[Oisf-users] Can I block DDos attack via Suricata-IDS?

Peter Manev petermanev at gmail.com
Fri Feb 3 15:03:09 UTC 2017


On Wed, Feb 1, 2017 at 11:28 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> I was using the automatic feature in the .yaml.  I just explicitly
> defined it in the rules as well.

Do you see any diff/improvement that way?

>
> Btw, I posted about this earlier, but I'm basically doing a 'prefilter'
> for doing file extraction by magic number by building a custom magic.mgc
> file.  If you only build in the magic numbers you are interested in
> matching on it vastly improves performance (when using the filemagic
> keyword).

Yes, that is a cool trick. Did you see the perf hit across the whole system
or just a subset of CPU(s)?

>
> -Coop
>
> On 2/1/2017 1:04 PM, Peter Manev wrote:
>> Coop you may want to try the prefilter keyword -  it should offer
>> performance benefit in your case I think.
>> Cpl of examples:
>> http://suricata.readthedocs.io/en/latest/rules/prefilter.html
>> https://github.com/inliniac/suricata/commit/56239690d041a55ae9c74f6d925d1ae25d48b526
>> (feedback is welcome)
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>



-- 
Regards,
Peter Manev
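The trimmed-magic trick Coop describes above, as an added example that is not from the thread or from the Suricata project: a libmagic source file with only one entry is compiled with file(1) and then used to classify two constructed samples, so anything not in the trimmed database no longer costs a full magic walk. File names, the single PDF entry and the samples are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build a libmagic database that only knows the file types
# you want Suricata's filemagic keyword to see. Assumes file(1) with -C.
set -e

# Magic source in libmagic's line format: offset, type, test, description.
# Only PDF is listed, so every other file type falls through to "data"
# (or plain-text detection) instead of being matched against thousands of rules.
write_magic_source() {
    printf '0\tstring\t%%PDF-\tPDF document\n' > pdf-only.magic
}

# file -C writes the compiled database as <source>.mgc next to the source.
compile_magic() {
    file -C -m pdf-only.magic
}

# Classify one file using only the trimmed database; prints the description
# that the filemagic keyword would see.
classify() {
    file -b -m pdf-only.magic.mgc "$1"
}

write_magic_source
compile_magic

# Constructed samples: a minimal PDF header and a ZIP local-file header.
printf '%%PDF-1.4\n%%constructed sample\n' > sample.pdf
printf 'PK\003\004constructed zip header\n' > sample.zip

classify sample.pdf   # PDF document
classify sample.zip   # not "PDF document": ZIP is absent from the trimmed database
```

To use the result, point `magic-file:` in suricata.yaml at pdf-only.magic.mgc and keep the rule side narrow too, for example `filemagic:"PDF document"; filestore;` on the HTTP rule that should trigger extraction.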


