[Oisf-users] Can't coax Suricata to listen on ETH1 exclusively

Leonard Jacobs ljacobs at netsecuris.com
Fri Mar 20 23:11:37 UTC 2015


When using af-packet mode, you set the pair of interfaces used in that section of the suricata.yaml file and not on the command line used to invoke suricata.
 
suricata -c /etc/suricata/suricata.yaml --af-packet
 
See https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/.
 
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Todd Howe
Sent: Thursday, February 26, 2015 9:33 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Can't coax Suricata to listen on ETH1 exclusively
 
Hello list;
 
New user here. I've installed Suricata on a Debian Jessie VM in a small testbed I'm setting up. The VM has two NICs, ETH0: on a noisy vSphere network 192.168.10.x for shelling in and internet access, and ETH1: which is in my test subnet. Ifconfig and ping confirm that these NICs are both up.
 
I can't get Suricata to stop listening on ETH0: and to listen _only_ on ETH1: (If it's relevant, I've set it to af-packet mode in /etc/default/suricata to avoid the check_nfqueue() bug)
 
I've tried the following:
 
- starting it up with the command 'suricata -c /etc/suricata/suricata.yaml -i eth1' as the docs advise
- changing every instance of '- interface: eth0' in /etc/suricata/suricata.yaml to '- interface: eth1'
- setting IFACE=eth1 in /etc/default/suricata despite the comment saying it's only for pcap because, well, I'm out of ideas
 
The logs fill up with garbage from ETH0: What could I be missing?
 
Thanks;
Todd
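
As an added illustration of the reply above (not part of the original thread and not the Suricata project's shipped configuration): an af-packet section for suricata.yaml that captures on eth1 only. The cluster-id, thread count and tuning values are assumed sample values.

```yaml
# Added example: af-packet section of /etc/suricata/suricata.yaml for
# capture on eth1 only. Everything except the interface name is a sample
# value (assumption), not taken from the thread.
af-packet:
  # Started as `suricata -c /etc/suricata/suricata.yaml --af-packet` with no
  # interface argument, Suricata opens every named interface in this list,
  # so a leftover `- interface: eth0` entry keeps eth0 traffic in the logs.
  - interface: eth1
    threads: 1
    cluster-id: 99              # must be unique per interface entry
    cluster-type: cluster_flow  # keep all packets of a flow on one thread
    defrag: yes
    use-mmap: yes
    # For the inline (IPS) pair described in the linked article, each of the
    # two entries additionally sets copy-mode and copy-iface, with copy-iface
    # naming the other interface of the pair.

  # Fallback values for keys missing from the entries above.
  # This entry does not add a capture interface.
  - interface: default
    threads: 1
```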