[Oisf-users] Suricata seperate Rx/Tx connection
Nelson, Cooper
cnelson at ucsd.edu
Wed Oct 30 20:41:06 UTC 2019
Wow hit send instead of paste!
http://pevma.blogspot.com/2015/05/suricata-multiple-interface.html
From: Nelson, Cooper
Sent: Wednesday, October 30, 2019 1:41 PM
To: mohammad kashif <kashif.alig at gmail.com>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: RE: [Oisf-users] Suricata seperate Rx/Tx connection
This is what we are doing using a port channel on the Arista. Rx and Tx traffic from the same host will be directed to the same RX interface of a single NIC on our sensor.
Basically all you have to do is tell suricata which runmode you are using, like --af-packet, and then configure both interfaces in the suricata.yaml.
Check out this guide from the great pevma
From: mohammad kashif <kashif.alig at gmail.com>
Sent: Wednesday, October 30, 2019 9:50 AM
To: Nelson, Cooper <cnelson at ucsd.edu>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata seperate Rx/Tx connection
Hi Cooper
Sorry for not asking the question correctly. As I understand, Suricata needs both directions of a flow in a single instance to be able to analyse traffic. In our case, we are using two interfaces, say eth1 and eth2, for traffic capture, so can I tell suricata to use both interfaces together, and how?
Thanks and regards
Kashif
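
The two-interface setup suggested in the reply above, as an added suricata.yaml fragment that is not from the thread or the linked guide. The names eth1 and eth2 come from the question; the cluster-id and threads values are assumptions.

```yaml
# Added example: af-packet section of suricata.yaml listing both capture
# interfaces, so that one Suricata process reads from eth1 and eth2.
# Interface names are taken from the question; cluster-id and threads
# values are assumed and should be adapted to the sensor.
af-packet:
  - interface: eth1
    threads: auto
    cluster-id: 99              # must be unique per interface
    cluster-type: cluster_flow  # packets of one flow go to the same thread
    defrag: yes
  - interface: eth2
    threads: auto
    cluster-id: 98              # different from the eth1 cluster-id
    cluster-type: cluster_flow
    defrag: yes
```

Started as `suricata -c /etc/suricata/suricata.yaml --af-packet` (path assumed) with no interface argument, Suricata uses every interface listed in this section. Running `suricata -T -c /etc/suricata/suricata.yaml` first checks that the file loads.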