[Oisf-users] Missing Alerts? May be the network

Greg Grasmehr greg.grasmehr at caltech.edu
Sun Mar 17 15:13:59 UTC 2019


Hello All,

Some of you may remember in early-mid 2018 I was essentially pulling my
hair out trying to figure out why Suricata was apparently missing alert
traffic on our 10G wire.  Network claimed everything was hunky dory on
their end, and I spent countless hours testing different configs and
rule sets trying to determine what was going on.

Fortunately I attended Zeekcon last October and one of the presentations
got me looking at our Zeek data and then to thinking.

Long story short - one of the SPANs feeding our Arista switch turned out
to be saturated and dropping packets on the edge switch feeding the
Arista.  Once that was rectified Suricata was finally receiving all
network data and with Hyperscan enabled easily handling the traffic,
even during microbursts exceeding 10G, and this is with more than 57000
rules enabled.  As far as I can tell it doesn't miss a thing now. w00t!

-- 
Sincerely,

Greg Grasmehr
Lead Information Security Analyst
California Institute of Technology (Caltech)
GPGMe: 38E2 F9BD A95E 9824 20AB  331A 9E29 D1A1 AAEE 5F42
pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x9E29D1A1AAEE5F42
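As an added example (not part of Greg's message or the Zeek/Suricata projects), the check below turns Zeek's capture_loss.log into a detector for sustained upstream packet loss of the kind described above; it assumes the standard capture_loss.log columns (ts, ts_delta, peer, gaps, acks, percent_lost), and the log excerpt is constructed sample data.

```python
"""Flag sustained capture loss from Zeek's capture_loss.log.

Added example, not from the original post. Assumes the standard
capture_loss.log fields; the sample lines below are constructed.
"""
from dataclasses import dataclass

# Constructed excerpt in Zeek's TSV log layout (metadata lines start with '#').
SAMPLE_CAPTURE_LOSS_LOG = """\
#separator \\x09
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
#types\ttime\tinterval\tstring\tcount\tcount\tdouble
1552832400.000000\t900.000000\tworker-1\t12\t480000\t0.0025
1552833300.000000\t900.000000\tworker-1\t14\t470000\t0.002979
1552832400.000000\t900.000000\tworker-2\t36000\t520000\t6.923077
1552833300.000000\t900.000000\tworker-2\t41000\t530000\t7.735849
#close\t2019-03-17-15-00-00
"""


@dataclass
class LossRecord:
    ts: float
    peer: str
    gaps: int          # TCP gaps Zeek saw (missing data it was acked for)
    acks: int          # acks observed in the interval
    percent_lost: float


def parse_capture_loss(text):
    """Parse capture_loss.log text, locating columns via the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        row = dict(zip(fields, line.split("\t")))
        records.append(LossRecord(float(row["ts"]), row["peer"], int(row["gaps"]),
                                  int(row["acks"]), float(row["percent_lost"])))
    return records


def lossy_peers(records, threshold_pct=1.0, min_intervals=2):
    """Peers whose percent_lost stayed above threshold for min_intervals
    consecutive reports. Sustained loss on one worker points at its feed
    (SPAN/tap/upstream switch) rather than a transient sensor hiccup."""
    streaks, flagged = {}, set()
    for rec in sorted(records, key=lambda r: (r.peer, r.ts)):
        streak = streaks.get(rec.peer, 0) + 1 if rec.percent_lost > threshold_pct else 0
        streaks[rec.peer] = streak
        if streak >= min_intervals:
            flagged.add(rec.peer)
    return sorted(flagged)


if __name__ == "__main__":
    for peer in lossy_peers(parse_capture_loss(SAMPLE_CAPTURE_LOSS_LOG)):
        print(f"sustained capture loss on {peer}: check the SPAN/tap feeding it")
```

A loss figure that is consistently near zero on a sensor that still "misses" alerts means the gap is upstream of the tap, which is exactly the situation the message describes.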
