[Oisf-users] Alternatives to ET Pro?
Cooper F. Nelson
cnelson at ucsd.edu
Tue Feb 9 17:34:57 UTC 2016
We are in the same boat and addressed our performance issues with some
simple tuning.
First off, consider filtering out top-talkers via bpf filters,
particularly your ISP's CDN vlan (akamai and netflix), as well as local
google/youtube caches if you have them. Filtering out HD video will
double your performance, easily.
You can find top-talkers on the command line with this script, just
replace the '-i eth2' with your NIC.
> #!/bin/bash
>
> # Sample 100k packets, strip the port from each source address (tcpdump prints it as a fifth dotted field),
> # count packets per source and list only sources seen more than 100 times, busiest first.
> sudo tcpdump -tnn -c 100000 -i eth2 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '
Also, as mentioned, consider migrating to either the 3.0 or the high
performance branch:
> https://github.com/inliniac/suricata/tree/dev-detect-grouping-v174
The performance is way better. Building from source and setting your
CFLAGS to '-O3' will also reduce packet drops by a few %.
Will, you guys are doing a great job and suricata+ETPRO is easily the
best value security product on the market!
-Coop
On 2/9/2016 8:56 AM, Brandon Lattin wrote:
> We've been happy with ET for year, but we have noticed an increase in
> the number of rules we've had to disable due to unreasonably high
> percentages of CPU time. We do profile on a large sample set (~7Gbps for
> 10 minutes) daily. I have no doubt that you guys do your best testing,
> but we have a large network with a lot of students and researchers doing
> some very weird things. We get that it's as much an art as it is a science.
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
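An added example, not part of Coop's post, that extends his one-liner: a POSIX sh script that counts IPv4 sources in "tcpdump -tnn" output and turns the top talkers into a BPF exclusion expression you can dry-run with tcpdump before handing it to Suricata's BPF filter option. The tcpdump lines in SAMPLE are constructed, and the "bpf-filter" key name is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Constructed sample of "tcpdump -tnn" output (not real capture data):
# one busy source, one quiet source, plus an IPv6 line that is ignored.
SAMPLE='IP 10.0.0.1.443 > 192.0.2.10.51234: Flags [S], seq 0, length 0
IP 10.0.0.1.443 > 192.0.2.10.51234: Flags [.], ack 1, length 0
IP 10.0.0.1.443 > 192.0.2.10.51234: Flags [P.], seq 1:1449, length 1448
IP 192.0.2.10.51234 > 10.0.0.1.443: Flags [.], ack 1449, length 0
IP6 2001:db8::1.443 > 2001:db8::2.40000: Flags [S], length 0'

# Count packets per IPv4 source address (port field dropped) and print
# "<count> <ip>" for sources seen more than $1 times, busiest first.
top_talkers() {
    awk -F '[ .]' -v min="$1" '
        $1 == "IP" { src = $2 "." $3 "." $4 "." $5; n[src]++ }
        END { for (s in n) if (n[s] > min) print n[s], s }
    ' | sort -nr
}

# Turn top_talkers output into a BPF exclusion expression such as
#   not (host 10.0.0.1 or host 10.0.0.2)
# Verify it with "tcpdump -i eth2 '<expr>'" first; the assumed suricata.yaml
# key is bpf-filter under the capture interface. For a CDN vlan you would
# normally widen "host A.B.C.D" to "net A.B.C.0/24" by hand.
bpf_exclude() {
    hosts=""
    while read -r _count ip; do
        if [ -z "$hosts" ]; then hosts="host $ip"; else hosts="$hosts or host $ip"; fi
    done
    if [ -n "$hosts" ]; then printf 'not (%s)\n' "$hosts"; fi
}

# Demo on the constructed sample; on a live sensor replace the printf with
#   sudo tcpdump -tnn -c 100000 -i eth2 2>/dev/null
printf '%s\n' "$SAMPLE" | top_talkers 2 | bpf_exclude
```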