[Oisf-users] Working with mirror sampling

Cooper F. Nelson cnelson at ucsd.edu
Tue Sep 1 15:38:17 UTC 2015


As mentioned, sampling packets will break Suricata, as it will cause every IP packet larger than 120 bytes to have a bad checksum.

There are lots of ways to filter what traffic is sent to the suricata process.  The most common ones are documented here:

> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

Consider filtering top-talkers like streaming video sites, particularly if your ISP has Google/Netflix caches.

If you really want to actually sample traffic, a much better process is to sample flows vs. packets.  For example, this BPF filter will sample port 80 TCP flows:

> (not tcp src port 80 or (tcp src port 80 and ((tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))))

... recording all client packets, server HTTP headers and SYN/FIN packets.  The 'fat tail' of the HTTP session will be discarded, however.  Keep in mind this will trigger HTTP decoder errors if you have those enabled. 

-Coop

On 9/1/2015 7:03 AM, Alan Wanderley dos Santos wrote:
> Hi Chris,
> Thank you for the advice.
> I said 120 bytes, but I don't have this denominator yet (sorry for
> that). 120 was a guess, but, after your advice, I'll think about getting the
> full packet. Doing the sampling was an attempt to increase our
> detection capability. But increasing the number of packets and
> downgrading the accuracy is a bad idea.
> Best Regards,

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
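An added example, not part of Coop's post or of Suricata: a Python model of the flow-sampling filter's semantics, applied to a constructed HTTP exchange so you can see which segments it keeps (all client packets, server SYN/FIN, the server segment whose payload starts with "HTTP") and which it drops (the response body). Ports, payloads and the segment layout are constructed here; no IP layer or checksums are modelled.

```python
import struct

SYN, FIN, ACK, PSH = 0x02, 0x01, 0x10, 0x08
HTTP_MAGIC = 0x48545450  # the bytes "HTTP" as a big-endian 32-bit integer


def build_tcp(src_port, dst_port, flags, payload=b"", data_offset_words=5):
    """Constructed TCP segment (no IP header, checksum left at zero)."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      data_offset_words << 4, flags, 65535, 0, 0)
    hdr += b"\x00" * (data_offset_words * 4 - 20)  # zero-filled TCP options
    return hdr + payload


def keep_for_sampling(tcp):
    """Python equivalent of the post's filter:
    not tcp src port 80 or (tcp src port 80 and
      (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
       or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))"""
    if struct.unpack("!H", tcp[0:2])[0] != 80:
        return True                        # client -> server: always kept
    if tcp[13] & (SYN | FIN):
        return True                        # server SYN/SYN-ACK/FIN kept
    off = (tcp[12] & 0xF0) >> 2            # data offset nibble -> header bytes
    if len(tcp) < off + 4:
        return False                       # BPF rejects out-of-range loads
    return struct.unpack("!I", tcp[off:off + 4])[0] == HTTP_MAGIC


def sample_flow(segments):
    """Return (kept, dropped) counts for a list of TCP segments."""
    kept = sum(1 for s in segments if keep_for_sampling(s))
    return kept, len(segments) - kept


# Constructed HTTP exchange: handshake, request, response header, body, FIN.
FLOW = [
    build_tcp(51234, 80, SYN),
    build_tcp(80, 51234, SYN | ACK),
    build_tcp(51234, 80, PSH | ACK, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_tcp(80, 51234, PSH | ACK, b"HTTP/1.1 200 OK\r\n\r\n", data_offset_words=8),
    build_tcp(80, 51234, ACK, b"<html>... response body ..."),   # dropped
    build_tcp(80, 51234, ACK, b"... more body ..."),             # dropped
    build_tcp(80, 51234, FIN | ACK),
]

if __name__ == "__main__":
    print("kept, dropped =", sample_flow(FLOW))  # (5, 2)
```

The dropped segments are exactly the "fat tail" of the response the post mentions; with Suricata's HTTP decoder enabled, those missing body bytes are what produce the decoder errors.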

