[Oisf-users] Suricata Clustering
Cooper F. Nelson
cnelson at ucsd.edu
Mon Jul 7 19:52:08 UTC 2014
I would just buy an Arista switch and mirror the traffic to multiple
servers.
On 7/7/2014 12:36 PM, Yasha Zislin wrote:
> Has anybody worked with Clustering multiple Suricata nodes to provide
> High Availability and Fault Tolerance?
>
> I have two Suricata nodes and was thinking about implementing
> Active/Standby cluster. After some research I came up with the following
> idea.
> Have standby Suricata disable promiscuous mode on monitoring NICs (SPAN
> Ports). This way Suricata is running and I can (using a script) enable
> promiscuous mode and have my monitoring.
>
> Here are the issues:
> - Suricata doesn't work well when SPAN port NICs have promiscuous mode
> disabled. For example, when trying to stop it (or restart it) it hangs
> but eventually crashes with error ( <Error> - [ERRCODE:
> SC_ERR_FATAL(171)] - Engine unable to disable detect thread -
> "RxPFReth02". Killing engine)
> - Suricata live rule reload doesn't work. It just hangs there forever.
>
> Is there a way to tell Suricata (without restarting its service) not to
> store alerts on disk (i.e. unified2.alert)? Maybe that way it would be
> considered standby and no alerts will be generated even though it sees
> all of the traffic.
>
> Thanks.
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042