[Oisf-users] Can I block DDos attack via Suricata-IDS?

Jason Long hack3rcon at yahoo.com
Sun Feb 5 13:13:29 UTC 2017


Can anyone answer my question? As I said, I use Suricata-IDS on Windows and the config does not have any part like that.

    On Sunday, February 5, 2017 1:44 AM, Peter Manev <petermanev at gmail.com> wrote:

> On 4 Feb 2017, at 19:12, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> 
>> On 2/3/2017 7:03 AM, Peter Manev wrote:
>>> On Wed, Feb 1, 2017 at 11:28 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>>> I was using the automatic feature in the .yaml.  I just explicitly
>>> defined it in the rules as well.
>> 
>> Do you see any diff/improvement that way?
> 
> I'm measuring performance as % packet drops over 24hs.  Did not see any
> clear difference.
> 
>>> Btw, I posted about this earlier, but I'm basically doing a 'prefilter'
>>> for doing file extraction by magic number by building a custom magic.mgc
>>> file.  If you only build in the magic numbers you are interested in
>>> matching on it vastly improves performance (when using the filemagic
>>> keyword).
>> 
>> Yes that is a cool trick. Did you see perf hit across the whole system
>> or just a subset of CPU(s)?
> 
> Whole system.  Suri is using one filemagic thread per detect thread.
> Matching magic numbers with hyperscan would be way better, but that's a
> tall order I think!
> 

Would be a good FR discussion on redmine :)


> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
> 
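As an added illustration of the custom magic.mgc "prefilter" Cooper describes above (an example script written for this page, not code from the thread or from the Suricata project; the file paths, the four magic entries and the rule sids are assumptions):

```shell
#!/bin/sh
# Write a minimal libmagic source file that only knows the file types we
# intend to extract. A reduced database means libmagic evaluates far fewer
# patterns per file, which is the performance gain described in the thread.
# Usage: write_custom_magic <path>  (prints the path it wrote)
write_custom_magic() {
    out="$1"
    cat > "$out" <<'EOF'
# Constructed minimal magic database: only the types Suricata should identify.
# offset  type    test        message (the string filemagic matches against)
0         string  MZ          MS-DOS/PE executable
0         string  \177ELF     ELF executable
0         string  %PDF-       PDF document
0         string  PK\003\004  ZIP archive
EOF
    printf '%s\n' "$out"
}

# Compile the source with file(1): "file -C -m custom.magic" writes
# custom.magic.mgc into the current directory, so cd next to the source first.
# Returns 0 on success, 2 if file(1) is not installed on this host.
compile_custom_magic() {
    src="$1"
    command -v file >/dev/null 2>&1 || return 2
    (cd "$(dirname "$src")" && file -C -m "$(basename "$src")") && [ -f "$src.mgc" ]
}

# Print the suricata.yaml setting and example rules that use the reduced
# database. Paths are assumed; adjust them to the sensor's layout.
print_suricata_fragment() {
    cat <<'EOF'
# suricata.yaml: point libmagic at the reduced database instead of the system one
magic-file: /etc/suricata/custom.magic.mgc

# custom.rules: filemagic is a substring match on the magic description string
alert http any any -> any any (msg:"Extract PE executable over HTTP"; filemagic:"PE executable"; filestore; sid:9000001; rev:1;)
alert http any any -> any any (msg:"Extract PDF over HTTP"; filemagic:"PDF document"; filestore; sid:9000002; rev:1;)
EOF
}
```

Run `write_custom_magic /etc/suricata/custom.magic`, then `compile_custom_magic /etc/suricata/custom.magic` on the sensor, and merge the output of `print_suricata_fragment` into suricata.yaml and your rules file before restarting Suricata.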
