[Oisf-users] Suricata Clustering
Yasha Zislin
coolyasha at hotmail.com
Mon Jul 7 19:36:51 UTC 2014
Has anybody worked with Clustering multiple Suricata nodes to provide High Availability and Fault Tolerance?
I have two Suricata nodes and was thinking about implementing Active/Standby cluster. After some research I came up with the following idea.
Have standby Suricata disable promiscuous mode on monitoring NICs (SPAN Ports). This way Suricata is running and I can (using a script) enable promiscuous mode and have my monitoring.
Here are the issues:
- Suricata doesnt work well when SPAN port nics have promiscious mode disabled. For example, when trying to stop it (or restart it) it hangs but eventually crashes with error ( <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RxPFReth02". Killing engine)
- Suricata live rule reload doesnt work. It just hangs there forever.
Is there a way to tell Suricata (without restarting its service) not to store alerts on disk (ie unified2.alert)? Maybe that way it would be considered standby and no alerts will be generated even though it sees all of the traffic.
Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140707/e9ebbdc2/attachment.html>
More information about the Oisf-users
mailing list