[Oisf-users] Suricata seperate Rx/Tx connection
mohammad kashif
kashif.alig at gmail.com
Wed Oct 30 16:49:54 UTC 2019
Hi Cooper
Sorry for not asking the question correctly. As I understand, Suricata
needs both direction of flow in single instance to be able to analyse
traffic. In our case, we are using two interfaces say eth1 and eth2 for
traffic capture, so can I tell suricata to use both interface together and
how ?
Thanks and regards
Kashif
On Wed, Oct 30, 2019 at 3:53 PM Nelson, Cooper <cnelson at ucsd.edu> wrote:
> You answered your own question:
>
>
>
> “We are using Arista switch as packet broker and mirroring Rx and Tx as
> Rx on two separate NIC Ports on the server. “
>
>
>
> You only see separate RX and TX on a server NIC that is sending packets
> outbound. On a tap/monitor port everything is over the RX ports.
>
>
>
> In fact, during my Bell Labs days I remember Steve Bellovin used to make
> special cables for their honeypots that had the TX line severed, so there
> was no possibility of an information leak or ‘fail open’ type scenario.
>
>
>
> -Coop
>
>
>
> *From:* Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> *On
> Behalf Of *mohammad kashif
> *Sent:* Wednesday, October 30, 2019 5:14 AM
> *To:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* [Oisf-users] Suricata seperate Rx/Tx connection
>
>
>
> Hi
>
>
>
> I am exploring Suricata as IDS for our 10Gbps setup. We are using Arista
> switch as packet broker and mirroring Rx and Tx as Rx on two separate NIC
> Ports on the server.
>
> As suricata needs both side of flow to make sense of the traffic, what is
> the best way to present this two separate ports as one to suricata?
>
>
>
> Previously snort was running on the same setup and was using pfring and it
> was running with option
>
> -i eth0,eth1
>
>
>
> Is that something similar in suricata or I am missing something obvious?
>
>
>
> Regards
>
>
>
> Kashif
>
>
>
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191030/2023e271/attachment-0001.html>
More information about the Oisf-users
mailing list