<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
If you actually ran that second suricata line with
"--af-packet-eth1" then that might be your problem as the third dash
in that string would need to be an "=" to work. As to whether you
can point a single instance of suricata at multiple interfaces in
this way, I'll leave that for wiser folks than I to weigh in on.
If you can't, you could always aggregate eth1 and eth2 together onto
a virtual bonding interface like bond0. I do that at a number of my
client sites. There are probably performance ramifications of doing
so, though, if you are working with heavily loaded network sniffing
interfaces.<br>
<br>
Kevin<br>
<br>
<br>
On 10/31/2013 4:29 PM, Theodore Elhourani wrote:
<blockquote
cite="mid:WM!b1018457834848b5ed05acffcf1cc2a51efc020b6c3ce3799473d279a29f4fcc3aaed7974733ada518bbf44db46ff806!@asav-2.01.com"
type="cite">
<pre wrap="">
Yes the interfaces are configured in suricata.yaml (see attached)
and here is how it is started again:
suricata --af-packet=eth1 --af-packet=eth2 -c /etc/suricata/suricata.yaml -D
Suricata reads off eth1 only.
When I do
suricata --af-packet=eth2 --af-packet-eth1 -c /etc/suricata/suricata.yaml -D
it reads off eth2 only.
On Oct 2, 2013, at 11:26 PM, Peter Manev <a class="moz-txt-link-rfc2396E" href="mailto:petermanev@gmail.com">&lt;petermanev@gmail.com&gt;</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">On 3 Oct 2013, at 01:54, Theodore Elhourani <a class="moz-txt-link-rfc2396E" href="mailto:theodore.elhourani@gmail.com">&lt;theodore.elhourani@gmail.com&gt;</a> wrote:
Would this be the correct syntax for starting suricata with multiple interfaces using afpacket?
suricata --af-packet=eth1 --af-packet=eth2 …..
I have tried this and it is reading only from eth1.
</pre>
</blockquote>
<pre wrap="">
Do you have those interfaces configured in suricata.yaml ?
</pre>
<blockquote type="cite">
<pre wrap="">
Thanks!
_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
OISF: <a class="moz-txt-link-freetext" href="http://www.openinfosecfoundation.org/">http://www.openinfosecfoundation.org/</a>
</pre>
</blockquote>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
</body>
</html>