[Oisf-users] best method to monitor two NIC's on same box

Victor Julien victor at inliniac.net
Sat Jun 25 08:37:33 UTC 2011


Please keep in mind that Suricata makes no effort to de-duplicate
traffic. So if both interfaces (partly) see the same traffic you may be
inspecting things twice. Also how this affects ip defrag and stream
reassembly is untested.

For more info on the feature see my blog post on it:
http://www.inliniac.net/blog/2010/12/24/listening-on-multiple-interfaces-with-suricata.html

Cheers,
Victor

On 06/25/2011 01:19 AM, Keith Miller wrote:
> Thank you.   I was hoping that it was something that simple.   I think that
> did the trick.
> 
> On Fri, Jun 24, 2011 at 16:13, Will Metcalf <william.metcalf at gmail.com> wrote:
> 
>> if you are just using pcap mode just specify -i twice
>>
>> suricata -i eth0 -i eth1 -l ./ -c suricata.yaml
>>
>> [6041] 24/6/2011 -- 18:09:17 - (source-pcap.c:389) <Info>
>> (ReceivePcapThreadInit) -- using interface eth1
>> [6040] 24/6/2011 -- 18:09:17 - (source-pcap.c:389) <Info>
>> (ReceivePcapThreadInit) -- using interface eth0
>>
>> On Fri, Jun 24, 2011 at 5:53 PM, Keith Miller <orekdm at gmail.com> wrote:
>>
>>> Greetings programs!
>>>
>>> I'm new to suricata, but a longtime veteran of NSM.   Due to some recent
>>> excitement at work I got suricata working as a standalone and then as part
>>> of the smoothsec distro.    I'm happily processing away on 8 cores at
>>> low-medium utilization.   I just discovered that we have to pull another
>>> SPAN (traffic can't be added to the first) for monitoring.   What is the
>>> best methodology to support this in suricata?   I poked around, but no docs
>>> or postings seem to discuss this issue.  Can I add a second NIC to the
>>> single instance?  Do I need to have two installations side by side?   Or
>>> just a second suricata.yaml and set of startup scripts?
>>>
>>> Forgive me if I've missed something obvious, please help!
>>>
>>> Keith Miller
>>>
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>>
>>
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
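
The caveat at the top of this message is that packets seen on both interfaces get inspected twice. As an added example (not part of the original thread and not Suricata code), the Python below measures how many frames in one capture also appear in another. It assumes two classic pcap files taken over the same time window and byte-identical SPAN copies; `read_pcap`, `overlap`, `build_pcap` and the sample frames are constructed for the illustration.

```python
import hashlib
import struct
from collections import Counter

# Little- and big-endian magics for classic pcap (microsecond and nanosecond).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def read_pcap(data):
    """Yield each captured frame from a classic pcap byte string (not pcapng)."""
    endian = MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, offset)[2]
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record
        yield frame
        offset += 16 + incl_len

def overlap(pcap_a, pcap_b):
    """Return (frames in B that also appear in A, total frames in B)."""
    seen = Counter(hashlib.sha256(f).digest() for f in read_pcap(pcap_a))
    dup = total = 0
    for frame in read_pcap(pcap_b):
        digest = hashlib.sha256(frame).digest()
        total += 1
        if seen[digest] > 0:  # match each copy in A at most once
            seen[digest] -= 1
            dup += 1
    return dup, total

def build_pcap(frames):
    """Build a little-endian pcap byte string; used only for the sample data."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample frames: zeroed MAC addresses, EtherType 0x0800, dummy payload.
A, B, C, D = (bytes(12) + b"\x08\x00" + p for p in (b"pkt-a", b"pkt-b", b"pkt-c", b"pkt-d"))
ETH0 = build_pcap([A, B, C])     # constructed capture from the first SPAN
ETH1 = build_pcap([B, C, D, D])  # constructed capture from the second SPAN

if __name__ == "__main__":
    dup, total = overlap(ETH0, ETH1)
    print(f"{dup}/{total} frames on eth1 were also seen on eth0")
```

A high ratio on real captures means the two SPANs overlap and the same packets would be inspected twice by a single instance listening on both interfaces.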



