
List:       oisf-users
Subject:    Re: [Oisf-users] Launch suricata with PFRING support
From:       Peter Manev <petermanev () gmail ! com>
Date:       2014-09-29 18:54:39
Message-ID: CAMhe82Lr11tdHGq9E+i9Vo7dwhS78YMy4uby7qNdP0WuBnJK3A () mail ! gmail ! com

On Mon, Sep 29, 2014 at 2:15 PM, Alvaro Alonso Jiménez
<alvaroalo@gmail.com> wrote:
>
> Hi there,
>
> I have compiled suricata with PFRING, and I want to launch it properly.
>
>
> I have found the following documentation regarding the way Suricata needs to
> be launched:
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING
>
> More precisely:
>
> Start up Suricata with PF_RING support:
>
> sudo /opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99
> --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
>
>
> In this sense, it seems there is no reference to the -i option (used to specify
> the interfaces which we have to use to sniff traffic). Let's assume I want
> to use several interfaces to sniff traffic with PFRING configuration. I have
> also found this other entry, which states that we should specify a '-i'
> option for each interface we want to use to sniff traffic
>
> http://blog.inliniac.net/2010/12/24/listening-on-multiple-interfaces-with-suricata/
>
>
> So, let's assume I want to use eth0 and eth1 to sniff traffic. How should I
> launch suricata?

Could you try it like so (and let us know):
/usr/bin/suricata --pfring -c
/etc/suricata/peter-yaml/suricata-pfring.yaml -D -v

and in the suricata.yaml (pfring section) you should have the
different interfaces defined with a different cluster id.

Which pf_ring ver do you use?
Which Suricata ver do you use?

>
> OPTION 1
>
> /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -i eth1
> --pfring=eth0 --pfring=eth1
>
> (suricata-start log traces show that using multiple interfaces to sniff
> traffic is an experimental feature, and suricata log traces show duplicated
> information for eth0 and eth1)
>
>
> OPTION 2
>
> /usr/bin/suricata -c /etc/suricata/suricata.yaml --pfring=eth0 --pfring=eth1
>
>
> ANOTHER OPTION???
>
>
> Thank you very much in advance.
>
> With kind regards,
>
> Alvaro
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/



-- 
Regards,
Peter Manev
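As an added example (not part of the list thread and not Suricata's own code), the shell below builds the pfring section of suricata.yaml that the reply describes, one entry per capture interface with its own cluster-id, and checks a fragment for duplicate cluster-ids before you launch with --pfring. The interface names, the starting cluster-id of 99 and the file paths are assumptions.

```shell
#!/bin/sh
# Added example: generate and sanity-check a multi-interface pfring section
# for suricata.yaml. Interface names, cluster ids and paths are assumptions.

# Emit a "pfring:" section with one entry per interface given as an argument.
# Each interface gets its own cluster-id, counting down from $1, so two
# interfaces never share a PF_RING cluster.
pfring_section() {
    id=$1
    shift
    printf 'pfring:\n'
    for ifname in "$@"; do
        printf '  - interface: %s\n' "$ifname"
        printf '    threads: 1\n'
        printf '    cluster-id: %s\n' "$id"
        printf '    cluster-type: cluster_flow\n'
        id=$((id - 1))
    done
}

# Read a pfring fragment on stdin; succeed (exit 0) only if every cluster-id
# value in it is distinct. Catches a hand-edited yaml where both interfaces
# were left on the example's cluster-id 99.
cluster_ids_unique() {
    ids=$(sed -n 's/^[[:space:]]*cluster-id:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    total=$(printf '%s\n' "$ids" | grep -c .)
    distinct=$(printf '%s\n' "$ids" | sort -u | grep -c .)
    [ "$total" -eq "$distinct" ]
}

# Usage (assumed paths):
#   pfring_section 99 eth0 eth1 > /tmp/pfring-section.yaml
#   cluster_ids_unique < /tmp/pfring-section.yaml || echo "duplicate cluster-id"
# Paste the section into /etc/suricata/suricata.yaml, then start without -i,
# so the interfaces come from the yaml:
#   suricata --pfring -c /etc/suricata/suricata.yaml -D -v
```

The check only looks at cluster-id values, so it will not catch an interface listed twice; keep one entry per NIC, and put the thread count per interface in the yaml rather than on the command line.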