[Oisf-users] Suricata Clustering

Yasha Zislin coolyasha at hotmail.com
Mon Jul 7 19:52:22 UTC 2014


Almost correct. Suricata is running, but promiscuous mode is disabled on the monitored interface, which is a SPAN port.
So in that state, if I try to restart or stop Suricata with kill -15 1234 (where 1234 is the PID of Suricata), it will throw this error.

The problem with OS clustering is that the Suricata service would have to be restarted.

My goal is to have zero loss in monitoring. If I have Suricata running on the standby node, then it could be quick to flip them.

If there are no ideas, I'll have to think more about this.

Thanks for the input.

> Date: Mon, 7 Jul 2014 21:42:53 +0200
> Subject: Re: [Oisf-users] Suricata Clustering
> From: petermanev at gmail.com
> To: coolyasha at hotmail.com
> CC: oisf-users at lists.openinfosecfoundation.org
> 
> On Mon, Jul 7, 2014 at 9:36 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> > Has anybody worked with Clustering multiple Suricata nodes to provide High
> > Availability and Fault Tolerance?
> >
> > I have two Suricata nodes and was thinking about implementing Active/Standby
> > cluster. After some research I came up with the following idea.
> > Have standby Suricata disable promiscuous mode on monitoring NICs (SPAN
> > Ports). This way Suricata is running and I can (using a script) enable
> > promiscuous mode and have my monitoring.
> >
> > Here are the issues:
> > - Suricata doesn't work well when SPAN port NICs have promiscuous mode
> > disabled. For example, when trying to stop it (or restart it) it hangs but
> > eventually crashes with error ( <Error> - [ERRCODE: SC_ERR_FATAL(171)] -
> > Engine unable to disable detect thread - "RxPFReth02".  Killing engine)
> > - Suricata live rule reload doesn't work. It just hangs there forever.
> 
> 
> The above described issue could be experienced when Suricata is
> stopped and there is no traffic on the mirror port.
> Is that the case?
> 
> >
> > Is there a way to tell Suricata (without restarting its service) not to
> > store alerts on disk (ie unified2.alert)? Maybe that way it would be
> > considered standby and no alerts will be generated even though it sees all
> > of the traffic.
> 
> I think if you are looking for "clustering solution" you should do
> that on the OS level... much easier and more flexible.
> 
> >
> > Thanks.
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> 
> 
> 
> -- 
> Regards,
> Peter Manev
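The failover approach discussed in this thread (keep Suricata running on both nodes, and switch which one actually sees the SPAN traffic by toggling promiscuous mode on the monitoring NICs) can be scripted as below. This is an added example, not code from either poster or from the Suricata project; the interface names eth2/eth3 are assumptions, and it assumes Linux with iproute2 and sysfs. It reads the result back from /sys/class/net/<iface>/flags (IFF_PROMISC is bit 0x100) so a flip that did not take effect fails loudly instead of leaving a node that silently captures nothing.

```shell
#!/bin/sh
# Added example (not from the original thread): flip promiscuous mode on
# the SPAN-port NICs of a hand-rolled active/standby Suricata pair and
# verify from sysfs that the change took effect.
set -eu

# IFF_PROMISC bit as it appears in /sys/class/net/<iface>/flags (hex, e.g. 0x1103)
IFF_PROMISC=256   # 0x100

# promisc_from_flags HEXFLAGS -> prints "on" or "off"
# Pure function so it can be checked without touching a real interface.
promisc_from_flags() {
    flags=$1
    if [ $(( $flags & IFF_PROMISC )) -ne 0 ]; then
        echo on
    else
        echo off
    fi
}

# promisc_state IFACE -> "on"/"off", read from sysfs (no root needed)
promisc_state() {
    promisc_from_flags "$(cat "/sys/class/net/$1/flags")"
}

# set_promisc IFACE on|off -> set the mode (needs root) and verify it stuck
set_promisc() {
    iface=$1
    want=$2
    ip link set dev "$iface" promisc "$want"
    got=$(promisc_state "$iface")
    if [ "$got" != "$want" ]; then
        echo "$iface: wanted promisc $want, got $got" >&2
        return 1
    fi
    echo "$iface: promisc $got"
}

# Interfaces that receive the SPAN feed; assumed names, override via environment.
SPAN_IFACES="${SPAN_IFACES:-eth2 eth3}"

# become active|standby -> "active" enables capture on every SPAN NIC,
# "standby" disables it. Suricata itself keeps running in both roles.
become() {
    case $1 in
        active)  mode=on ;;
        standby) mode=off ;;
        *) echo "usage: $0 active|standby" >&2; return 2 ;;
    esac
    for i in $SPAN_IFACES; do
        set_promisc "$i" "$mode"
    done
}

# Only act when given an argument; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    become "$1"
fi
```

Run `./span-role.sh active` on the node that should capture and `./span-role.sh standby` on the other (from whatever cluster manager or heartbeat script decides the role). The verification step matters because the thread's whole premise is that the standby Suricata is still up but blind; if `ip link` fails or the flag does not change, this script exits non-zero so the failover logic knows the switch did not happen.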
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140707/f8686f61/attachment-0002.html>


More information about the Oisf-users mailing list