[Oisf-users] Working with mirror sampling

Cooper F. Nelson cnelson at ucsd.edu
Tue Sep 1 15:38:17 UTC 2015



As mentioned, sampling packets will break suricata, as it will cause every IP packet larger than 120 bytes to have a bad checksum.

There are lots of ways to filter what traffic is sent to the suricata process.  The most common ones are documented here:

> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

Consider filtering top-talkers like streaming video sites, particularly if your ISP has Google/Netflix caches.

If you really want to actually sample traffic, a much better process is to sample flows vs. packets.  For example, this bpf filter will sample port 80 TCP flows:

> (not tcp src port 80 or (tcp src port 80 and ((tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))))

... recording all client packets, server HTTP headers and SYN/FIN packets.  The 'fat tail' of the HTTP session will be discarded, however.  Keep in mind this will trigger HTTP decoder errors if you have those enabled. 

-Coop

On 9/1/2015 7:03 AM, Alan Wanderley dos Santos wrote:
> Hi Chris,
> 
> Thank you for the advice.
> 
> I said 120 bytes, but I don't have this denominator yet (sorry for
> that). 120 was a guess, but after your advice I'll think about getting
> the full packet. Doing the sampling was an attempt to increase our
> detection capability. But increasing the number of packets and
> downgrading the accuracy is a bad idea.
> 
> Best Regards,


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
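The flow-sampling expression above is compact but easy to misread, in particular the `tcp[((tcp[12:1] & 0xf0) >> 2):4]` part, which computes the TCP header length from the data-offset nibble and then compares the first four payload bytes against `0x48545450` ("HTTP"). The following is an added example, not code from the original message or from Suricata or libpcap: a pure-Python model of the same predicate, run over packets constructed in the script itself (no capture file needed), so you can see which side of a port-80 flow survives the filter before committing it to a production sensor. It assumes bare IPv4/TCP packets without a link-layer header; checksums are left zero because the expression never inspects them.

```python
"""Model of the flow-sampling BPF expression from the message, applied to
constructed IPv4/TCP packets (added example; not the list post's code).

BPF expression being modelled:
  not tcp src port 80
  or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
                           or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))
"""
import struct

HTTP_MAGIC = 0x48545450       # the bytes b"HTTP" read as a big-endian u32
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def build_packet(sport, dport, flags, payload=b"", ip_options=b"", tcp_options=b""):
    """Constructed sample packet: minimal IPv4 + TCP, no Ethernet header.

    Options must be a multiple of 4 bytes so IHL / data offset stay exact.
    Checksums are zero; the modelled filter does not look at them.
    """
    ihl = 5 + len(ip_options) // 4
    doff = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0,       # ports, seq, ack
                          doff << 4, flags,         # data offset nibble, flags byte
                          65535, 0, 0) + tcp_options
    total_len = ihl * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, 6, 0,                  # TTL, protocol=TCP, checksum
                         b"\x0a\x00\x00\x01", b"\xc0\xa8\x00\x02") + ip_options
    return ip_hdr + tcp_hdr + payload


def sample_filter(pkt):
    """Return True if pkt would pass the BPF expression above."""
    if pkt[9] != 6:                      # not TCP at all -> "tcp" keyword fails
        return False
    ihl = (pkt[0] & 0x0F) * 4            # tcp[...] offsets are relative to the TCP header
    tcp = pkt[ihl:]
    (sport,) = struct.unpack("!H", tcp[0:2])
    if sport != 80:
        return True                      # "not tcp src port 80": every client packet kept
    if tcp[13] & (TCP_SYN | TCP_FIN):    # tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
        return True
    doff = (tcp[12] & 0xF0) >> 2         # (tcp[12:1] & 0xf0) >> 2 == header length in bytes
    if len(tcp) < doff + 4:              # BPF rejects a packet it cannot index into
        return False
    (first4,) = struct.unpack("!I", tcp[doff:doff + 4])
    return first4 == HTTP_MAGIC          # server response header, not the body


def demo():
    """Run the filter over one constructed HTTP exchange; returns {label: kept}."""
    hdr = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    flows = {
        "client-syn":      build_packet(40000, 80, TCP_SYN),
        "server-synack":   build_packet(80, 40000, TCP_SYN | TCP_ACK),
        "client-get":      build_packet(40000, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n\r\n"),
        "server-header":   build_packet(80, 40000, TCP_PSH | TCP_ACK, hdr),
        # same response header but with a 4-byte TCP option (MSS), exercising the offset math
        "server-header-opts": build_packet(80, 40000, TCP_PSH | TCP_ACK, hdr,
                                           tcp_options=b"\x02\x04\x05\xb4"),
        "server-body":     build_packet(80, 40000, TCP_ACK, b"<html>...</html>"),
        "server-pure-ack": build_packet(80, 40000, TCP_ACK),
        "server-finack":   build_packet(80, 40000, TCP_FIN | TCP_ACK),
    }
    return {name: sample_filter(pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, kept in demo().items():
        print(f"{name:20s} {'kept' if kept else 'dropped'}")
```

Running it shows exactly the trade-off described in the message: all client packets, the SYN/ACK, the FIN/ACK and the first segment of the server response (the one that begins with `HTTP`) are kept, while the continuation segments of the body and pure ACKs from the server are dropped. Because the body segments never reach Suricata, the HTTP decoder will see a truncated response, which is where the decoder errors mentioned above come from. Note also that `tcp src port 80` in BPF only matches non-fragmented packets; fragments of port-80 responses fall into the `not tcp src port 80` branch and are kept.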


