Wednesday, June 4, 2014

24 hr full log run with Suricata IDPS on a 10Gbps ISP line

This is going to be quick :)

  • 9K rules (standard ET-Pro, not changed or edited)
  • Suricata 2.0.1 with AF_PACKET, 16 threads
  • number of hosts in HOME_NET: /21 + /19 + /19 + /18 = about 34K hosts
  • 24 hour run, eve.json with all outputs enabled.

I used this command (it took a while on a 54 GB log file :) ), as suggested by @Packet Inspector (Twitter):
cat eve.json-20140604 | perl -ne 'print "$1\n" if /\"event_type\":\"(.*?)\"/' | sort | uniq -c

root@suricata:/var/log/suricata/tmp# cat eve.json-20140604 | perl -ne 'print "$1\n" if /\"event_type\":\"(.*?)\"/' | sort | uniq -c
 384426 alert
219594091 dns
1384214 fileinfo
3460078 http
  10304 ssh
 280184 tls
root@suricata:/var/log/suricata/tmp# ls -lh
total 54G
-rw-r----- 1 root root 54G Jun  4 16:49 eve.json-20140604
root@suricata:/var/log/suricata/tmp#

So basically we got (in descending order):
  • 219 594 091 - DNS
  •   3 460 078 - HTTP
  •   1 384 214 - FILEINFO
  •     384 426 - ALERTS
  •     280 184 - TLS
  •      10 304 - SSH
That is about 2600 log events per second on that particular day, for that particular test run (yesterday).
Tomorrow .... who knows :)
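The perl one-liner above counts event_type values with a regex, which is fast but trusts every line to be well-formed JSON. As an added example (not part of the original post), here is a JSON-aware counter in Python that does the same tally on the post's numbers, skips truncated or malformed lines (which happen at log rotation on a 54 GB file), derives the events-per-second rate used above, and additionally groups alerts by signature. The sample eve.json lines are constructed for the example; the field names (event_type, alert.signature_id, alert.signature) are the standard Suricata EVE fields, and POST_COUNTS are the figures from the run above.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not from the post). The last three are
# deliberately broken: missing event_type, truncated JSON, and an empty line.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2014-06-04T00:00:01.000000+0200","event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2014-06-04T00:00:01.100000+0200","event_type":"dns","src_ip":"10.0.0.6","dns":{"type":"answer","rrname":"example.com"}}',
    '{"timestamp":"2014-06-04T00:00:02.000000+0200","event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"example.com","url":"/"}}',
    '{"timestamp":"2014-06-04T00:00:02.500000+0200","event_type":"alert","src_ip":"10.0.0.5","alert":{"signature_id":2000001,"signature":"TEST alert one","severity":2}}',
    '{"timestamp":"2014-06-04T00:00:03.000000+0200","event_type":"alert","src_ip":"10.0.0.7","alert":{"signature_id":2000001,"signature":"TEST alert one","severity":2}}',
    '{"timestamp":"2014-06-04T00:00:03.000000+0200","event_type":"tls","src_ip":"10.0.0.8","tls":{"subject":"CN=example.com"}}',
    '{"timestamp":"2014-06-04T00:00:04.000000+0200","event_type":"fileinfo","src_ip":"10.0.0.5","fileinfo":{"filename":"/index.html"}}',
    '{"timestamp":"2014-06-04T00:00:04.000000+0200","event_type":"ssh","src_ip":"10.0.0.9"}',
    '{"timestamp":"2014-06-04T00:00:05.000000+0200","src_ip":"10.0.0.9"}',   # no event_type
    '{"timestamp":"2014-06-04T00:00:05.000000+0200","event_type":"dns"',     # truncated mid-write
    '',
]

# Per-type counts reported in the post for the 24 hour run.
POST_COUNTS = {
    "dns": 219594091,
    "http": 3460078,
    "fileinfo": 1384214,
    "alert": 384426,
    "tls": 280184,
    "ssh": 10304,
}


def parse_eve_lines(lines):
    """Yield parsed records; malformed lines are counted, not fatal."""
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            skipped += 1
            continue
        if not isinstance(rec.get("event_type"), str):
            skipped += 1
            continue
        yield rec
    # Report the skip count to the caller via the generator's return value.
    return skipped


def count_event_types(lines):
    """Equivalent of the perl | sort | uniq -c pipeline: (Counter, skipped lines)."""
    counts = Counter()
    gen = parse_eve_lines(lines)
    skipped = 0
    while True:
        try:
            rec = next(gen)
        except StopIteration as stop:
            skipped = stop.value or 0
            break
        counts[rec["event_type"]] += 1
    return counts, skipped


def top_alert_signatures(lines, n=5):
    """Group alert records by (signature_id, signature) and return the n busiest."""
    sigs = Counter()
    for rec in parse_eve_lines(lines):
        if rec["event_type"] != "alert":
            continue
        alert = rec.get("alert", {})
        sigs[(alert.get("signature_id"), alert.get("signature"))] += 1
    return [(sid, name, hits) for (sid, name), hits in sigs.most_common(n)]


def events_per_second(counts, duration_seconds):
    """Total logged events divided by the run length (86400 s for a 24 hour run)."""
    return sum(counts.values()) / duration_seconds


def breakdown(counts):
    """(event_type, count, percent of all events) in descending order."""
    total = sum(counts.values())
    return [(et, c, round(100.0 * c / total, 1))
            for et, c in Counter(counts).most_common()]


if __name__ == "__main__":
    counts, skipped = count_event_types(SAMPLE_EVE_LINES)
    for et, c, pct in breakdown(counts):
        print(f"{c:>8} {et:<10} {pct:5.1f}%")
    print(f"skipped {skipped} malformed line(s)")
    print("top alert signatures:", top_alert_signatures(SAMPLE_EVE_LINES))
    print(f"post run: {events_per_second(POST_COUNTS, 86400):.0f} events/s")
```

Run against a real file with `count_event_types(open("eve.json-20140604"))`; the file object is iterated line by line, so the 54 GB log is never held in memory. The breakdown makes the operational point of the post's numbers explicit: DNS alone is roughly 97.5% of the 225 million events, so that is the output to tune (or route to a separate sink) before worrying about any other type.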

With these 8 rule files enabled:
rule-files:
 - trojan.rules
 - dns.rules
 - malware.rules
 - md5.rules
 - local.rules
 - current_events.rules
 - mobile_malware.rules
 - user_agents.rules


4 comments:

  1. What kind of hardware did you use to sustain such rates?

    1. http://pevma.blogspot.se/2013/12/suricata-and-grand-slam-of-open-source.html

  2. How many packets did you drop in this setup?

  3. On that particular set up - 0.5-1% drops for 24hrs
