[Oisf-users] Alternatives to ET Pro?

Cooper F. Nelson cnelson at ucsd.edu
Tue Feb 9 17:34:57 UTC 2016

We are in the same boat and addressed our performance issues with some
simple tuning.

First off, consider filtering out top-talkers via bpf filters,
particularly your ISP's CDN vlan (akamai and netflix), as well as local
google/youtube caches if you have them.  Filtering out HD video will
double your performance, easily.

You can find top-talkers on the command line with this script, just
replace the '-i eth2' with your NIC.

> #!/bin/bash
> # Sample 100000 packets, keep the first four dot-separated fields of each
> # line (the source address, minus its port), then count and rank the
> # addresses and show only those seen more than 100 times.
> sudo tcpdump -tnn -c 100000 -i eth2 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '

Also, as mentioned, consider migrating to either the 3.0 or the high
performance branch:

> https://github.com/inliniac/suricata/tree/dev-detect-grouping-v174

The performance is way better.  Building from source and setting your
CFLAGS to '-O3' will also reduce packet drops by a few %.

Will, you guys are doing a great job and suricata+ETPRO is easily the
best value security product on the market!

-Coop

On 2/9/2016 8:56 AM, Brandon Lattin wrote:
> We've been happy with ET for years, but we have noticed an increase in
> the number of rules we've had to disable due to unreasonably high
> percentages of CPU time. We do profile on a large sample set (~7Gbps for
> 10 minutes) daily. I have no doubt that you guys do your best testing,
> but we have a large network with a lot of students and researchers doing
> some very weird things. We get that it's as much an art as it is a science.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
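The top-talker idea above, carried one step further as an added example that is not part of the original post: rank hosts from saved `tcpdump -tnn` output counting both source and destination, then turn the heaviest ones into a BPF exclusion expression. The sample capture lines, the 23.45.67.89 "CDN" address and the thresholds are constructed for the example; it handles IPv4 only.

```shell
#!/bin/sh
# Added example, not the poster's script. Input is `tcpdump -tnn` text, e.g.
#   IP 10.0.0.5.51234 > 23.45.67.89.443: Flags [S], ...
#   IP 10.0.0.7 > 192.0.2.10: ICMP echo request, ...
# Constructed sample capture (five lines, IPv4 only):
SAMPLE='IP 10.0.0.5.51234 > 23.45.67.89.443: Flags [S], seq 0, win 64240, length 0
IP 23.45.67.89.443 > 10.0.0.5.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
IP 10.0.0.5.51234 > 23.45.67.89.443: Flags [.], ack 1, win 502, length 0
IP 10.0.0.7.40000 > 23.45.67.89.443: Flags [S], seq 0, win 64240, length 0
IP 10.0.0.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64'

# Read tcpdump lines on stdin, print "count host" for every IPv4 host seen as
# source or destination, highest count first (ties broken by address).
top_talkers() {
    awk '$1 == "IP" {
            src = $2; dst = $4; sub(/:$/, "", dst)
            # a fifth dot-separated field is the port; drop it so that all
            # ports of one host collapse together (ICMP lines have no port)
            if (split(src, p, ".") == 5) sub(/\.[0-9]+$/, "", src)
            if (split(dst, p, ".") == 5) sub(/\.[0-9]+$/, "", dst)
            n[src]++; n[dst]++
         }
         END { for (h in n) print n[h], h }' | sort -k1,1nr -k2,2
}

# Read "count host" lines on stdin and build a BPF expression that excludes
# every host whose count is above the threshold given as $1.
bpf_exclude() {
    threshold="$1"; filter=""
    while read -r count host; do
        [ "$count" -gt "$threshold" ] || continue
        filter="${filter:+$filter or }host $host"
    done
    if [ -n "$filter" ]; then printf 'not (%s)\n' "$filter"; fi
}

# Convenience wrapper: exclusion filter for the embedded sample at threshold $1.
sample_filter() {
    printf '%s\n' "$SAMPLE" | top_talkers | bpf_exclude "$1"
}
```

On a live box you would replace the sample with `tcpdump -tnn -c 100000 -i <nic>` output and hand the printed expression to Suricata as its capture BPF filter; check the excluded hosts by hand first, since a busy local client will rank as high as a CDN node.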