[Oisf-users] PFRing & Barnyard2

Peter Manev petermanev at gmail.com
Fri Aug 9 14:06:42 UTC 2013


On Fri, Aug 9, 2013 at 2:31 PM, Kevin Ross <kevross33 at googlemail.com> wrote:
> Hi,
>
> I was wondering what is the preferred way of doing barnyard2 with suricata in
> pfring? I ask because I am running more processes now that I have better
> hardware, so when I ran say 8 processes each one seems to create its own
> unified2.alert file but I start only 1 barnyard process, and I noticed things
> in the fast.log file that were not being picked up by barnyard.
>
> So do I have to start up multiple barnyard processes too for each unified2
> alert file and then do something like have multiple suricata.yaml files with
> each one pointed to say alert2.unified2, alert2.unified3 and then have
> barnyard and suricata started like this?
>
> # Start Multiple Suricata Processes With PFRING
> for COUNTER in 0 1 2 3 4 5 6 7; do
>     suricata --pidfile /var/run/suricata$COUNTER.pid --pfring-int=eth1 \
>         --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow \
>         -c /etc/suricata/suricata.yaml --user suri --group suri -D
>     /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata \
>         -f unified2.alert$COUNTER -w /var/log/suricata/bylog.waldo -D
> done

What is the purpose of this script above?

Suricata is a multi-threaded application and there is no need to
start 8 processes of it. All you need to do is adjust the threads value
in the pfring section of suricata.yaml:

pfring:
  - interface: eth1
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 8

then you will have everything written in the "one" respective logfile
(not multiples of them).

Then you just start Suricata (once):
suricata --pidfile /var/run/suricata.pid --pfring-int=eth1 \
    --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow \
    -c /etc/suricata/suricata.yaml --user suri --group suri -D

run htop/top and you will see the 8 Suricata threads.


>
> Thanks,
> Kevin
>
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/



-- 
Regards,
Peter Manev
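Added example (not from this thread, and not Suricata or barnyard2 code): a small unified2 spool reader that makes Kevin's symptom measurable. It counts event records in every spool file under a log directory and reports how many of them a single barnyard2 instance, which tails one file base name, would actually read. The record type IDs (2 = packet, 7 = IPv4 event, 72 = IPv6 event, 104/105 = VLAN variants) and the 52-byte layout of the type 7 body are taken from the public unified2 format as I know it; the sample spools are constructed in a temporary directory with the per-process names from Kevin's script, whereas a real Suricata spool carries a timestamp suffix (unified2.alert.<epoch>) and barnyard2 -f matches on the base name.

```python
"""Count unified2 event records per spool file and show how much one
barnyard2 instance (tailing a single file base name) actually sees."""
import glob
import os
import struct
import tempfile

# Record type IDs, assumed from the public unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # IPv4 event, fixed 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72      # IPv6 event, fixed 76-byte body
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}


def iter_records(data):
    """Yield (type, body) per record: big-endian (type, length) header,
    then `length` body bytes. A truncated tail (a spool mid-write) ends
    iteration instead of raising, which is how a tailer must behave."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        if off + 8 + rlen > len(data):
            break  # partial record still being written by Suricata
        yield rtype, data[off + 8:off + 8 + rlen]
        off += 8 + rlen


def parse_ipv4_event(body):
    """Decode the fixed 52-byte Unified2IDSEvent (type 7) body."""
    (sensor_id, event_id, event_sec, event_usec, sid, gid, rev,
     class_id, priority, src, dst, sport, dport, proto,
     impact_flag, impact, blocked) = struct.unpack(">9I4s4sHHBBBB", body[:52])
    return {
        "sensor_id": sensor_id, "event_id": event_id, "event_sec": event_sec,
        "sid": sid, "gid": gid, "rev": rev, "priority": priority,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "sport": sport, "dport": dport, "proto": proto,
    }


def count_events(path):
    """Number of event records (packet/extra-data records are skipped)."""
    with open(path, "rb") as fh:
        return sum(1 for rtype, _ in iter_records(fh.read())
                   if rtype in EVENT_TYPES)


def spool_coverage(logdir, prefix="unified2.alert", tailed=None):
    """Count events in every spool matching prefix* and report how many a
    single barnyard2 tailing `tailed` would read: (per_file, total, read)."""
    per_file = {}
    for path in sorted(glob.glob(os.path.join(logdir, prefix + "*"))):
        per_file[os.path.basename(path)] = count_events(path)
    total = sum(per_file.values())
    read = per_file.get(tailed, 0) if tailed else 0
    return per_file, total, read


def make_event(sid, event_id, src=(10, 0, 0, 1), dst=(10, 0, 0, 2), dport=80):
    """Build one type 7 record (constructed test data, not a real capture)."""
    body = struct.pack(">9I4s4sHHBBBB", 1, event_id, 1376056002, 0, sid, 1, 1,
                       3, 2, bytes(src), bytes(dst), 40000, dport, 6, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body


def build_sample_spools(nprocs=8, events_per_proc=3):
    """Write nprocs spools the way nprocs independent Suricata processes
    would, named unified2.alert<N> as in the question (constructed data).
    Returns the temporary log directory."""
    logdir = tempfile.mkdtemp(prefix="suri-")
    eid = 0
    for n in range(nprocs):
        with open(os.path.join(logdir, "unified2.alert%d" % n), "wb") as fh:
            for _ in range(events_per_proc):
                eid += 1
                fh.write(make_event(2000000 + n, eid))
    return logdir


if __name__ == "__main__":
    d = build_sample_spools()
    per_file, total, read = spool_coverage(d, tailed="unified2.alert0")
    for name, n in per_file.items():
        print("%-18s %d events" % (name, n))
    print("one barnyard2 on unified2.alert0 sees %d of %d events" % (read, total))
```

With eight per-process spools the single barnyard2 reads 3 of 24 events, which is exactly the gap Kevin saw between fast.log and barnyard2. With one multi-threaded Suricata writing one spool, total and read are the same number. The truncated-tail handling in iter_records matters for anything that reads a live spool: a half-written record at the end is normal, not corruption.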
