[Oisf-users] Working with mirror sampling
Rob MacGregor
rob.macgregor at gmail.com
Tue Sep 1 09:59:47 UTC 2015
On Mon, Aug 31, 2015 at 9:43 PM Alan Wanderley dos Santos <
alan.santos at rnp.br> wrote:
> Hi all,
>
> I'll use suricata in a backbone with a large amount of data. I'm thinking
> in put suricata at each aggregation router (5 - 20 Gbps for each router).
> My problem is the hardware and software limitation. To solve this, i'll use
> mirror by sampling. JUNOS support this feature. For do that, a denominator
> will be used (not defined yet). Maybe 1/1000 or 1/2000, i don't know.
>
5 Gb/s is not a problem for Suricata with sensible hardware - you'll find a
blog post from somebody who's run at just under 10 Gb/s on stock hardware
and careful tuning (
https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/).
If you're running a wider set of rules, dedicated capture cards make a
massive difference, possibly with some IDS load balancers/packet brokers.
With those and some care in your rules, I see no reason why 20 Gb/s
wouldn't be achievable.
--
Rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150901/cdb48f0a/attachment-0002.html>
More information about the Oisf-users
mailing list