[Oisf-users] Fwd: Suricata multi tenancy questions

Anoop Saxena anoopath at gmail.com
Mon Feb 15 12:09:00 UTC 2016


Hi Team,

We have been working on setting up Suricata for some time and have been
able to get it to work for a single tenant.

The data is sent using the sFlow protocol to my Ubuntu VM, where we are using
sflowtool to decapsulate the flow to pcap, which is further given to Suricata
using the command below:

sflowtool -p 6346 -t | suricata -r - -c Suricata.yaml

We have multiple servers sending sFlow data to a centralized Suricata VM
(single NIC). The goal is to segregate traffic based on source.
How can we segregate the traffic or have multi-tenancy based on multiple sources?

I referred to following link
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Multi_Tenancy

that talks about using VLAN IDs, but this doesn't suit our requirement.

JFYI, we have traffic in terabytes and the network is huge, so we don't have a
specific place in the network to install an IDS system.

Thanks,
Anoop Saxena
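One defender-side way to get per-source segregation out of the pipeline described above, added here as an example (it is not the poster's setup nor code from the Suricata project): a small Python demultiplexer that reads the pcap stream sflowtool emits on stdout, assigns each sampled frame to a tenant by the IPv4 source prefix of the sampled packet, and writes one pcap per tenant. The tenant table, the prefixes and all sample frames are constructed for the demo. It assumes each monitored source can be identified by an IPv4 prefix; note that after sflowtool -t only the sampled frames remain, so this keys on the sampled packet's source address, not on the address of the exporting sFlow agent. Each per-tenant pcap can then be fed to its own Suricata instance (or, with multi-detect's direct selector, submitted through the unix socket pcap-file command with a tenant id).

```python
#!/usr/bin/env python3
"""Split a pcap stream (e.g. sflowtool -t output) into per-tenant pcap files
by the sampled packet's IPv4 source prefix. Added example: the tenant table
and sample frames below are constructed, not taken from the original post."""
import ipaddress
import struct
import sys
from pathlib import Path

PCAP_MAGIC = 0xA1B2C3D4      # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100

# Hypothetical tenant table (constructed): first matching prefix wins.
TENANT_TABLE = [
    (ipaddress.ip_network("10.1.0.0/16"), "tenant-a"),
    (ipaddress.ip_network("10.2.0.0/16"), "tenant-b"),
]

def pcap_global_header():
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

def pcap_record(frame, ts_sec=0, ts_usec=0):
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def iter_pcap_records(data):
    """Yield (record_header, frame) for every complete record in a pcap buffer."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        incl_len = struct.unpack("<IIII", hdr)[2]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated trailing record: drop it rather than mis-parse it
        yield hdr, frame
        off += 16 + incl_len

def ipv4_src(frame):
    """IPv4 source of an Ethernet frame (one 802.1Q tag tolerated), else None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    if ethertype == ETHERTYPE_VLAN:          # skip a single VLAN tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        off = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    return ipaddress.IPv4Address(frame[off + 12:off + 16])

def tenant_for(src, table=TENANT_TABLE):
    for net, tenant in table:
        if src in net:
            return tenant
    return None

def demux_pcap(data, table=TENANT_TABLE, default="unassigned"):
    """Return ({tenant: pcap_bytes}, {tenant: packet_count}). Frames that are
    not IPv4 or match no prefix go to the default bucket so nothing is lost."""
    buckets, counts = {}, {}
    for hdr, frame in iter_pcap_records(data):
        src = ipv4_src(frame)
        tenant = (tenant_for(src, table) if src is not None else None) or default
        buckets.setdefault(tenant, bytearray(pcap_global_header())).extend(hdr + frame)
        counts[tenant] = counts.get(tenant, 0) + 1
    return {t: bytes(b) for t, b in buckets.items()}, counts

def make_frame(src, dst, vlan=None):
    """Constructed minimal Ethernet/IPv4/UDP frame for the demo (checksums zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp

# Constructed sample capture: two tenant-a frames (one VLAN-tagged), one
# tenant-b frame and one frame from a prefix that is not in the table.
SAMPLE_PCAP = pcap_global_header() + b"".join(
    pcap_record(make_frame(src, "192.0.2.10", vlan), ts_sec=i)
    for i, (src, vlan) in enumerate([("10.1.0.5", None), ("10.2.0.7", None),
                                     ("10.1.3.9", 100), ("198.51.100.4", None)])
)

def write_buckets(buckets, outdir):
    """Write one <tenant>.pcap per bucket; returns the paths written."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for tenant, data in buckets.items():
        path = outdir / f"{tenant}.pcap"
        path.write_bytes(data)
        paths.append(path)
    return paths

if __name__ == "__main__":
    # usage: sflowtool -p 6346 -t | python3 demux.py /var/tmp/tenants
    buckets, counts = demux_pcap(sys.stdin.buffer.read())
    write_buckets(buckets, sys.argv[1] if len(sys.argv) > 1 else "tenants")
    print(counts)
```

As written the script buffers the whole stdin stream until EOF, which is fine for a bounded capture; for a continuous sflowtool feed you would rotate the per-tenant files on a size or time boundary and hand each completed file to the matching Suricata instance. Frames that are not IPv4 or do not match any prefix are kept in the "unassigned" bucket rather than dropped, so a gap in the tenant table shows up as a file to inspect instead of silently lost traffic.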