[Oisf-users] Alternatives to ET Pro?

Michał Purzyński michalpurzynski1 at gmail.com
Tue Feb 9 22:11:17 UTC 2016


I have to agree. We have around 60Gbit of a very difficult traffic, that's been bringing every IDS but Suricata and Bro to its knees. Not to mention the accuracy.

With enough tuning I've brought that down to around 20Gbit. Devices like Arista, Netoptics and others are very useful for that, especially if you really have a 100Gbit network (and not just interfaces).

As for the quality, I haven't seen anything similar to ET, with several places you can discuss the rules, even in public, instead of the usual "just trust us, here's a binary update for the rule set, can't help, your support contract sucks".

We run the "optimized" branch of Suricata 3.

Sent from my couch

> On 09 Feb 2016, at 18:34, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> We are in the same boat and addressed our performance issues with some
> simple tuning.
> 
> First off, consider filtering out top-talkers via bpf filters,
> particularly your ISP's CDN vlan (akamai and netflix), as well as local
> google/youtube caches if you have them.  Filtering out HD video will
> double your performance, easily.
> 
> You can find top-talkers on the command line with this script, just
> replace the '-i eth2' with your NIC.
> 
>> #!/bin/bash
>> 
>> sudo tcpdump -tnn -c 100000 -i eth2 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '
> 
> 
> Also, as mentioned, consider migrating to either the 3.0 or the high
> performance branch:
> 
>> https://github.com/inliniac/suricata/tree/dev-detect-grouping-v174
> 
> The performance is way better.  Building from source and setting your
> CFLAGS to '-O3' will also reduce packet drops by a few %.
> 
> Will, you guys are doing a great job and suricata+ETPRO is easily the
> best value security product on the market!
> 
> - -Coop
> 
>> On 2/9/2016 8:56 AM, Brandon Lattin wrote:
>> We've been happy with ET for years, but we have noticed an increase in
>> the number of rules we've had to disable due to unreasonably high
>> percentages of CPU time. We do profile on a large sample set (~7Gbps for
>> 10 minutes) daily. I have no doubt that you guys do your best testing,
>> but we have a large network with a lot of students and researchers doing
>> some very weird things. We get that it's as much an art as it is a science.
> 
> 
> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> 
> iQEcBAEBAgAGBQJWuiNBAAoJEKIFRYQsa8FWm1sH/2BnTyJmjYPzXe7luFozW3R5
> poRmCOhkX/E806j/ToQBBACAzH6rG0xacndXdvQpyhsMObs7mN36zFR5wAJfQfPn
> +JmfLL2OXQWRk3jr6gfHkkB/NhNPgAzhewRxpIA1DV/I0YuHYxRcTHWwK+0u99iR
> h6x41kSsllQk/UsvVacoR/h0Y8Di24CNtbwOqy0Bl35tFgPqvk2af1toAEVhHk6l
> Gjvqcsr5Xm2mSpsoxLvtBfLwPqpNU/ZXu95oqbVu/Bb8yzqLeQt3jgQyGhFp2tfn
> xbfHGj4gu0+N6QUxSXIQVLZFDPfLTZkoswSjc/ate1TC4rvB7y2CwaNY4gpooDA=
> =A4vF
> -----END PGP SIGNATURE-----
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
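The top-talker approach Cooper describes above, written out as an added example (this is not code from the thread or from the Suricata project): the first function reads `tcpdump -tnn` output and counts packets per source address, stripping the trailing `.port` field explicitly so it also works for IPv6 lines; the second turns that list into a BPF `not (host ... or host ...)` expression you can hand to Suricata's capture filter. The sample capture lines and the addresses in them are constructed for the demo. Anything excluded this way is never inspected by the IDS at all, so the filter should only carry hosts you have already decided are pure bulk traffic (CDN video caches and the like), not arbitrary busy hosts.

```bash
#!/bin/bash
# Count source addresses in `tcpdump -tnn` output and build a BPF exclusion
# filter for the heaviest talkers. Added example; all sample data is constructed.
set -eu

# Constructed sample of `tcpdump -tnn` output (not a real capture).
SAMPLE_CAPTURE='IP 23.0.0.10.443 > 10.1.2.3.51000: Flags [P.], seq 1:1449, ack 1, win 501, length 1448
IP 23.0.0.10.443 > 10.1.2.4.51001: Flags [P.], seq 1449:2897, ack 1, win 501, length 1448
IP 23.0.0.10.443 > 10.1.2.5.51002: Flags [.], ack 1, win 501, length 1448
IP 10.1.2.3.51000 > 23.0.0.10.443: Flags [.], ack 1449, win 2048, length 0
IP 198.51.100.7.80 > 10.1.2.9.40000: Flags [P.], seq 1:101, ack 1, win 100, length 100
IP 198.51.100.7.80 > 10.1.2.9.40000: Flags [P.], seq 101:201, ack 1, win 100, length 100
IP 10.1.2.9.40000 > 198.51.100.7.80: Flags [.], ack 201, win 100, length 0'

# top_talkers [MIN]
# Reads tcpdump -tnn lines on stdin, prints "<packets> <source address>" for
# every source seen at least MIN times (default 1), heaviest first.
top_talkers() {
    local min="${1:-1}"
    awk -v min="$min" '
        # With -tnn every packet line starts with "IP" or "IP6"; field 2 is
        # "address.port" for both families, so dropping the last dotted
        # component leaves the bare address.
        $1 == "IP" || $1 == "IP6" {
            src = $2
            sub(/\.[0-9]+$/, "", src)
            count[src]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) printf "%d %s\n", count[ip], ip
        }
    ' | sort -k1,1nr -k2
}

# bpf_exclude
# Reads "<packets> <address>" lines on stdin and prints a single BPF
# expression that excludes all of those hosts, e.g.
#   not (host 23.0.0.10 or host 198.51.100.7)
bpf_exclude() {
    awk '
        { hosts = (NR == 1) ? "host " $2 : hosts " or host " $2 }
        END { if (NR > 0) print "not (" hosts ")" }
    '
}

# Demo on the constructed sample. On a sensor you would feed a live capture
# instead, e.g.:  sudo tcpdump -tnn -c 100000 -i eth2 | top_talkers 100 | bpf_exclude
printf '%s\n' "$SAMPLE_CAPTURE" | top_talkers 2
printf '%s\n' "$SAMPLE_CAPTURE" | top_talkers 2 | bpf_exclude
```

The resulting expression goes into the capture filter for the interface (in suricata.yaml under the af-packet section's `bpf-filter`, or on the command line), after which those hosts' packets are dropped before decoding. Re-run the count periodically: CDN and cache addresses change, and a filter built from last month's top talkers silently stops helping.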
