[Oisf-users] PFRing & Barnyard2

Peter Manev petermanev at gmail.com
Sun Aug 11 09:13:44 UTC 2013


>
> On 9 August 2013 15:06, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Fri, Aug 9, 2013 at 2:31 PM, Kevin Ross <kevross33 at googlemail.com>
>> wrote:
>> > Hi,
>> >
>> > I was wondering what is the preferred way of doing barnyard2 with
>> > suricata in pfring? I ask because I am now running more processes,
>> > since I have better hardware, so when I run, say, 8 processes each one
>> > seems to create its own unified2.alert file, but I start only 1 barnyard
>> > process and I noticed things in the fast.log file that were not being
>> > picked up by barnyard.
>> >
>> > So do I have to start up multiple barnyard processes too, one for each
>> > unified2 alert file, and then do something like have multiple
>> > suricata.yaml files with each one pointed to say alert2.unified2,
>> > alert2.unified3, and then have barnyard and suricata started like this?
>> >
>> > # Start Multiple Suricata Processes With PFRING
>> > for COUNTER in 0 1 2 3 4 5 6 7; do
>> >   suricata --pidfile /var/run/suricata$COUNTER.pid --pfring-int=eth1 \
>> >     --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow \
>> >     -c /etc/suricata/suricata.yaml --user suri --group suri -D
>> >   /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf \
>> >     -d /var/log/suricata -f unified2.alert$COUNTER \
>> >     -w /var/log/suricata/bylog.waldo -D
>> > done
>>
>> What is the purpose of this script above?
>>
>> Suricata is a multi-threading application and there is no need to
>> start 8 processes of it. All you need to do is in the pfring section
>> of the suricata.yaml to adjust the threads value:
>>
>> pfring:
>>   - interface: eth1
>>     # Number of receive threads (>1 will enable experimental flow pinned
>>     # runmode)
>>     threads: 8
>>
>> then you will have everything written in the "one" respective logfile
>> (not multiples of them).
>>
>> Then you just start Suricata (once):
>> suricata --pidfile /var/run/suricata$COUNTER.pid --pfring-int=eth1 \
>>   --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow \
>>   -c /etc/suricata/suricata.yaml --user suri --group suri -D
>>
>> run htop/top and you will see the 8 Suricata threads.
>>
On Fri, Aug 9, 2013 at 5:10 PM, Kevin Ross <kevross33 at googlemail.com> wrote:
> Ah yes, that works a treat. I was just looking at the Snort documentation
> regarding it and starting up multiple processes. Thanks :)
>
> Kevin
>

I think this is a perfect example of one of the major differences
between Suricata (native multithreading) and Snort (single/multi
process).


-- 
Regards,
Peter Manev
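The alerting gap Kevin ran into (alerts in fast.log that barnyard2 never saw because each of the 8 processes wrote its own unified2 spool and only one was read) can be checked for directly. The following is an added example, not code from this thread or from the Suricata/barnyard2 projects: it parses unified2 IDS event records (record type 7, the 52-byte IPv4 event body) and diffs the gid:sid pairs against fast.log; the spool data and fast.log lines are constructed inline, and IPv6 and packet records are skipped.

```python
import re
import struct
from collections import Counter

UNIFIED2_IDS_EVENT = 7                 # IPv4 IDS event record type
EVENT_FMT = ">IIIIIIIIIIIHHBBBB"       # 52-byte body: sensor, event id, sec, usec, sid, gid, rev, ...

def pack_event(sensor_id, event_id, sid, gid=1, rev=1):
    """Build one unified2 record (8-byte header + event body); used only for constructed test data."""
    body = struct.pack(EVENT_FMT, sensor_id, event_id, 1376051460, 0, sid, gid, rev,
                       0, 1, 0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

def unified2_sids(data):
    """Yield (gid, sid) for every IDS event record in a unified2 byte stream, skipping other record types."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        if rtype == UNIFIED2_IDS_EVENT:
            fields = struct.unpack_from(EVENT_FMT, data, off)
            yield fields[5], fields[4]         # generator_id, signature_id
        off += rlen

FASTLOG_RE = re.compile(r"\[(\d+):(\d+):\d+\]")   # [gid:sid:rev] as written by fast.log

def fastlog_sids(lines):
    for line in lines:
        m = FASTLOG_RE.search(line)
        if m:
            yield int(m.group(1)), int(m.group(2))

def alert_gap(fast_lines, consumed_spools):
    """Alerts present in fast.log but absent from the unified2 spools barnyard2 actually reads."""
    expected = Counter(fastlog_sids(fast_lines))
    seen = Counter()
    for data in consumed_spools:
        seen.update(unified2_sids(data))
    return dict(expected - seen)

# Constructed sample: three alerts in fast.log, each written to a different per-process spool.
FAST_LOG = [
    "08/09/2013-14:31:00.000001  [**] [1:2000001:1] constructed rule A [**] [Priority: 1] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80",
    "08/09/2013-14:31:01.000001  [**] [1:2000002:1] constructed rule B [**] [Priority: 1] {TCP} 10.0.0.1:1235 -> 10.0.0.2:80",
    "08/09/2013-14:31:02.000001  [**] [1:2000003:1] constructed rule C [**] [Priority: 1] {TCP} 10.0.0.1:1236 -> 10.0.0.2:80",
]
SPOOL = {"unified2.alert0": pack_event(0, 1, 2000001),
         "unified2.alert1": pack_event(1, 1, 2000002),
         "unified2.alert2": pack_event(2, 1, 2000003)}

def demo():
    one_reader = alert_gap(FAST_LOG, [SPOOL["unified2.alert0"]])   # single barnyard2 -f unified2.alert0
    all_spools = alert_gap(FAST_LOG, SPOOL.values())               # every spool read (or one Suricata, threads: 8)
    return one_reader, all_spools
```

Run against real files by reading each `unified2.alert*` as bytes and the lines of `fast.log`; a non-empty result means barnyard2 is not seeing everything the sensor alerted on.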


