[Oisf-users] Suricata seperate Rx/Tx connection

Amar amar at countersnipe.com
Fri Nov 1 15:19:25 UTC 2019


      
  

  
  
Could bonding be the solution here? Bond eth1 and 2 and simply monitor the bond.

On Nov 1, 2019 at 4:08 PM, mohammad kashif <kashif.alig at gmail.com> wrote:
  
>
> Hi Cooper, Michal
>
> Thanks for your help. I have some further clarification.
>
> >> On a tap/monitor port everything is over the RX ports.
>
> If both RX and TX ports are fully utilising up to 10G, then sending almost 20G on a single 10G RX channel will likely lead to oversubscription and packet loss. Is this observation correct?
>
> >> http://pevma.blogspot.com/2015/05/suricata-multiple-interface.html
>
> As I mentioned earlier, I have RX on eth1 and TX on eth2. So in the above configuration, should I use separate cluster IDs for eth1 and eth2, and will Suricata somehow know how to make sense of the flow?
>
> Regards
>
> Kashif
>
> On Wed, Oct 30, 2019 at 8:41 PM Nelson, Cooper <cnelson at ucsd.edu> wrote:
> >
> > Wow hit send instead of paste!
> >
> > http://pevma.blogspot.com/2015/05/suricata-multiple-interface.html
> >
> > From: Nelson, Cooper
> > Sent: Wednesday, October 30, 2019 1:41 PM
> > To: mohammad kashif <kashif.alig at gmail.com>
> > Cc: oisf-users at lists.openinfosecfoundation.org
> > Subject: RE: [Oisf-users] Suricata seperate Rx/Tx connection
> >
> > This is what we are doing using a port channel on the Arista. Rx and Tx traffic from the same host will be directed to the same RX interface of a single NIC on our sensor.
> >
> > Basically all you have to do is tell suricata which runmode you are using, like --af-packet, and then configure both interfaces in the suricata.yaml.
> >
> > Check out this guide from the great pevma
> >
> > From: mohammad kashif <kashif.alig at gmail.com>
> > Sent: Wednesday, October 30, 2019 9:50 AM
> > To: Nelson, Cooper <cnelson at ucsd.edu>
> > Cc: oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] Suricata seperate Rx/Tx connection
> >
> > Hi Cooper
> >
> > Sorry for not asking the question correctly. As I understand, Suricata needs both directions of a flow in a single instance to be able to analyse traffic. In our case, we are using two interfaces, say eth1 and eth2, for traffic capture, so can I tell Suricata to use both interfaces together, and how?
> >
> > Thanks and regards
> >
> > Kashif
>
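As an added example (not part of the thread, and not taken from the pevma guide it links), this is the af-packet section of a suricata.yaml for the setup Kashif describes: one tap direction arriving on eth1 and the other on eth2, each interface with its own cluster-id. The interface names are the ones from the thread; the cluster-id values, thread counts and the other settings are assumptions to be sized for the sensor.

```yaml
# Added example, not the thread's or the Suricata project's own config.
# Two capture interfaces, one per tap direction. Each interface gets its
# own AF_PACKET fanout group (cluster-id); the values 99/98 and the thread
# counts are assumed, not taken from the thread.
af-packet:
  - interface: eth1            # RX side of the tap
    threads: 4
    cluster-id: 99             # fanout group for eth1's threads only
    cluster-type: cluster_flow # keep one flow on one thread per interface
    defrag: yes
    use-mmap: yes
  - interface: eth2            # TX side of the tap
    threads: 4
    cluster-id: 98             # must differ from eth1's cluster-id
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
```

Start Suricata with `--af-packet` and no interface argument so it reads every entry in this list. The cluster-id only scopes the kernel fanout among the threads of one interface; the flow table itself is shared by all capture threads of the process, which is why a connection whose two halves arrive on eth1 and eth2 is still tracked as a single flow. The cost is that the eth1 thread and the eth2 thread for the same flow are different threads touching the same flow entry. The oversubscription concern raised in the thread is visible in the capture counters Suricata writes to stats.log (capture.kernel_packets and capture.kernel_drops): a rising drop count on an interface means the kernel could not hand packets to Suricata fast enough, whether because the link is saturated or because too few threads are configured.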
  
  
     