[Oisf-users] PFRing & Barnyard2

Kevin Ross kevross33 at googlemail.com
Fri Aug 9 14:10:39 UTC 2013


Ah yes, that works a treat. I was just looking at the Snort documentation
regarding it and starting up multiple processes. Thanks :)

Kevin


On 9 August 2013 15:06, Peter Manev <petermanev at gmail.com> wrote:

> On Fri, Aug 9, 2013 at 2:31 PM, Kevin Ross <kevross33 at googlemail.com>
> wrote:
> > Hi,
> >
> > I was wondering what is the preferred way of doing barnyard2 with
> > suricata in pfring? I ask because I am running more processes now that
> > I have better hardware, so when I ran say 8 processes each one seems to
> > create its own unified2.alert file but I start only 1 barnyard process
> > and I noticed things in the fast.log file that were not being picked up
> > by barnyard.
> >
> > So do I have to start up multiple barnyard processes too for each
> > unified2 alert file and then do something like have multiple
> > suricata.yaml files with each one pointed to say alert2.unified2,
> > alert2.unified3 and then have barnyard and suricata started like this?
> >
> > # Start Multiple Suricata Processes With PFRING
> > for COUNTER in 0 1 2 3 4 5 6 7; do
> >   suricata --pidfile /var/run/suricata$COUNTER.pid --pfring-int=eth1 \
> >     --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow \
> >     -c /etc/suricata/suricata.yaml --user suri --group suri -D
> >   /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf \
> >     -d /var/log/suricata -f unified2.alert$COUNTER \
> >     -w /var/log/suricata/bylog.waldo -D
> > done
>
> What is the purpose of the script above?
>
> Suricata is a multi-threaded application and there is no need to
> start 8 processes of it. All you need to do is adjust the threads value
> in the pfring section of the suricata.yaml:
>
> pfring:
>   - interface: eth1
>     # Number of receive threads (>1 will enable experimental flow pinned
>     # runmode)
>     threads: 8
>
> then you will have everything written in the "one" respective logfile
> (not multiples of them).
>
> Then you just start Suricata (once):
> suricata --pidfile /var/run/suricata.pid --pfring-int=eth1 \
>   --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow \
>   -c /etc/suricata/suricata.yaml --user suri --group suri -D
>
> run htop/top and you will see the 8 Suricata threads.
>
>
> >
> > Thanks,
> > Kevin
> >
> >
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
>
>
>
> --
> Regards,
> Peter Manev
>
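The detection gap Kevin ran into (eight Suricata processes each writing its own unified2.alert<N>, a single barnyard2 reading only one of them) can be measured directly from the spool directory. The Python script below is an added example, not code from this thread or from the Suricata/Barnyard2 projects: it walks unified2 files by their 8-byte record header and the IDS event v2 record layout, counts alert records per file, stops cleanly at a truncated trailing record (a writer still appending), and reports how many alerts a reader pinned to one file would never see. The spool it builds (three files, constructed sensor/event/signature values) is made up for the demonstration; the file name prefix unified2.alert is taken from the thread.

```python
"""Audit a directory of Suricata unified2 spool files and report how many
alerts a single barnyard2 instance reading only one file would never process."""
import os
import struct
import tempfile
from typing import Dict, Iterator, List, Tuple

# Unified2 record type numbers as defined by Snort/Barnyard2.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT_V2 = 104
# Every record type that carries an alert (IPv4/IPv6, v1 and v2 layouts).
ALERT_TYPES = {7, 72, 104, 105}

# Each record starts with an 8-byte header: type and length, network byte order.
RECORD_HEADER = struct.Struct(">II")
# IDS event v2 (IPv4) body: 60 bytes, field order as in barnyard2's Unified2IDSEvent.
EVENT_V2 = struct.Struct(">IIIIIIIIIIIHHBBBBIHH")


def make_event(sid: int, event_id: int) -> bytes:
    """Build one constructed IDS_EVENT_V2 record (header + 60-byte body)."""
    body = EVENT_V2.pack(
        1, event_id, 1376057439, 0,   # sensor_id, event_id, event_second, event_usec (constructed)
        sid, 1, 1, 3, 2,              # signature_id, generator_id, sig_rev, class_id, priority
        0xC0A80001, 0x0A000001,       # src 192.168.0.1 -> dst 10.0.0.1 (constructed)
        40000, 80,                    # sport_itype, dport_icode
        6, 0, 0, 0,                   # protocol=TCP, impact_flag, impact, blocked
        0,                            # mpls_label
        0, 0,                         # vlan_id, pad
    )
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT_V2, len(body)) + body


def make_packet(event_id: int, data: bytes) -> bytes:
    """Build one constructed UNIFIED2_PACKET record (28-byte body + packet bytes)."""
    body = struct.pack(">IIIIIII", 1, event_id, 1376057439, 1376057439, 0, 1, len(data)) + data
    return RECORD_HEADER.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(path: str) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, payload) for every complete record; stop at a truncated tail."""
    with open(path, "rb") as fh:
        data = fh.read()
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, offset)
        start = offset + RECORD_HEADER.size
        if start + length > len(data):
            break  # writer is mid-append (or file is damaged): do not read past EOF
        yield rtype, data[start:start + length]
        offset = start + length


def count_alerts(path: str) -> int:
    """Number of alert-bearing records in one unified2 file."""
    return sum(1 for rtype, _ in iter_records(path) if rtype in ALERT_TYPES)


def audit_spool(directory: str, prefix: str = "unified2.alert") -> Dict[str, int]:
    """Per-file alert counts for every spool file whose name starts with prefix."""
    return {
        name: count_alerts(os.path.join(directory, name))
        for name in sorted(os.listdir(directory)) if name.startswith(prefix)
    }


def missed_by_single_reader(counts: Dict[str, int], consumed: str) -> int:
    """Alerts a reader pinned to `consumed` never sees: everything in the other files."""
    return sum(n for name, n in counts.items() if name != consumed)


def build_sample_spool(directory: str) -> List[str]:
    """Write a constructed spool: three per-process files, one with a truncated tail."""
    files = {
        "unified2.alert0": make_event(2000001, 1) + make_packet(1, b"\x00" * 14)
                           + make_event(2000002, 2) + make_event(2000003, 3),
        "unified2.alert1": make_event(2000001, 1) + make_event(2000004, 2),
        # one complete event, then the first 20 bytes of another (still being written)
        "unified2.alert2": make_event(2000005, 1) + make_event(2000006, 2)[:20],
    }
    for name, blob in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(blob)
    return sorted(files)


def run_demo() -> Tuple[Dict[str, int], int]:
    """Build the constructed spool, audit it, and return
    (per-file alert counts, alerts missed by a reader pinned to unified2.alert0)."""
    with tempfile.TemporaryDirectory() as spool:
        build_sample_spool(spool)
        counts = audit_spool(spool)
    return counts, missed_by_single_reader(counts, "unified2.alert0")


if __name__ == "__main__":
    counts, missed = run_demo()
    for name, n in counts.items():
        print(f"{name}: {n} alert record(s)")
    print(f"alerts a single barnyard2 on unified2.alert0 never sees: {missed}")
```

Pointed at a real /var/log/suricata, audit_spool gives the per-file totals and missed_by_single_reader the backlog the lone barnyard2 left behind. With Peter's single-process, threads: 8 layout there is only one spool file, so the missed count is zero by construction; the per-file counter is still worth keeping as a sanity check after any change to the capture setup.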