<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="FR" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thank you, it worked.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I had to combine both solutions to make it work, so my sysconfig file (this file is called from the systemd unit file) is:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">OPTIONS="-i <IFACE1> … -i <IFACEN> --user suricata"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">And my suricata.yaml is like you wrote it.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Regards.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">--<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Gaëtan Piquenot<o:p></o:p></span></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:35.4pt"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Davide Setti [mailto:d.setti@certego.net]
<br>
<b>Sent:</b> Tuesday, August 21, 2018 3:56 PM<br>
<b>To:</b> Piquenot, Gaetan<br>
<b>Cc:</b> oisf-users@lists.openinfosecfoundation.org<br>
<b>Subject:</b> Re: [Oisf-users] Issue using several interfaces with suricata 4.0.4<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">Hi Gaetan,<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">are you passing interfaces via command line or via config file?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">Because if you use a config file it should be much easier to set up multiple interfaces. I suppose you are using AF_PACKET; you just have to keep in mind to use a different "cluster-id" for each interface:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
</div>
<div>
<pre style="margin-left:35.4pt">af-packet:
  - interface: eth0
    cluster-id: 100
  - interface: eth1
    cluster-id: 101
  - interface: ethN
    cluster-id: 102
</pre>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt;background:white"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt;background:white">Then you should run:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt;background:white">suricata --af-packet -c <path-to-config><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt;background:white"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">Regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">Davide<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">2018-08-21 15:30 GMT+02:00 Piquenot, Gaetan <<a href="mailto:gaetan.piquenot@airbus.com" target="_blank">gaetan.piquenot@airbus.com</a>>:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
Hello,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span lang="EN-US">I’m trying to make suricata sniff on 4 ifaces, but when I put several -i <IFACE NAME> entries into /etc/sysconfig/suricata (CentOS), I can’t run suricata and get the following errors:</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span lang="EN-US">21/8/2018 -- 14:09:03 - <Warning> - [ERRCODE: SC_WARN_PCAP_MULTI_DEV_EXPERIMENTAL(177)] - using multiple devices to get packets is experimental.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span lang="EN-US">{"timestamp":"2018-08-21T14:09:03.228795+0200","event_type":"engine","engine":{"message":"This is Suricata version 4.0.4 RELEASE"}}</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span lang="EN-US">{"timestamp":"2018-08-21T14:09:03.393105+0200","event_type":"engine","engine":{"message":"all 12 packet processing threads, 4 management threads initialized, engine started."}}</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span lang="EN-US">{"timestamp":"2018-08-21T14:09:03.449420+0200","event_type":"engine","engine":{"error_code":190,"error":"SC_ERR_AFP_CREATE","message":"Couldn't set fanout mode, error Invalid argument"}}</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span lang="EN-US">{"timestamp":"2018-08-21T14:09:03.455418+0200","event_type":"engine","engine":{"error_code":190,"error":"SC_ERR_AFP_CREATE","message":"Couldn't init AF_PACKET socket, fatal error"}}</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span lang="EN-US">{"timestamp":"2018-08-21T14:09:03.463594+0200","event_type":"engine","engine":{"error_code":171,"error":"SC_ERR_FATAL","message":"thread RX#01-ens225 failed"}}</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span lang="EN-US">I saw this old link <a href="https://lists.openinfosecfoundation.org/pipermail/oisf-users/2015-November/005412.html" target="_blank">
https://lists.openinfosecfoundation.org/pipermail/oisf-users/2015-November/005412.html</a> but my ifaces are configured and if I use them one by one it’s working.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span lang="EN-US" style="font-size:10.0pt;font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt">
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Regards.</span><o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-left:35.4pt"><br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-left:35.4pt">-- <o:p></o:p></p>
<div>
<div>
<div>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="420" style="width:315.0pt;margin-left:35.4pt">
<tbody>
<tr>
<td valign="top" style="padding:0cm 0cm 0cm 0cm;text-align:initial">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" style="padding:3.0pt 0cm 3.0pt 0cm;text-align:initial">
<div>
<p class="MsoNormal"><b><span style="font-size:13.5pt;font-family:"Arial","sans-serif";color:#00ACED;letter-spacing:.75pt">Davide Setti<o:p></o:p></span></b></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#202020">R&D and Incident Response Team, Certego<o:p></o:p></span></b></p>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>