
List:       security-onion
Subject:    Re: [security-onion] Question Regarding Large Downloads and Dropped Packets
From:       Wes Lambert <wlambertts () gmail ! com>
Date:       2019-05-29 12:31:32
Message-ID: CAHjBB6FjUyGf5Qqt-+gLPnZEL-CqXnDGkBHq+Q3k-P1eaNXRXA () mail ! gmail ! com

Hi Chad,

You may be able to write a Bro script for the detection component and drop
the event accordingly; otherwise, you could just try using something like
BPF to filter it out (if you know the specifics), or ensure that you are
not trying to aggregate more traffic to the single SPAN port than the port
is rated to handle.

Thanks,
Wes

On Tue, May 28, 2019 at 12:56 AM Chad Mika <chadmika4@gmail.com> wrote:

> I have a gigabit Internet connection, and at various times throughout the day
> a large file can be downloading that saturates the link (100+ MB/s down)
> and results in an enormous amount of log data being generated, which is
> likely resulting in dropped packets and losing potentially useful data. I'm
> assuming this is due to my setup of using a SPAN port on my switch to capture
> data, and not a full-duplex (non-aggregate) network tap.
> 
> My question is twofold:
> 
> 1.) Is it possible to detect and then ignore large file transfers so that it
> doesn't generate an obscene amount of data and large log files?
> 
> 2.) Whenever a file is downloading that is saturating the link, is it
> always going to be a possibility for dropped packets unless my output link
> is a higher bandwidth, such as using USB3 instead of gigabit Ethernet?
> 


-- 
https://twitter.com/therealwlambert
https://securityonion.net/

-- 
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups
"security-onion" group. To unsubscribe from this group and stop receiving emails from
it, send an email to security-onion+unsubscribe@googlegroups.com. To post to this
group, send email to security-onion@googlegroups.com. Visit this group at
https://groups.google.com/group/security-onion. To view this discussion on the web
visit https://groups.google.com/d/msgid/security-onion/CAHjBB6FjUyGf5Qqt-%2BgLPnZEL-CqXnDGkBHq%2BQ3k-P1eaNXRXA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
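The "Bro script" route Wes suggests, as an added example written for this page (not code from the thread or from the Security Onion project): a Zeek script that raises one Notice per bulk transfer and keeps those flows out of conn.log, which trims log volume but does not reduce the packet load on a SPAN-fed sensor, so the dropped packets themselves still need BPF or a properly sized tap. The module name and the 1 GiB threshold are assumptions, and the syntax is Zeek 3.x (`zeek_init`); the Bro 2.6 shipped at the time names the event `bro_init`.

```zeek
##! Added example for this thread (not from the list or Security Onion):
##! flag bulk transfers with a Notice and keep their rows out of conn.log.
##! Module name and the 1 GiB threshold are assumptions; Zeek 3.x syntax.

@load base/frameworks/notice
@load base/protocols/conn

module LargeXfer;

export {
    redef enum Notice::Type += {
        ## A single flow moved more responder bytes than `threshold`.
        Large_Transfer
    };

    ## Responder bytes above which a flow is treated as a bulk transfer (assumption).
    const threshold: count = 1073741824 &redef;
}

# Keep bulk flows out of conn.log by replacing the default filter with one
# that carries a predicate; every other connection is logged unchanged.
event zeek_init()
{
    Log::remove_default_filter(Conn::LOG);
    Log::add_filter(Conn::LOG, [
        $name = "conn-drop-bulk",
        $pred(rec: Conn::Info) = {
            # resp_bytes is &optional, so check presence before comparing.
            return ! ( rec?$resp_bytes && rec$resp_bytes > threshold );
        }
    ]);
}

# Raise one Notice per bulk flow so the transfer stays visible in notice.log
# and can be suppressed or actioned through the usual Notice policy.
event connection_state_remove(c: connection)
{
    if ( c$resp$size > threshold )
        NOTICE([$note = Large_Transfer,
                $conn = c,
                $msg = fmt("bulk transfer: %d bytes from %s",
                           c$resp$size, c$id$resp_h),
                $identifier = cat(c$id$orig_h, c$id$resp_h)]);
}
```

Load it from local.zeek (local.bro on 2.6) and watch notice.log for Large_Transfer entries while confirming that conn.log no longer carries the matching rows.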

