded message ---------
> From: Alan Wanderley dos Santos <alan.santos at rnp.br>
> Date: man. 31. aug. 2015, 22.43
> Subject: [Oisf-users] Working with mirror sampling
> To: <oisf-users at openinfosecfoundation.org>
> 
> 
> Hi all,
> 
> I'll use suricata in a backbone with a large amount of data. I'm thinking
> in put suricata at each aggregation router (5 - 20 Gbps for each router).
> My problem is the hardware and software limitation. To solve this, i'll use
> mirror by sampling. JUNOS support this feature. For do that, a denominator
> will be used (not defined yet). Maybe 1/1000 or 1/2000, i don't know.
> 
> Other option, for a better coverage, i'll test mirror only the first 120
> bytes that each packet (i don't need that all 1500 bytes of packet for
> identify a new).
> 
> So, the questions are:
> 
> Does someone uses suricata with in mirror sampling mode? It's works?
> 
> Does anyone have experience with mirror parts of a packet (first $x bytes)?
> 
> Best Regards,
> 
> att,
> 
> 
> -----------------------------------------------
> Alan Santos
> Analista de Seguran├ža
> Centro de Atendimento a Incidentes de Seguran├ža (CAIS)
> Rede Nacional de Ensino e Pesquisa (RNP)
> (19) 3787-3314 | alan.santos at rnp.br
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 



More information about the Oisf-users mailing list