[Oisf-users] Suricata - vars and multiple interfaces
Victor Julien
lists at inliniac.net
Wed Aug 8 19:47:59 UTC 2018
On 07-08-18 17:52, Davide Setti wrote:
> You are right Victor! The problem was the "test config" option. Now it
> runs (at least without any error till now).
In https://github.com/OISF/suricata/pull/3448 the -T option should work
as you expected.
> Now I will test if everything works as expected.
>
> I will just ask you for a little explanation: how is tenant-specific
> configuration handled against the global configuration? Does it completely
> override global keys, or is it a partial override?
> I.e.: may I just define different HOME_NET and EXTERNAL_NET, inheriting
> other configs (rule files, port vars, etc.) from the globals, or do I need to
> define every element which could be tenant-specific, even for shared ones
> (rules, ports, etc.)?
I've documented them here:
https://github.com/OISF/suricata/blob/a3caef78ea538c4362e71368be7fc1265bc47538/doc/userguide/configuration/multi-tenant.rst#per-tenant-settings
Cheers,
Victor
> Thanks,
> Davide
>
> 2018-08-07 15:40 GMT+02:00 Victor Julien <lists at inliniac.net>:
>
> On 07-08-18 15:20, Davide Setti wrote:
> > Hi Victor,
> >
> > I just tested a sample configuration against that PR on Ubuntu 16.04 LTS
> > and I got a strange error.
> >
> > Here is my sample config (in short):
> >
> > af-packet:
> >   - interface: eno2
> >     threads: 1
> >     cluster-id: 91
> >     cluster-type: cluster_flow
> >
> >   - interface: enp2s0f0
> >     threads: 1
> >     cluster-id: 92
> >     cluster-type: cluster_flow
> >
> > multi-detect:
> >   enabled: yes
> >   selector: device
> >   loaders: 2
> >   tenants:
> >     - id: 1
> >       yaml: eno1.yaml
> >     - id: 2
> >       yaml: enp2s0f0.yaml
> >
> >   mappings:
> >     - device: eno2
> >       tenant-id: 1
> >     - device: enp2s0f0
> >       tenant-id: 2
> >
> > Whenever I test it with multi-detect enabled I get an error reporting
> > that the mapping device does not exist.
>
> Does it work without the -T option? I haven't looked into it yet, but
> I'm guessing with -T the interfaces are not initialized in any way.
>
> In fact, with -T suricata doesn't even know which capture method you
> intend to use.
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> --
> Davide Setti
> R&D and Incident Response Team, Certego
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
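The error Davide hit can be caught before Suricata is even started by cross-checking the multi-detect section against the af-packet interface list. This is an added example, not code from the thread or from the Suricata project; it works on the already-parsed YAML (a plain dict mirroring the posted snippet) so it needs no PyYAML, and `check_multi_detect` / `with_device_renamed` are hypothetical helper names.

```python
"""Static consistency check for a Suricata af-packet + multi-detect config.
Operates on the parsed YAML as a dict; no PyYAML dependency (added example)."""
import copy

# Constructed copy of the config quoted in the thread, in parsed form.
POSTED_CONFIG = {
    "af-packet": [
        {"interface": "eno2", "threads": 1, "cluster-id": 91, "cluster-type": "cluster_flow"},
        {"interface": "enp2s0f0", "threads": 1, "cluster-id": 92, "cluster-type": "cluster_flow"},
    ],
    "multi-detect": {
        "enabled": "yes",
        "selector": "device",
        "loaders": 2,
        "tenants": [{"id": 1, "yaml": "eno1.yaml"}, {"id": 2, "yaml": "enp2s0f0.yaml"}],
        "mappings": [{"device": "eno2", "tenant-id": 1}, {"device": "enp2s0f0", "tenant-id": 2}],
    },
}


def check_multi_detect(cfg):
    """Return a list of problem strings; an empty list means the config is consistent."""
    problems = []
    md = cfg.get("multi-detect", {})
    if str(md.get("enabled", "no")).lower() != "yes":
        return problems  # nothing to cross-check when multi-detect is off
    ifaces = [i.get("interface") for i in cfg.get("af-packet", [])]
    cluster_ids = [i.get("cluster-id") for i in cfg.get("af-packet", [])]
    tenant_ids = {t.get("id") for t in md.get("tenants", [])}
    for dup in sorted({c for c in cluster_ids if cluster_ids.count(c) > 1}):
        problems.append(f"cluster-id {dup} used by more than one af-packet interface")
    if md.get("selector") == "device":
        mapped = set()
        for m in md.get("mappings", []):
            dev, tid = m.get("device"), m.get("tenant-id")
            if dev not in ifaces:  # the condition behind "mapping device does not exist"
                problems.append(f"mapping device {dev!r} is not an af-packet interface")
            if tid not in tenant_ids:
                problems.append(f"mapping for {dev!r} references unknown tenant-id {tid}")
            mapped.add(tid)
        for tid in sorted(tenant_ids - mapped):
            problems.append(f"tenant-id {tid} has no device mapping")
    return problems


def with_device_renamed(cfg, old, new):
    """Copy of cfg with af-packet interface `old` renamed to `new`, mappings untouched,
    to model a mapping whose device has no matching capture interface."""
    out = copy.deepcopy(cfg)
    for iface in out.get("af-packet", []):
        if iface.get("interface") == old:
            iface["interface"] = new
    return out
```

Running the check on the posted config returns no problems; renaming one af-packet interface while leaving the mapping alone reproduces the unknown-device condition as a single finding.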