[Oisf-users] Working with mirror sampling

Alan Wanderley dos Santos alan.santos at rnp.br
Tue Sep 1 14:03:56 UTC 2015


Hi Chris,

Thank you for the advice.

I said 120 bytes, but I don't have this denominator yet (sorry for that). 120 was a guess, but after your advice I'll think about getting the full packet. Doing the sampling was an attempt to increase our detection capability. But increasing the number of packets and downgrading the accuracy is a bad idea.

Best Regards,

-----------------------------------------------
Alan Santos
Security Analyst
Centro de Atendimento a Incidentes de Segurança (CAIS)
Rede Nacional de Ensino e Pesquisa (RNP)
(19) 3787-3314 | alan.santos at rnp.br

----- Original message -----
From: "Chris Wakelin" <cwakelin at emergingthreats.net>
To: oisf-users at lists.openinfosecfoundation.org
Sent: Tuesday, 1 September 2015 4:43:36
Subject: Re: [Oisf-users] Working with mirror sampling

120 bytes of a packet won't even get you the URL in a HTTP request most
of the time, let alone anything to match in a response. Most rules in
the Emerging Threats ruleset will probably fail to match anything in
these circumstances. If you use full(er) packets, and sample, then you
may be lucky and spot "noisy" botnets that make lots of connections etc.

Best Wishes,
Chris

On 01/09/15 06:15, Andreas Moe wrote:
> Just thinking out loud here. But from a security standpoint (and for
> example if I was the manager / customer of this network), I would not at
> all be comfortable with your detection capability if you are only sampling
> the network traffic. Looking at so few events will make you see only a
> fraction of incidents, and so on.
> 
> If this is "all you can get", then it is better than nothing, but I would
> advise you to revisit your hardware limitations.
> 
> When it comes to running suricata from a mirror sample, I think you would
> meet a lot of issues. Missing ACKs, incomplete sessions, random resets, and
> so on. Sampling is much more useful, and intended, for netflow analysis.
> 
> But then again, it would be cool to hear and see your result :)
> 
> ---------- Forwarded message ---------
> From: Alan Wanderley dos Santos <alan.santos at rnp.br>
> Date: Mon 31 Aug 2015, 22:43
> Subject: [Oisf-users] Working with mirror sampling
> To: <oisf-users at openinfosecfoundation.org>
> 
> 
> Hi all,
> 
> I'll use suricata in a backbone with a large amount of data. I'm thinking
> of putting suricata at each aggregation router (5 - 20 Gbps for each router).
> My problem is the hardware and software limitation. To solve this, I'll use
> mirror by sampling. JUNOS supports this feature. To do that, a denominator
> will be used (not defined yet). Maybe 1/1000 or 1/2000, I don't know.
> 
> Another option, for better coverage: I'll test mirroring only the first 120
> bytes of each packet (I don't need all 1500 bytes of the packet to
> identify a new).
> 
> So, the questions are:
> 
> Does anyone use suricata in mirror sampling mode? Does it work?
> 
> Does anyone have experience with mirroring parts of a packet (the first $x bytes)?
> 
> Best Regards,
> 
> Regards,
> 
> 
> -----------------------------------------------
> Alan Santos
> Security Analyst
> Centro de Atendimento a Incidentes de Segurança (CAIS)
> Rede Nacional de Ensino e Pesquisa (RNP)
> (19) 3787-3314 | alan.santos at rnp.br
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 
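Chris's point above, that 120 bytes of a packet usually does not even reach the end of the HTTP request line, is easy to check numerically. The following is an added example, not code from the thread or from Suricata: it constructs a single Ethernet/IPv4/TCP frame carrying an HTTP GET (all bytes constructed for the demonstration), applies the same truncation a mirror port would, and walks the headers by IHL and TCP data offset to see whether a complete request line, and therefore the URL a content rule would match on, survives. TCP options such as timestamps shrink the visible payload further, which the example also shows.

```python
"""Added example (not part of the mailing-list thread): how much of an HTTP
request survives when a mirror port forwards only the first N bytes of each
packet. Every packet byte below is constructed for this demonstration."""
import struct

ETH_HDR_LEN = 14
IPV4_HDR_LEN = 20          # no IP options
TCP_BASE_HDR_LEN = 20      # before options
SNAPLEN_FROM_THREAD = 120  # the truncation length discussed on the list

# Constructed sample request; the URL is the kind of thing an ET rule keys on.
SAMPLE_URL = "/images/2015/09/banner_update_check_v2.php?session=0123456789"
SAMPLE_HOST = "www.example.com"


def _padded(options_len: int) -> int:
    """TCP data offset counts 32-bit words, so options are padded to 4 bytes."""
    return options_len + (-options_len % 4)


def build_http_packet(url: str, host: str, tcp_options: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame carrying one HTTP request.
    Checksums stay zero; they do not matter for the truncation question."""
    payload = (f"GET {url} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: Mozilla/5.0\r\n\r\n").encode()
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    tcp_hdr_len = TCP_BASE_HDR_LEN + len(tcp_options)
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80,                       # src / dst port
                      1, 1,                            # seq / ack
                      (tcp_hdr_len // 4) << 4, 0x18,   # data offset, PSH|ACK
                      65535, 0, 0) + tcp_options       # window, csum, urg
    ip_total = IPV4_HDR_LEN + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total, 0, 0x4000, 64, 6, 0,   # IHL=5, DF, TCP
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    eth = b"\x00" * 12 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp + payload


def mirror_truncate(frame: bytes, snaplen: int) -> bytes:
    """What a mirror port forwarding only the first snaplen bytes delivers."""
    return frame[:snaplen]


def http_request_line(frame: bytes):
    """Walk Ethernet -> IPv4 -> TCP and return (method, url) from the HTTP
    request line, or None when the captured bytes do not hold a complete
    request line. Header lengths come from IHL and the TCP data offset."""
    if len(frame) < ETH_HDR_LEN + IPV4_HDR_LEN or frame[12:14] != b"\x08\x00":
        return None
    ip_off = ETH_HDR_LEN
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 6:                  # not TCP
        return None
    tcp_off = ip_off + ihl
    if len(frame) < tcp_off + TCP_BASE_HDR_LEN:
        return None
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:]
    end = payload.find(b"\r\n")
    if end < 0:                                 # request line cut by snaplen
        return None
    parts = payload[:end].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0].decode(), parts[1].decode()


def payload_bytes_visible(snaplen: int, tcp_options_len: int = 0) -> int:
    """HTTP bytes left after Ethernet, IPv4 and a TCP header with options."""
    hdrs = ETH_HDR_LEN + IPV4_HDR_LEN + TCP_BASE_HDR_LEN + _padded(tcp_options_len)
    return max(0, snaplen - hdrs)


def min_snaplen_for_request_line(url: str, tcp_options_len: int = 0,
                                 method: str = "GET") -> int:
    """Smallest snaplen that still delivers the whole request line (with CRLF)."""
    line = f"{method} {url} HTTP/1.1\r\n"
    return (ETH_HDR_LEN + IPV4_HDR_LEN + TCP_BASE_HDR_LEN
            + _padded(tcp_options_len) + len(line))


if __name__ == "__main__":
    # NOP, NOP, timestamps (kind 8, len 10): the usual 12-byte option block.
    ts_opts = b"\x01\x01\x08\x0a" + b"\x00" * 8
    for label, opts in (("no TCP options", b""), ("TCP timestamps", ts_opts)):
        pkt = build_http_packet(SAMPLE_URL, SAMPLE_HOST, opts)
        seen = http_request_line(mirror_truncate(pkt, SNAPLEN_FROM_THREAD))
        print(f"{label}: {payload_bytes_visible(SNAPLEN_FROM_THREAD, len(opts))} "
              f"payload bytes at snaplen {SNAPLEN_FROM_THREAD}; URL recovered: {seen}")
        print(f"  need snaplen >= {min_snaplen_for_request_line(SAMPLE_URL, len(opts))}")
```

With plain 54 bytes of headers, a 120-byte snaplen leaves 66 bytes of HTTP, which is less than the request line for any URL over about 50 characters; with TCP timestamps it is 54 bytes. Sampling one packet in N on top of that does not change the per-packet picture at all, it only makes the surviving packets rarer, which is why the suggestion in the thread is full packets (or at least a snaplen sized to the request line plus the Host header) and sampling only if the hardware leaves no other choice.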