[Oisf-users] Suricata Clustering

Peter Manev petermanev at gmail.com
Mon Jul 7 19:42:53 UTC 2014


On Mon, Jul 7, 2014 at 9:36 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> Has anybody worked with Clustering multiple Suricata nodes to provide High
> Availability and Fault Tolerance?
>
> I have two Suricata nodes and was thinking about implementing Active/Standby
> cluster. After some research I came up with the following idea.
> Have standby Suricata disable promiscuous mode on monitoring NICs (SPAN
> Ports). This way Suricata is running and I can (using a script) enable
> promiscuous mode and have my monitoring.
>
> Here are the issues:
> - Suricata doesn't work well when SPAN port NICs have promiscuous mode
> disabled. For example, when trying to stop it (or restart it) it hangs but
> eventually crashes with error ( <Error> - [ERRCODE: SC_ERR_FATAL(171)] -
> Engine unable to disable detect thread - "RxPFReth02".  Killing engine)
> - Suricata live rule reload doesn't work. It just hangs there forever.


The above described issue could be experienced when Suricata is
stopped and there is no traffic on the mirror port.
Is that the case?

>
> Is there a way to tell Suricata (without restarting its service) not to
> store alerts on disk (ie unified2.alert)? Maybe that way it would be
> considered standby and no alerts will be generated even though it sees all
> of the traffic.

I think if you are looking for "clustering solution" you should do
that on the OS level... much easier and more flexible.

>
> Thanks.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/



-- 
Regards,
Peter Manev
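Peter's advice to do the clustering at the OS level and Yasha's idea of keeping Suricata running on both nodes while toggling promiscuous mode on the SPAN NICs can be combined in a small failover script. The following is an added example written for this page; it is not code from the thread or from the Suricata project. It assumes placeholder monitoring interfaces eth1 and eth2, a placeholder peer management address 192.0.2.10, a single ICMP echo over the management link as the liveness check, and ip(8) to flip the promiscuous flag; a real deployment would usually let a cluster manager such as keepalived drive the same role decision.

```shell
#!/bin/sh
# Active/standby failover helper for two Suricata sensors on SPAN ports.
# Example added for this thread; not code from the list or the Suricata
# project. Assumptions (placeholders): monitoring NICs eth1/eth2, the peer's
# management address 192.0.2.10, a ping over the management link as the
# liveness check, and ip(8) to flip promiscuous mode. Suricata itself keeps
# running on both nodes; only the NIC flag changes, so no stop/reload is
# needed during a failover.

IFACES="${IFACES:-eth1 eth2}"   # monitoring interfaces (placeholder names)
PEER="${PEER:-192.0.2.10}"      # peer management IP (placeholder, TEST-NET-1)
ROLE="${ROLE:-secondary}"       # primary | secondary
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the ip(8) commands instead of running them

# peer_alive: 0 if the peer answers one ICMP echo within 2 s, non-zero otherwise.
peer_alive() {
    ping -c 1 -W 2 "$PEER" >/dev/null 2>&1
}

# decide_role ROLE PEER_STATUS -> activate | deactivate | noop
# The primary sniffs whenever it is up; the secondary sniffs only while the
# primary is unreachable, so normally a single node produces alerts.
decide_role() {
    case "$1:$2" in
        primary:up|primary:down) echo activate ;;
        secondary:down)          echo activate ;;
        secondary:up)            echo deactivate ;;
        *)                       echo noop ;;
    esac
}

# set_promisc on|off: flip promiscuous mode on every monitoring interface.
# Idempotent, so it is safe to apply on every check.
set_promisc() {
    for dev in $IFACES; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "ip link set dev $dev promisc $1"
        else
            ip link set dev "$dev" promisc "$1"
        fi
    done
}

# run_once: one failover check, meant to be called from cron or a loop.
run_once() {
    if peer_alive; then status=up; else status=down; fi
    action=$(decide_role "$ROLE" "$status")
    case "$action" in
        activate)   set_promisc on ;;
        deactivate) set_promisc off ;;
        noop)       : ;;
    esac
    echo "role=$ROLE peer=$status action=$action"
}

# Run a single check only when invoked as: ./suri-failover.sh run
case "${1:-}" in
    run) run_once ;;
esac
```

Run it from cron or a short loop on both nodes with ROLE set accordingly and DRY_RUN=0. During the few seconds in which the primary comes back and the secondary has not yet noticed, both nodes sniff and you get duplicate alerts rather than a gap, which is the safer failure mode for an IDS.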


