[Oisf-users] Suricata with PF_RING on latest git

Doug Burks doug.burks at gmail.com
Fri Jul 6 11:18:23 UTC 2012


I'm currently working on rebuilding my Security Onion distro on Ubuntu
12.04 64-bit and am looking at pfring vs afpacket, so this is a very
interesting discussion.  I like the simplicity of Suricata's afpacket
fanout support, but since we also run Bro, we'd have to do pfring
anyway.  And since we have non-pfring applications (like daemonlogger)
and have to support as many NICs as possible, we'd be using pfring
transparent_mode 0.  So given all that, should we go with pfring for
Suricata, or is there some advantage to using afpacket in this
scenario?

Thanks,
Doug

On Fri, Jul 6, 2012 at 4:21 AM, Victor Julien <victor at inliniac.net> wrote:
> On 07/06/2012 10:17 AM, Anoop Saldanha wrote:
>>>> And I can verify, if you run pfring, it won't die if you don't send
>>>> >> packets.
>>> >
>>> > Yeah, no packets, no shutdown. Blame pfring :)
>>> >
>> Maybe wait for 'x' seconds and if it hasn't shut down as yet, inject a
>> packet to trigger shutdown.
>>
>
> That would be injecting on the wire, and then even account for the
> number of reader threads and the various cluster options. Way too
> complicated IMO.
>
> I think Luca was working on a timeout feature at some point, not sure
> what the status is.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users



-- 
Doug Burks
http://securityonion.blogspot.com
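The two capture setups Doug is weighing, written out as an added illustration that is not part of the thread: a Suricata `suricata.yaml` fragment for the PF_RING path (kernel module loaded with `transparent_mode=0` so non-PF_RING tools such as daemonlogger still see packets via the normal stack) beside the AF_PACKET fanout alternative. The interface name `eth1`, the thread counts and the cluster ids are assumed values; only one of the two sections is used at a time, selected by `--pfring` or `--af-packet` on the command line.

```yaml
# Added example (assumed values: eth1, cluster-id 99/98, thread counts).
#
# PF_RING path. Load the module in transparent_mode=0 first so that
# packets are still delivered to the regular kernel stack for
# non-PF_RING readers (daemonlogger, tcpdump):
#   modprobe pf_ring transparent_mode=0
# Then start Suricata with: suricata -c suricata.yaml --pfring
pfring:
  - interface: eth1
    threads: 4              # one ring per thread, same cluster-id
    cluster-id: 99          # Bro workers on eth1 must use a different id
    cluster-type: cluster_flow   # flow-based balancing across threads

# AF_PACKET path (no extra kernel module; fanout is in-tree).
# Start with: suricata -c suricata.yaml --af-packet
af-packet:
  - interface: eth1
    threads: 4
    cluster-id: 98
    cluster-type: cluster_flow   # kernel PACKET_FANOUT by flow hash
    defrag: yes                  # reassemble fragments before hashing
    use-mmap: yes                # mmap ring instead of recvmsg per packet
```

Note that with AF_PACKET each application opens its own socket on the NIC and nothing else on the box needs changing, whereas with PF_RING every consumer on the same interface must agree on `transparent_mode` and avoid colliding `cluster-id` values.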
