[Oisf-users] Suricata Clustering

Yasha Zislin coolyasha at hotmail.com
Mon Jul 7 19:53:35 UTC 2014


Good idea. Unfortunately, I don't control what gets bought here.

Thanks.

> Date: Mon, 7 Jul 2014 12:52:08 -0700
> From: cnelson at ucsd.edu
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata Clustering
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I would just buy an Arista switch and mirror the traffic to multiple
> servers.
> 
> On 7/7/2014 12:36 PM, Yasha Zislin wrote:
> > Has anybody worked with Clustering multiple Suricata nodes to provide
> > High Availability and Fault Tolerance?
> > 
> > I have two Suricata nodes and was thinking about implementing
> > Active/Standby cluster. After some research I came up with the following
> > idea.
> > Have standby Suricata disable promiscuous mode on monitoring NICs (SPAN
> > Ports). This way Suricata is running and I can (using a script) enable
> > promiscuous mode and have my monitoring.
> > 
> > Here are the issues:
> > - Suricata doesn't work well when SPAN port NICs have promiscuous mode
> > disabled. For example, when trying to stop it (or restart it) it hangs
> > but eventually crashes with error ( <Error> - [ERRCODE:
> > SC_ERR_FATAL(171)] - Engine unable to disable detect thread -
> > "RxPFReth02".  Killing engine)
> > - Suricata live rule reload doesn't work. It just hangs there forever.
> > 
> > Is there a way to tell Suricata (without restarting its service) not to
> > store alerts on disk (ie unified2.alert)? Maybe that way it would be
> > considered standby and no alerts will be generated even though it sees
> > all of the traffic.
> > 
> > Thanks.
> > 
> > 
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> > 
> 
> 
> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iQEbBAEBAgAGBQJTuvpoAAoJEKIFRYQsa8FWZhgH+MNO1LrOVQ2VwU1ndPMQf9zt
> e5xUAtcAOsgVQ6HA2uCwmtNFzQiEQ13qctED1ojFPt/rjQXU1OCKR+wVLYhlLHjb
> OOSt3cvg1D5y20++OcIz0e+gj/8hCIOaJWZH8OMvfKiWqJjnnig4k+yTlRFthupI
> dt+W/QU5CI+n8TQ9AJ5DCfCMvKgiPqy0beo4Dn6n76704mAqZQHtU+vVzNvDCznt
> V9NrdUf593Ql7Hq7gkvtjmhf5JoI9TXA+I9z/0k7H5Rg0Xy4R4B6XIaw9/9AP5tA
> S7tlwjO8fUNR43GOz1pcM2XdrvVF37eTHKOWqmapVNJ8iPsKw129OkkVsfl4UA==
> =6ITH
> -----END PGP SIGNATURE-----
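The active/standby scheme described in the quoted message (standby node keeps promiscuous mode off on its SPAN-port NICs, a script turns it on at failover), as an added example that is not code from this thread or from the Suricata project. It is a POSIX shell script that reads the IFF_PROMISC bit from /sys/class/net/<dev>/flags and toggles it with iproute2's "ip link". Assumptions: Linux with sysfs and iproute2, root for the functions that change state, the value 0x100 for IFF_PROMISC (from the kernel's if.h), and hypothetical interface names eth1/eth2. The bit test is kept in its own function so it can be checked on sample flag words without touching a real interface; the problems the poster reports when Suricata runs with promiscuous mode off are not addressed by this script.

```sh
#!/bin/sh
# Active/standby helper for a Suricata sensor watching SPAN ports.
# Assumed: Linux, iproute2 ("ip link"), root for set_promisc/failover.
# IFF_PROMISC is 0x100 in <linux/if.h>; /sys/class/net/<dev>/flags
# exposes the interface flag word as a hex string such as 0x1103.

IFF_PROMISC=0x100

# promisc_in_flags FLAGS: exit 0 if the promiscuous bit is set in the
# hex flag word FLAGS, 1 otherwise. Pure arithmetic, no device access.
promisc_in_flags() {
    [ $(( $1 & $IFF_PROMISC )) -ne 0 ]
}

# promisc_state DEV: print "on" or "off" for a real interface,
# exit 2 if the interface does not exist.
promisc_state() {
    flags=$(cat "/sys/class/net/$1/flags" 2>/dev/null) || return 2
    if promisc_in_flags "$flags"; then echo on; else echo off; fi
}

# set_promisc DEV on|off: change the bit with iproute2 (needs root).
set_promisc() {
    ip link set dev "$1" promisc "$2"
}

# failover ROLE DEV...: "active" enables promiscuous mode on every
# monitoring NIC, "standby" disables it, then re-reads sysfs to verify
# the change actually took effect.
failover() {
    role=$1
    shift
    case "$role" in
        active)  want=on ;;
        standby) want=off ;;
        *)
            echo "usage: failover active|standby DEV..." >&2
            return 2 ;;
    esac
    for dev in "$@"; do
        set_promisc "$dev" "$want" || return 1
        if [ "$(promisc_state "$dev")" != "$want" ]; then
            echo "$dev: promiscuous mode still not $want" >&2
            return 1
        fi
        echo "$dev: promiscuous mode $want"
    done
}

# Example invocations (hypothetical interface names, run as root):
#   failover standby eth1 eth2    # this node becomes the standby
#   failover active  eth1 eth2    # this node takes over monitoring
```

The verification step after "ip link set" matters: on some drivers the flag write is silently refused, and a standby node that believes it is active while its NICs still drop foreign frames is the worst of both states.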
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140707/7d400942/attachment-0002.html>


More information about the Oisf-users mailing list