[Oisf-users] Question about using suricata 1.1rc1 with nfq

Eric Leblond eric at regit.org
Wed Nov 9 10:23:57 UTC 2011


On Wed, 2011-11-09 at 11:18 +0100, carlopmart wrote:
> Hi all,
>   Recently, I have installed a suricata sensor to do some tests for 
> monitoring only web traffic. This suricata is installed using NFQ module 
> (with several bridges and NFQUEUEs defined) on Ubuntu 10.04.3 host. But 
> I don't understand some options in the new suricata configuration.
>   My idea is to integrate suricata with sguil. To do this, I have 
> enabled the following options on suricata.yaml:
>    - pcap-log:
>       enabled: yes
>       filename: suricata.log
>       limit: 1000
>       max_files: 100
>       mode: sguil
>       dir: /nsm/sguil_sensor/suricata/dailylogs
>       use_stream_depth: no
>   But I see new option in configuration file:
>   pcap:
>    - interface: eth1
>   What does it means this option?? 

This option/configuration part is for the pcap acquisition module. You
can now specify multiple interfaces with different configuration for
pcap, pfring and af_packet acquisition module. Have a look at the
following blog post for more information:

> Is not possible to record all traffic 
> that suricata sees over multiple NFQUEUEs?? 

Yes, you can do this by using multiple -q switches on the command line:
	suricata -c suricata.yaml -q 0 -q 1

> Is it possible to define 
> multiple interfaces in this option??

Yes for pcap.

Eric Leblond 
Blog: http://home.regit.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20111109/0aa142c9/attachment.sig>

More information about the Oisf-users mailing list