[Oisf-users] Suricata Multiple Interfaces

Kevin Branch kevin at branchnetconsulting.com
Tue Nov 20 22:30:54 UTC 2018

I've used Suricata on 5 interfaces at once with good results, actually a
separate instance per interface and multiple threads per instance, but all
on the same physical box.  I don't think the main limit is interface count
but raw traffic volume to be processed.  If you have
enough memory and cores to spread around, and your rule set is trimmed down
well and your BPF filters are tuning out waste noise, you can do quite a
bit of Suricata monitoring on a single box.  Keep an eye on packet loss at
the kernel and PF_RING levels, as well as CPU and memory utilization levels.


On Tue, Nov 20, 2018 at 5:22 PM Jordon Carpenter <
jordon.carpenter at rooksecurity.com> wrote:

> Is there a limit on the amount of interfaces Suricata can Monitor? I have
> done two and have been successful, but needing to bump it up to 3.
> Currently using pf_ring and Suricata 4.1.
> *Thanks,Jordon Carpenter*
> Rook Security <https://www.rooksecurity.com/>
> *Anticipate, Manage, & Eliminate Threats*
> O: 888.712.9531 x734 <(888)%20712-9531>
> E: jordon.carpenter at rooksecurity.com
> [image: rookteam] <https://www.facebook.com/rookteam>    [image:
> rooksecurity] <https://twitter.com/rooksecurity>    [image: Rook LinkedIn]
> <https://www.linkedin.com/company/rook-security>
> This e-mail may contain confidential and privileged material for the sole
> use of the intended recipient. Any review, use, distribution or disclosure
> by others is strictly prohibited. If you are not the intended recipient (or
> authorized to receive for the recipient), please contact the sender by
> reply e-mail and delete all copies of this message.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181120/12ced515/attachment.html>

More information about the Oisf-users mailing list