[Oisf-users] Working with mirror sampling

Alan Wanderley dos Santos alan.santos at rnp.br
Tue Sep 1 15:02:07 UTC 2015

Hi Rob, 

My hardware characteristics are very simple. We are working with a VM, so all resources are shared. Besides, we have some other things running with Suricata. For example, some scripts to read logs and send mails for us, a script to get updates from our server, and more.

We are also worried about the resources of the router. Duplicating all traffic requires a lot of processing. Maybe this can be a problem.

I have not done a load test yet, but I'll do one in the next weeks. After this, I'll put the results here.


Alan Santos 
Security Analyst
Centro de Atendimento a Incidentes de Segurança (CAIS) 
Rede Nacional de Ensino e Pesquisa (RNP) 
(19) 3787-3314 | alan.santos at rnp.br 

From: "Rob MacGregor" <rob.macgregor at gmail.com>
To: "oisf-users" <oisf-users at openinfosecfoundation.org>
Sent: Tuesday, September 1, 2015 6:59:47
Subject: Re: [Oisf-users] Working with mirror sampling

On Mon, Aug 31, 2015 at 9:43 PM Alan Wanderley dos Santos < alan.santos at rnp.br > wrote: 

Hi all, 

I'll use Suricata in a backbone with a large amount of data. I'm thinking of putting Suricata at each aggregation router (5 - 20 Gbps for each router). My problem is the hardware and software limitation. To solve this, I'll use mirroring by sampling. JUNOS supports this feature. To do that, a denominator will be used (not defined yet). Maybe 1/1000 or 1/2000, I don't know.

5 Gb/s is not a problem for Suricata with sensible hardware - you'll find a blog post from somebody who's run at just under 10 Gb/s on stock hardware and careful tuning ( https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/ ). 

If you're running a wider set of rules, dedicated capture cards make a massive difference, possibly with some IDS load balancers/packet brokers. With those and some care in your rules, I see no reason why 20 Gb/s wouldn't be achievable. 

