[Oisf-users] Launch suricata with PFRING support
Alvaro Alonso Jiménez
alvaroalo at gmail.com
Mon Sep 29 12:15:46 UTC 2014
Hi there,
I have compiled suricata with PFRING, and I want to launch it properly.
I have found the following documentation regarding the way Suricata needs
to be launched:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING
More precisely:
Start up Suricata with PF_RING support:
sudo /opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
In this sense, it seems there is no reference to the -i option (used to
specify the interfaces we have to use to sniff traffic). Let's assume
I want to use several interfaces to sniff traffic with the PFRING
configuration. I have also found this other entry, which states that we
should specify a '-i' option for each interface we want to use to sniff
traffic:
http://blog.inliniac.net/2010/12/24/listening-on-multiple-interfaces-with-suricata/
So, let's assume I want to use eth0 and eth1 to sniff traffic. How should I
launch suricata?
OPTION 1
/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -i eth1 --pfring=eth0 --pfring=eth1
(the suricata start-up log shows that using multiple interfaces to sniff
traffic is an experimental feature, and the suricata log shows duplicated
information for eth0 and eth1)
OPTION 2
/usr/bin/suricata -c /etc/suricata/suricata.yaml --pfring=eth0 --pfring=eth1
ANOTHER OPTION???
Thank you very much in advance.
With kind regards,
Alvaro
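As an added illustration (not part of the original post, and not Suricata project code), the following POSIX sh wrapper composes a launch line in the OPTION 2 form from the post: one `--pfring=<iface>` argument per capture interface, plus the `--pfring-cluster-id` / `--pfring-cluster-type=cluster_flow` settings from the wiki snippet, and no `-i` options. The binary and config paths, the interface names and the cluster id are placeholders chosen here, not values from the post; the function checks each interface against `/sys/class/net` before launching so a typo fails early instead of at capture time.

```shell
#!/bin/sh
# Added example: build and launch a multi-interface PF_RING command line for
# Suricata. Paths, interface names and cluster id below are assumptions.

SURICATA_BIN="${SURICATA_BIN:-/usr/bin/suricata}"          # assumed path
SURICATA_CFG="${SURICATA_CFG:-/etc/suricata/suricata.yaml}"  # assumed path

# pfring_args CLUSTER_ID IFACE... : print the PF_RING arguments, one per line.
# All interfaces share one cluster id so flows are balanced across them.
pfring_args() {
    cluster_id="$1"; shift
    if [ "$#" -eq 0 ]; then
        echo "pfring_args: at least one interface is required" >&2
        return 1
    fi
    printf '%s\n' "--pfring-cluster-id=$cluster_id"
    printf '%s\n' "--pfring-cluster-type=cluster_flow"
    for iface in "$@"; do
        printf '%s\n' "--pfring=$iface"
    done
}

# iface_exists NAME : succeed only if the kernel knows this interface
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# launch_suricata CLUSTER_ID IFACE... : validate, then exec suricata with the
# composed arguments (interface names contain no whitespace, so word-splitting
# the printed list is safe).
launch_suricata() {
    cluster_id="$1"; shift
    for iface in "$@"; do
        if ! iface_exists "$iface"; then
            echo "launch_suricata: no such interface: $iface" >&2
            return 1
        fi
    done
    set -- $(pfring_args "$cluster_id" "$@")
    exec "$SURICATA_BIN" -c "$SURICATA_CFG" "$@"
}

# Example invocation (placeholder interface names):
#   launch_suricata 99 eth0 eth1
```

Run `pfring_args 99 eth0 eth1` on its own to see the argument list before committing to a launch; `launch_suricata` replaces the shell with the suricata process, so call it last in an init script.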