[Oisf-users] Suricata Multiple Interfaces

Leonard Jacobs ljacobs at netsecuris.com
Tue Nov 20 23:00:47 UTC 2018


We use four 1Gbps interfaces in af_packet mode (2 pairs) all the time with one instance of Suricata and everything works fine.  The appliances we use have a single i7 processor and 8 GB of memory.  The appliances we purchase have 6 interfaces but we have not tried 3 pairs because we reserve the 6th port for management/log collection.


We have been using af_packet mode from day one of using Suricata.  (From what I remember, 3 to 4 years maybe 5.  Basically, since af_packet has been available.)  We have always used Ubuntu server.



These interfaces have bypass built in for power failure and with extra software installed can bypass for o/s failure.


Like I said before, we have never had any problems except in the earlier days, when we used Atom processors.  They worked great except when bandwidth increased.  That is when we went to i7's.



And we have not tried 4.1 yet.  Hopefully soon in test mode.

Leonard Jacobs



 From:   Kevin Branch <kevin at branchnetconsulting.com> 
 To:   <jordon.carpenter at rooksecurity.com> 
 Cc:   <oisf-users at lists.openinfosecfoundation.org> 
 Sent:   11/20/2018 4:30 PM 
 Subject:   Re: [Oisf-users] Suricata Multiple Interfaces 


I've used Suricata on 5 interfaces at once with good results, actually a separate instance per interface and multiple threads per instance, but all on the same physical box.  I don't think the main limit is interface count but raw traffic volume to be processed.  If you have enough memory and cores to spread around, and your rule set is trimmed down well and your BPF filters are tuning out waste noise, you can do quite a bit of Suricata monitoring on a single box.  Keep an eye on packet loss at the kernel and PF_RING levels, as well as CPU and memory utilization levels.


Kevin


On Tue, Nov 20, 2018 at 5:22 PM Jordon Carpenter <jordon.carpenter at rooksecurity.com> wrote:


Is there a limit on the number of interfaces Suricata can monitor? I have done two and have been successful, but I need to bump it up to 3. Currently using pf_ring and Suricata 4.1.

Thanks,
Jordon Carpenter
Rook Security
Anticipate, Manage, & Eliminate Threats

O: 888.712.9531 x734
E: jordon.carpenter at rooksecurity.com

        


_______________________________________________
 Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
 Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
 List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
 
 Conference: https://suricon.net
 Trainings: https://suricata-ids.org/training/ 
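
An added example, not from any of the posters or from the Suricata project: one way to follow the advice above about watching kernel-level packet loss when running one Suricata instance per interface. It reads each instance's EVE JSON log, takes the cumulative capture.kernel_packets and capture.kernel_drops counters from the stats events, and reports instances whose drop rate in any interval exceeds a threshold. The interface names, the 1% threshold and the sample records are constructed for illustration.

```python
import json

def stats_samples(lines):
    """Yield (kernel_packets, kernel_drops) from EVE 'stats' events only."""
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # truncated line, e.g. log rotated mid-write
        if not isinstance(event, dict) or event.get("event_type") != "stats":
            continue
        capture = event.get("stats", {}).get("capture", {})
        if "kernel_packets" in capture and "kernel_drops" in capture:
            yield capture["kernel_packets"], capture["kernel_drops"]

def interval_drop_pcts(lines):
    """Drop percentage for each interval between consecutive stats events."""
    pcts, prev = [], None
    for pkts, drops in stats_samples(lines):
        if prev is not None:
            d_pkts, d_drops = pkts - prev[0], drops - prev[1]
            if d_pkts < 0 or d_drops < 0:   # counters went backwards: restart
                d_pkts, d_drops = pkts, drops
            pcts.append(100.0 * d_drops / d_pkts if d_pkts else 0.0)
        prev = (pkts, drops)
    return pcts

def lossy_instances(logs, threshold_pct=1.0):
    """Map instance name -> worst interval drop %, for those above threshold."""
    worst = {name: max(interval_drop_pcts(lines), default=0.0)
             for name, lines in logs.items()}
    return {name: pct for name, pct in worst.items() if pct > threshold_pct}

def _stats(pkts, drops):
    """Build one constructed stats record with cumulative capture counters."""
    return json.dumps({"event_type": "stats", "stats": {
        "capture": {"kernel_packets": pkts, "kernel_drops": drops}}})

# Constructed sample logs, one per Suricata instance (interface names are made up).
SAMPLE_LOGS = {
    "eth1": [_stats(1_000_000, 0), _stats(2_000_000, 50_000)],
    "eth2": ['{"event_type":"alert"}', _stats(500_000, 100), _stats(1_000_000, 100)],
    "eth3": [_stats(9_000_000, 90_000), _stats(200_000, 4_000), '{"event_type":"sta'],
}

if __name__ == "__main__":
    for name, pct in sorted(lossy_instances(SAMPLE_LOGS).items()):
        print(f"{name}: worst interval drop rate {pct:.1f}%")
```

Working on deltas between consecutive stats events rather than lifetime totals keeps a short burst of loss from being averaged away by hours of clean traffic, and the restart check stops a counter reset from producing a negative rate.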
