[Oisf-users] Suricata separate Rx/Tx connection
Nelson, Cooper
cnelson at ucsd.edu
Wed Oct 30 15:53:06 UTC 2019
You answered your own question:
"We are using Arista switch as packet broker and mirroring Rx and Tx as Rx on two separate NIC Ports on the server."
You only see separate RX and TX on a server NIC that is sending packets outbound. On a tap/monitor port everything is over the RX ports.
In fact, during my Bell Labs days I remember Steve Bellovin used to make special cables for their honeypots that had the TX line severed, so there was no possibility of an information leak or ‘fail open’ type scenario.
-Coop
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of mohammad kashif
Sent: Wednesday, October 30, 2019 5:14 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Suricata separate Rx/Tx connection
Hi
I am exploring Suricata as an IDS for our 10Gbps setup. We are using an Arista switch as a packet broker and mirroring Rx and Tx as Rx on two separate NIC ports on the server.
As Suricata needs both sides of a flow to make sense of the traffic, what is the best way to present these two separate ports as one to Suricata?
Previously Snort was running on the same setup, using pfring with the option
-i eth0,eth1
Is there something similar in Suricata, or am I missing something obvious?
Regards
Kashif
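The setup Kashif describes (one mirror port per direction, each landing on its own NIC port) is normally handled in Suricata by listing both interfaces under one capture method rather than by a comma-joined interface name. The fragment below is an added example, not configuration from this thread or from the Suricata project; it assumes the two mirror ports are eth0 and eth1, and the cluster-id values are arbitrary (they only need to differ per interface).

```yaml
# suricata.yaml fragment (added example, assumed interface names eth0/eth1).
# Both ports are receive-only mirror legs, so Suricata captures on both and
# matches the two halves of each flow in its shared flow table.

# Optional: autofp hands packets to detect threads by flow hash, so the
# Rx leg (eth0) and Tx leg (eth1) of one connection are processed by the
# same thread even though they were captured by different threads.
runmode: autofp

af-packet:
  - interface: eth0          # mirror of the original Rx direction
    threads: auto
    cluster-id: 99           # arbitrary, must be unique per interface
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
  - interface: eth1          # mirror of the original Tx direction
    threads: auto
    cluster-id: 98           # arbitrary, must differ from eth0's
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
```

Start Suricata with `suricata -c suricata.yaml --af-packet` and no `-i` argument; without an interface on the command line, every entry in the `af-packet` list is opened. A quick check that both legs are being stitched together is to look at `flow` events in eve.json for connections where both `bytes_toserver` and `bytes_toclient` are non-zero; if one side stays at zero across the board, one of the mirror sessions on the switch is not delivering.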