[Oisf-users] Load-balancing Suricata
Seth Hall
seth at icir.org
Thu Apr 12 03:05:04 UTC 2012
On Apr 11, 2012, at 10:46 PM, Christopher Sheats wrote:
> Say, 2 to N of these:
> http://www.newegg.com/Product/Product.aspx?Item=N82E16813153239
> (I haven't seen any announcement of SuperMicro releasing a serverboard
> using the Intel Atom D2700 yet)
You could send the full traffic stream to each box and run these BPF filters on each Suricata instance:
Host1:
(ip[14:2]+ip[18:2]) - (2*((ip[14:2]+ip[18:2])/2)) == 0
Host2:
(ip[14:2]+ip[18:2]) - (2*((ip[14:2]+ip[18:2])/2)) == 1
This only works for packets that are straight Ethernet encapsulated (no VLAN or MPLS tags) and it also doesn't work for IPv6. If you need to add another host (for a total of three), you can change the "2*" and "/2" to 3's and increment the value on the far right.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
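
An added example, not part of the original message: the Python sketch below builds the filter string for host i of N, generalizing the two- and three-host rule in the message to any N, and replays the filter's arithmetic on constructed IPv4 headers to show that both directions of a flow are selected by the same host. The function names and sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

SUM = "(ip[14:2]+ip[18:2])"  # low 16 bits of source + low 16 bits of destination

def bpf_filter(n_hosts, index):
    """Filter text for host `index` (0-based) out of `n_hosts` sensors."""
    return f"{SUM} - ({n_hosts}*({SUM}/{n_hosts})) == {index}"

def ipv4_header(src, dst):
    """Constructed minimal 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def bucket(header, n_hosts):
    """Same arithmetic as the filter: x - n*(x/n) with integer division."""
    lo_src = int.from_bytes(header[14:16], "big")  # ip[14:2]
    lo_dst = int.from_bytes(header[18:20], "big")  # ip[18:2]
    total = lo_src + lo_dst  # at most 131070, fits BPF's 32-bit arithmetic
    return total - n_hosts * (total // n_hosts)

def assign(flows, n_hosts):
    """Map each (src, dst) flow to the one host whose filter matches it."""
    hosts = {i: [] for i in range(n_hosts)}
    for src, dst in flows:
        fwd = bucket(ipv4_header(src, dst), n_hosts)
        rev = bucket(ipv4_header(dst, src), n_hosts)
        # Addition is commutative, so request and reply hash identically.
        if fwd != rev:
            raise ValueError("flow split across hosts")
        hosts[fwd].append((src, dst))
    return hosts

# Constructed sample flows, not taken from the original message.
FLOWS = [("10.0.0.1", "192.168.1.10"), ("10.0.0.2", "192.168.1.10"),
         ("10.0.0.3", "192.168.1.10"), ("172.16.5.9", "10.0.0.1")]

if __name__ == "__main__":
    for n in (2, 3):
        for i in range(n):
            print(f"Host{i + 1}: {bpf_filter(n, i)}")
        print(assign(FLOWS, n))
```

Each value in 0..N-1 is claimed by exactly one filter, so every untagged IPv4 packet is inspected once, and a flow's two directions always reach the same Suricata instance.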