[Oisf-users] Question about using suricata 1.1rc1 with nfq
Eric Leblond
eric at regit.org
Wed Nov 9 10:23:57 UTC 2011
Hello,
On Wed, 2011-11-09 at 11:18 +0100, carlopmart wrote:
> Hi all,
>
> Recently, I have installed a suricata sensor to do some tests for
> monitoring only web traffic. This suricata is installed using NFQ module
> (with several bridges and NFQUEUEs defined) on Ubuntu 10.04.3 host. But
> I don't understand some options in the new suricata configuration.
>
> My idea is to integrate suricata with sguil. To do this, I have
> enabled the following options on suricata.yaml:
>
> - pcap-log:
>     enabled: yes
>     filename: suricata.log
>     limit: 1000
>     max_files: 100
>     mode: sguil
>     dir: /nsm/sguil_sensor/suricata/dailylogs
>     use_stream_depth: no
>
> But I see new option in configuration file:
>
> pcap:
>   - interface: eth1
>
> What does this option mean?
This option/configuration part is for the pcap acquisition module. You
can now specify multiple interfaces, each with its own configuration, for
the pcap, pfring and af_packet acquisition modules. Have a look at the
following blog post for more information:
http://home.regit.org/2011/10/suricata-new-feature/
> Is it not possible to record all traffic
> that suricata sees over multiple NFQUEUEs?
Yes, you can do this by using multiple -q switches on the command line:
suricata -c suricata.yaml -q 0 -q 1
> Is it possible to define
> multiple interfaces in this option?
Yes for pcap.
BR,
--
Eric Leblond
Blog: http://home.regit.org/
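An added example (not part of the thread, and not Suricata's own tooling) for the multi-queue setup discussed above: it derives the NFQUEUE numbers from an iptables-save dump, builds the "suricata -q 0 -q 1 ..." command line from Eric's reply, and flags any queue that rules steer packets to but that no -q switch listens on. Without a userspace listener on a queue, the kernel drops the queued packets, so on an inline sensor that mismatch means web traffic silently stops. The ruleset below is constructed for the example; the bridge names and rules are assumptions.

```sh
#!/bin/sh
# Constructed sample of `iptables-save` output (not from the thread):
# three bridges, each steering HTTP traffic to its own NFQUEUE.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -p tcp --dport 80 -j NFQUEUE --queue-num 0
-A FORWARD -i br1 -p tcp --dport 80 -j NFQUEUE --queue-num 1
-A FORWARD -i br2 -p tcp --dport 80 -j NFQUEUE --queue-num 2
COMMIT'

# queues_in_ruleset RULES: distinct --queue-num values, one per line, numerically sorted.
queues_in_ruleset() {
  printf '%s\n' "$1" \
    | sed -n 's/.*-j NFQUEUE --queue-num \([0-9][0-9]*\).*/\1/p' \
    | sort -n -u
}

# unlistened_queues RULES Q...: queues that rules reference but that are
# missing from the -q list given to suricata (packets there would be dropped).
unlistened_queues() {
  rules="$1"; shift
  listened=" $* "
  for q in $(queues_in_ruleset "$rules"); do
    case "$listened" in
      *" $q "*) ;;
      *) printf '%s\n' "$q" ;;
    esac
  done
}

# suricata_cmd CONFIG Q...: the command line from the reply, one -q switch per queue.
suricata_cmd() {
  cmd="suricata -c $1"; shift
  for q in "$@"; do cmd="$cmd -q $q"; done
  printf '%s\n' "$cmd"
}

main() {
  # On a live host replace SAMPLE_RULES with "$(iptables-save)".
  queues=$(queues_in_ruleset "$SAMPLE_RULES" | tr '\n' ' ')
  suricata_cmd suricata.yaml $queues
  # Example of the check catching a forgotten queue: only 0 and 1 passed.
  missing=$(unlistened_queues "$SAMPLE_RULES" 0 1)
  [ -z "$missing" ] || echo "WARNING: no listener on NFQUEUE(s): $missing" >&2
}
main
```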