[Oisf-users] Multiple Instances of Suricata for Different Outputs

[Kerry Milestone]

I wish to have different eve outputs for different groups yet all
heading to the same redis target, and onwards.

ie,

-o- with full URL or files, maybe extraction for certain hosts but not
others
-o- with full packet capture on alerts for some hosts/networks
-o- with SMTP extraction for specific grouped business units, but not others
-o- others things of current importance

With pfring, it shouldn't be too difficult to zero copy packets
efficiently to [kvm] separate machine running custom rulesets.

Is there a better way of doing this?

I've looked at the multi-tenant options, however splitting them out via
VLANs isn't a viable option.

Suggestions would be welcomed.

Kerry.




-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.