[Oisf-users] Question on multiple instances of Suricata

Oliver Humpage oliver at watershed.co.uk
Tue May 14 20:11:30 UTC 2019


> On 14 May 2019, at 20:46, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> 
> Is it ok to install multiple instances of Suricata on a single computer?  We want to run Suricata in both IPS mode and IDS mode on two different network segments (external and internal networks) but not sure how else to run the same rule set on the same computer in both modes except by running two instances of Suricata with separate yaml files.

FWIW we run multiple instances of suricata on one (FreeBSD) server, to get different rulesets on different interfaces. No problems at all - we just renamed the service scripts to be suricata_<iface_name> so their startup config can reference different yaml files. Obviously in the yaml files you need to set each instance to log to a different folder, listen on a different interface, etc.

There may be a way to do what you want with one instance, but multiple instances should work if not.

Oliver.
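
A pre-flight check for the per-instance settings mentioned in the reply above (log folder, interface, and similar), added here as an example and not part of the original post. The two config excerpts and the instance names are constructed; the keys read are standard suricata.yaml settings (default-log-dir, pid-file, unix-command filename, capture interfaces).

```python
import re
from collections import defaultdict

CAPTURE_SECTIONS = {"af-packet", "pcap", "netmap"}
TOP_LEVEL = {"default-log-dir": "log-dir", "pid-file": "pid-file"}

def per_instance_resources(yaml_text):
    """Line-based scan (not a full YAML parser) for settings that must differ."""
    found, section = set(), None
    for raw in yaml_text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        top = re.match(r"([\w-]+):\s*(.*)$", line)
        if top:  # unindented key: start of a new top-level section
            section, value = top.groups()
            if section in TOP_LEVEL and value:
                found.add((TOP_LEVEL[section], value.rstrip("/")))
            continue
        item = re.match(r"\s+(?:-\s+)?([\w-]+):\s*(\S+)", line)
        key, value = item.groups() if item else (None, None)
        if section in CAPTURE_SECTIONS and key == "interface" and value != "default":
            found.add(("interface", value))
        elif section == "unix-command" and key == "filename":
            found.add(("socket", value))
    return found

def find_collisions(configs):
    """configs: {instance name: yaml text} -> {(kind, value): [instance names]}."""
    users = defaultdict(list)
    for name, text in configs.items():
        for resource in per_instance_resources(text):
            users[resource].append(name)
    return {r: sorted(n) for r, n in users.items() if len(n) > 1}

# Constructed sample configs, trimmed to the relevant keys.
EXTERNAL = """\
default-log-dir: /var/log/suricata_em0/
pid-file: /var/run/suricata_em0.pid
netmap:
  - interface: em0
"""
INTERNAL = """\
default-log-dir: /var/log/suricata_em0   # left over from copying the first file
pid-file: /var/run/suricata_em2.pid
pcap:
  - interface: em2
"""
print(find_collisions({"external": EXTERNAL, "internal": INTERNAL}))
```

An empty result means no two instances share a log directory, PID file, command socket or capture interface.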


