Martin,

NetFlow on OVS can potentially generate more flow records than usual 
router/switch-based exporters because of a relatively short “inactive” timeout 
(1.5s in my understanding). Depending on the collector of your choice, it may 
be worth considering using sFlow instead because it can give information 
beyond the L4 header, so it can give more context to the IDS. 

Regards,

—
Motonori Shindo

On 2014/11/06 19:04, Martin Vizvary <[email protected]> wrote:

> 
> 
> On 11/05/2014 05:16 PM, Ben Pfaff wrote:
>> On Wed, Nov 05, 2014 at 04:59:30PM +0100, Martin Vizvary wrote:
>>> does anybody know if and how the passive timeout for flow
>>> expiration is implemented?
>>> 
>>> I was playing around with it, but you can configure only the active timeout.
>>> (The passive timeout is approximately 1s - I guess it is connected with
>>> the next_timeout cycle only...
>> 
>> The passive timeout triggers at the same time that OVS removes a flow
>> from the datapath.  That is managed internally to OVS mainly to ensure a
>> good balance between performance, CPU usage, and memory usage.  It's
>> probably not a good idea to try to adjust it just to change the NetFlow
>> passive timeout.
>> 
> 
> Thank you for the fast response. Well, I know it will have an impact on OVS
> performance; however, it is not a good idea to use network flows with a 1s
> timeout (current netflow probes use 30s/60s). Every request that takes
> longer than 2s will be divided into two flow records. Every service with a
> keep-alive longer than the 1-2s timeout will be divided into several flow
> records, etc.
> 
> It will end with a huge amount of network flows in real networks. Also,
> divided flows will be useless for current Intrusion Detection Systems...
> 
> Did you measure the impact of longer timeouts on OVS performance?
> 
> Martin
> 
> -- 
> Mgr. Martin Vizvary                                 [email protected]
> Security Department, CSIRT-MU group                http://csirt.muni.cz
> Institute of Computer Science, Masaryk University, Brno, Czech Republic
> PGP Key ID: 0xF2D9925F
> 
> _______________________________________________
> discuss mailing list
> [email protected]
> http://openvswitch.org/mailman/listinfo/discuss
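To illustrate the record-splitting effect discussed in this thread, here is an added example (Python, not OVS code and not from any of the posters) that simulates an exporter expiring one TCP session at a 1.5s versus a 30s inactive timeout, then stitches the fragments back together on the collector side before they reach an IDS; the 5-tuple, packet timestamps and timeout values are constructed for illustration.

```python
"""Simulate NetFlow inactive-timeout expiry and collector-side stitching.
Added example; timestamps and timeouts below are constructed, not measured."""
from dataclasses import dataclass


@dataclass
class FlowRecord:
    key: tuple      # (src, dst, sport, dport, proto) 5-tuple
    first: float    # timestamp of the first packet in this record
    last: float     # timestamp of the last packet in this record
    packets: int


def export_records(key, packet_times, inactive_timeout):
    """Return the records an exporter would emit for one session.

    A record is expired when the gap between consecutive packets exceeds
    inactive_timeout; the next packet opens a new record. With a ~1s timeout
    any pause longer than 1s splits the session, as described in the thread.
    """
    times = sorted(packet_times)
    if not times:
        return []
    records, first, last, count = [], times[0], times[0], 1
    for t in times[1:]:
        if t - last > inactive_timeout:      # idle too long: expire record
            records.append(FlowRecord(key, first, last, count))
            first, count = t, 0
        last, count = t, count + 1
    records.append(FlowRecord(key, first, last, count))
    return records


def stitch(records, max_gap):
    """Collector-side merge: join consecutive records of the same 5-tuple
    whose idle gap is at most max_gap, rebuilding the session for the IDS."""
    merged = []
    for r in sorted(records, key=lambda r: (r.key, r.first)):
        prev = merged[-1] if merged else None
        if prev and prev.key == r.key and r.first - prev.last <= max_gap:
            prev.last, prev.packets = r.last, prev.packets + r.packets
        else:
            merged.append(FlowRecord(r.key, r.first, r.last, r.packets))
    return merged


# Constructed input: one HTTP keep-alive session with a request every ~2.5s.
KEY = ("10.0.0.5", "10.0.0.9", 40001, 80, 6)
PACKET_TIMES = [0.0, 0.1, 2.6, 2.7, 5.2, 5.3, 7.8, 7.9]

if __name__ == "__main__":
    for timeout in (1.5, 30.0):   # OVS-like timeout vs. a typical probe
        print(timeout, "s ->", len(export_records(KEY, PACKET_TIMES, timeout)), "record(s)")
    print("stitched:", len(stitch(export_records(KEY, PACKET_TIMES, 1.5), 30.0)))
```

With the 1.5s timeout the single session is exported as four records, with 30s as one; stitching the four fragments with a 30s gap restores a single record of eight packets.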
