[Oisf-users] Can I block DDos attack via Suricata-IDS?

Cooper F. Nelson cnelson at ucsd.edu
Sat Feb 4 18:12:11 UTC 2017


On 2/3/2017 7:03 AM, Peter Manev wrote:
> On Wed, Feb 1, 2017 at 11:28 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>> I was using the automatic feature in the .yaml.  I just explicitly
>> defined it in the rules as well.
> 
> Do you see any diff/improvement that way?

I'm measuring performance as % packet drops over 24 hrs.  Did not see any
clear difference.

>> Btw, I posted about this earlier, but I'm basically doing a 'prefilter'
>> for doing file extraction by magic number by building a custom magic.mgc
>> file.  If you only build in the magic numbers you are interested in
>> matching on it vastly improves performance (when using the filemagic
>> keyword).
> 
> Yes that is a cool trick. Did you see perf hit across the whole system
> or just a subset of CPU(s)?

Whole system.  Suri is using one filemagic thread per detect thread.
Matching magic numbers with hyperscan would be way better, but that's a
tall order I think!

-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
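The "prefilter" trick described above, as an added example that is not part of the original post or of Suricata's own code: a trimmed libmagic source file that lists only the magic numbers of interest, plus a small matcher for its top-level entries so the effect can be seen offline. The entries, messages and sample bytes are constructed for illustration; in a real deployment the source is compiled with `file -C -m custom.magic` and suricata.yaml's `magic-file:` is pointed at the resulting custom.magic.mgc, with rules matching on the message text via `filemagic`.

```python
"""Minimal libmagic-style matcher over a trimmed-down magic source file.

Added example (not from the mailing-list post or the Suricata project).  The
post's point: a custom magic.mgc containing only the types you care about
gives Suricata's `filemagic` keyword far fewer entries to test per file.
Only top-level `string` and fixed-width numeric entries are supported here;
continuation (">") sub-tests of the real libmagic grammar are skipped.
"""
import struct

# Constructed magic source, one top-level entry per type of interest.
# libmagic line format: <offset> TAB <type> TAB <test> TAB <message>
# A constructed rule using the message text would look like:
#   alert http any any -> any any (msg:"PDF seen"; filemagic:"PDF document";
#                                   filestore; sid:1000001; rev:1;)
CUSTOM_MAGIC_SOURCE = """\
# Trimmed magic file: only the types we extract or alert on.
0\tstring\t%PDF-\tPDF document
0\tstring\t\\177ELF\tELF
0\tstring\tMZ\tMS-DOS executable
0\tstring\tPK\\003\\004\tZip archive data
0\tbelong\t0xcafebabe\tJava class
"""

# Numeric libmagic types -> (unsigned struct format, width in bytes).
# Comparison is done unsigned so 0xcafebabe-style constants match directly.
_NUMERIC = {
    "byte": ("B", 1),
    "beshort": (">H", 2), "leshort": ("<H", 2),
    "belong": (">I", 4), "lelong": ("<I", 4),
}


def parse_magic_source(text):
    """Parse top-level magic entries into (offset, kind, expected, message)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and continuation lines (sub-tests).
        if not line or line.startswith("#") or line.startswith(">"):
            continue
        parts = line.split("\t", 3)
        if len(parts) < 4:
            continue  # malformed entry; libmagic would reject it too
        offset_s, mtype, test, message = parts
        offset = int(offset_s, 0)
        if mtype == "string":
            # Resolve C-style escapes such as \177 or \003 into raw bytes.
            needle = test.encode("latin-1").decode("unicode_escape").encode("latin-1")
            entries.append((offset, "string", needle, message))
        else:
            base = mtype[1:] if mtype.startswith("u") else mtype  # ubelong -> belong
            fmt, size = _NUMERIC[base]
            expected = int(test, 0) & ((1 << (8 * size)) - 1)
            entries.append((offset, (fmt, size), expected, message))
    return entries


def identify(data, entries):
    """Return the message of the first matching entry, or None (unknown type)."""
    for offset, kind, expected, message in entries:
        if kind == "string":
            if data[offset:offset + len(expected)] == expected:
                return message
        else:
            fmt, size = kind
            chunk = data[offset:offset + size]
            if len(chunk) == size and struct.unpack(fmt, chunk)[0] == expected:
                return message
    return None


ENTRIES = parse_magic_source(CUSTOM_MAGIC_SOURCE)

if __name__ == "__main__":
    # Constructed sample file headers, not real captures.
    samples = {
        "pdf": b"%PDF-1.7\n%\xe2\xe3",
        "elf": b"\x7fELF\x02\x01\x01",
        "zip": b"PK\x03\x04\x14\x00",
        "text": b"hello world",
    }
    print(f"{len(ENTRIES)} entries compiled (a stock magic file has thousands)")
    for name, data in samples.items():
        print(f"{name}: {identify(data, ENTRIES)}")
```

The matcher stops at the first hit, so the cost per file is bounded by the handful of entries you actually use rather than the full stock database; that is the performance gain the post describes, independent of which detection engine does the byte comparison.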
