[Oisf-users] Suricata seperate Rx/Tx connection

Michał Purzyński michalpurzynski1 at gmail.com
Wed Oct 30 18:36:53 UTC 2019 

You don’t need to use two Ethernet interfaces if your taps come into a pocket broker.

Look at Arista TapAgg documentation 

> On Oct 30, 2019, at 9:50 AM, mohammad kashif <kashif.alig at gmail.com> wrote:
> 
> 
> Hi Cooper
> 
> Sorry for not asking the question correctly. As I understand, Suricata needs both direction of flow in single instance to be able to analyse traffic. In our case, we are using two interfaces say eth1 and eth2 for traffic capture, so can I tell suricata to use both interface together and how ?
> 
> Thanks and regards
> 
> Kashif
> 
> 
>> On Wed, Oct 30, 2019 at 3:53 PM Nelson, Cooper <cnelson at ucsd.edu> wrote:
>> You answered your own question:
>> 
>>  
>> 
>> “We are using Arista switch as packet broker and mirroring Rx and Tx as Rx on two separate NIC Ports on the server. “
>> 
>>  
>> 
>> You only see separate RX and TX on a server NIC that is sending packets outbound.  On a tap/monitor port everything is over the RX ports.
>> 
>>  
>> 
>> In fact, during my Bell Labs days I remember Steve Bellovin used to make special cables for their honeypots that had the TX line severed, so there was no possibility of an information leak or ‘fail open’ type scenario. 
>> 
>>  
>> 
>> -Coop
>> 
>>  
>> 
>> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of mohammad kashif
>> Sent: Wednesday, October 30, 2019 5:14 AM
>> To: oisf-users at lists.openinfosecfoundation.org
>> Subject: [Oisf-users] Suricata seperate Rx/Tx connection
>> 
>>  
>> 
>> Hi
>> 
>>  
>> 
>> I am exploring Suricata as IDS for our 10Gbps setup. We are using Arista switch as packet broker and mirroring Rx and Tx as Rx on two separate NIC Ports on the server. 
>> 
>> As suricata needs both side of flow to make sense of the traffic, what is the best way to present this two separate ports as one to suricata? 
>> 
>>  
>> 
>> Previously snort was running on the same setup and was using pfring and it was running with option 
>> 
>> -i eth0,eth1   
>> 
>>  
>> 
>> Is that something similar in suricata or I am missing something obvious?
>> 
>>  
>> 
>> Regards
>> 
>>  
>> 
>> Kashif
>> 
>>  
>> 
>>  
>> 
>>  
>> 
>>  
>> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191030/508527b1/attachment.html>

More information about the Oisf-users mailing list