[Oisf-users] Working with mirror sampling

Alan Wanderley dos Santos alan.santos at rnp.br
Tue Sep 1 14:33:04 UTC 2015


About the detection capability, we really have a problem. Today, we have nothing, so it is better than nothing. Of course, we are looking for the best solution with our resources. 

Over the next weeks I'll do some tests and put the results here :) 

Thanks 

Best Regards, 

----------------------------------------------- 
Alan Santos 
Security Analyst 
Centro de Atendimento a Incidentes de Segurança (CAIS) 
Rede Nacional de Ensino e Pesquisa (RNP) 
(19) 3787-3314 | alan.santos at rnp.br 


From: "Andreas Moe" <moe.andreas at gmail.com> 
To: "oisf-users" <oisf-users at openinfosecfoundation.org> 
Sent: Tuesday, 1 September 2015 2:15:14 
Subject: Re: [Oisf-users] Working with mirror sampling 



Just thinking out loud here. But from a security standpoint (and for example if I was the manager / customer of this network), I would not at all be comfortable with your detection capability if you are only sampling the network traffic. Looking at so few events will make you see only a fraction of incidents, and so on. 

If this is "all you can get", then it is better than nothing, but I would advise you to revisit your hardware limitations. 

When it comes to running Suricata from a mirror sample, I think you would meet a lot of issues. Missing ACKs, incomplete sessions, random resets, and so on. Sampling is much more useful, and intended, for netflow analysis. 

But then again, it would be cool to hear and see your results :) 
---------- Forwarded message --------- 
From: Alan Wanderley dos Santos < alan.santos at rnp.br > 
Date: Mon, 31 Aug 2015, 22:43 
Subject: [Oisf-users] Working with mirror sampling 
To: < oisf-users at openinfosecfoundation.org > 


Hi all, 

I'll use Suricata in a backbone with a large amount of data. I'm thinking of putting Suricata at each aggregation router (5 - 20 Gbps for each router). My problem is the hardware and software limitation. To solve this, I'll use mirroring by sampling. JUNOS supports this feature. To do that, a denominator will be used (not defined yet). Maybe 1/1000 or 1/2000, I don't know. 

Another option, for better coverage: I'll test mirroring only the first 120 bytes of each packet (I don't need all 1500 bytes of a packet to identify a new one). 

So, the questions are: 

Does anyone use Suricata in mirror sampling mode? Does it work? 

Does anyone have experience with mirroring parts of a packet (the first $x bytes)? 

Best Regards, 

Regards, 


----------------------------------------------- 
Alan Santos 
Security Analyst 
Centro de Atendimento a Incidentes de Segurança (CAIS) 
Rede Nacional de Ensino e Pesquisa (RNP) 
(19) 3787-3314 | alan.santos at rnp.br 
_______________________________________________ 
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org 
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/ 
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net 
