[Oisf-users] Suricata seperate Rx/Tx connection

mohammad kashif kashif.alig at gmail.com
Fri Nov 1 10:38:41 UTC 2019


Hi Cooper, Michal

Thanks for your help. I have some further clarification.
>>  On a tap/monitor port everything is over the RX ports.
If both RX and TX ports are fully utilising up to 10G, then sending almost
20G on a single 10G RX channel will likely lead to oversubscription and
packet loss. Is this observation correct?

>> http://pevma.blogspot.com/2015/05/suricata-multiple-interface.html
As I mentioned earlier, I have RX on eth1 and TX on eth2. So in the above
configuration, should I use a separate cluster ID for each of eth1 and eth2,
and will Suricata somehow know how to make sense of the flow?

Regards

Kashif





On Wed, Oct 30, 2019 at 8:41 PM Nelson, Cooper <cnelson at ucsd.edu> wrote:

> Wow hit send instead of paste!
>
> http://pevma.blogspot.com/2015/05/suricata-multiple-interface.html
>
> *From:* Nelson, Cooper
> *Sent:* Wednesday, October 30, 2019 1:41 PM
> *To:* mohammad kashif <kashif.alig at gmail.com>
> *Cc:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* RE: [Oisf-users] Suricata seperate Rx/Tx connection
>
> This is what we are doing using a port channel on the Arista. Rx and Tx
> traffic from the same host will be directed to the same RX interface of a
> single NIC on our sensor.
>
> Basically all you have to do is tell suricata which runmode you are using,
> like --af-packet and then configure both interfaces in the suricata.yaml.
>
> Check out this guide from the great pevma
>
> *From:* mohammad kashif <kashif.alig at gmail.com>
> *Sent:* Wednesday, October 30, 2019 9:50 AM
> *To:* Nelson, Cooper <cnelson at ucsd.edu>
> *Cc:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* Re: [Oisf-users] Suricata seperate Rx/Tx connection
>
> Hi Cooper
>
> Sorry for not asking the question correctly. As I understand, Suricata
> needs both directions of the flow in a single instance to be able to analyse
> traffic. In our case, we are using two interfaces, say eth1 and eth2, for
> traffic capture, so can I tell suricata to use both interfaces together, and
> how?
>
> Thanks and regards
>
> Kashif
>
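For the two-interface capture discussed in this thread (one tap leg on eth1, the other on eth2), here is an added example of the relevant af-packet section of suricata.yaml. It is not from the thread or from the linked blog post; the interface names, thread counts and cluster-id values are assumptions chosen for illustration.

```yaml
# Added example, not from the thread or the linked blog post.
# One Suricata process capturing both legs of a tap: one direction
# arrives on eth1, the other on eth2. Interface names, thread counts
# and cluster-id values below are assumptions for illustration.
af-packet:
  - interface: eth1            # tap leg carrying one direction
    threads: 4
    cluster-id: 98             # names this interface's fanout group; unique per interface
    cluster-type: cluster_flow # kernel hashes by flow within this interface
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
  - interface: eth2            # tap leg carrying the other direction
    threads: 4
    cluster-id: 99             # different from eth1's id
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
```

Each interface gets its own cluster-id because the id identifies that interface's AF_PACKET fanout group; the two entries do not share one. Flows are not tied to an interface: a single Suricata process keeps one flow table keyed on the packet 5-tuple, so a SYN seen on eth1 and its SYN/ACK seen on eth2 are matched into the same flow. Start it with `suricata -c /etc/suricata/suricata.yaml --af-packet` (no interface argument, so every interface listed in the af-packet section is captured), then check `capture.kernel_packets` and `capture.kernel_drops` per thread in stats.log: drops on either leg are packets lost before Suricata saw them, which is where the oversubscription concern raised above would show up.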