[Oisf-users] Can't coax Suricata to listen on ETH1 exclusively

Todd Howe todd.howe at pathcom.com
Thu Feb 26 15:34:47 UTC 2015

Hello list;

New user here. I've installed Suricata on a Debian Jessie VM in a small testbed I'm setting up. The VM has two NICs: ETH0, on a noisy vSphere network 192.168.10.x for shelling in and internet access, and ETH1, which is in my test subnet. Ifconfig and ping confirm that these NICs are both up.

I can't get Suricata to stop listening on ETH0 and to listen _only_ on ETH1. (If it's relevant, I've set it to af-packet mode in /etc/default/suricata to avoid the check_nfqueue() bug.)

I've tried the following:

- starting it up with the command 'suricata -c /etc/suricata/suricata.yaml -i eth1' as the docs advise
- changing every instance of '- interface: eth0' in /etc/suricata/suricata.yaml to '- interface: eth1'
- setting IFACE=eth1 in /etc/default/suricata despite the comment saying it's only for pcap because, well, I'm out of ideas

The logs fill up with garbage from ETH0. What could I be missing?

