Suricata – multiple interface configuration with af-packet

Suricata is a very flexible and powerful multithreading  IDS/IPS/NSM.

Here is a simple tutorial (tested on Debian/Ubuntu) of how to configure multiple interfaces for af-packet mode with Suricata (af-packet mode works by default/out of the box on kernels 3.2 and above). Lets say you would like to start simple IDSing with Suricata on eth1, eth2 and eth3 on a particular machine/server.

In your suricata.yaml config (usually located in /etc/suricata/) find the af-packet section and do the following:

af-packet:
  – interface: eth2
    threads: 16
    cluster-id: 98
    cluster-type: cluster_cpu
    defrag: no
    use-mmap: yes
    ring-size: 200000
    checksum-checks: kernel
  – interface: eth1
    threads: 2
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    ring-size: 30000
  – interface: eth3
    threads: 2
    cluster-id: 96
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    ring-size: 20000

Of course feel free to adjust the ring-sizes (packet buffers) as you see fit for your particular set up.
NOTE:  do not forget to use a different cluster-id

so now you can start suricata like so:

suricata -c /etc/suricata/suricata.yaml -v –af-packet 

That above will start Suricata which will listen on eth2 with 16 threads with cluster_type: cluster_cpu and on eth1,eth3 with 2 threads each with cluster_type: cluster_flow. Have a look in your suricata.log file for more info.

If you would like to just test and see how it goes for eth2 only:

suricata -c /etc/suricata/suricata.yaml -v –af-packet=eth2

…easy and flexible.

Print Share Comment Cite Upload Translate

APA

() » Suricata – multiple interface configuration with af-packet. Retrieved from https://www.truth.cx/2015/05/21/suricata-multiple-interface-configuration-with-af-packet/.

MLA

" » Suricata – multiple interface configuration with af-packet." - , https://www.truth.cx/2015/05/21/suricata-multiple-interface-configuration-with-af-packet/

HARVARD

» Suricata – multiple interface configuration with af-packet., viewed ,

VANCOUVER

- » Suricata – multiple interface configuration with af-packet. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2015/05/21/suricata-multiple-interface-configuration-with-af-packet/

CHICAGO

" » Suricata – multiple interface configuration with af-packet." - Accessed . https://www.truth.cx/2015/05/21/suricata-multiple-interface-configuration-with-af-packet/

IEEE

" » Suricata – multiple interface configuration with af-packet." [Online]. Available: https://www.truth.cx/2015/05/21/suricata-multiple-interface-configuration-with-af-packet/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa <br /><br />Suricata is a very flexible and powerful multithreading  IDS/IPS/NSM. <br /><br />Here is a simple tutorial (tested on Debian/Ubuntu) of how to configure multiple interfaces for af-packet mode with Suricata (af-packet mode works by default/out of the box on kernels 3.2 and above). Lets say you would like to start simple IDSing with Suricata on eth1, eth2 and eth3 on a particular machine/server.<br /><br /><br />In your suricata.yaml config (usually located in <i>/etc/suricata/</i>) find the af-packet section and do the following:<br /><br /><br /><blockquote class="tr_bq">af-packet:<br />  - interface: eth2<br />    threads: 16<br />   <b> cluster-id: 98</b><br />    cluster-type: cluster_cpu<br />    defrag: no<br />    use-mmap: yes<br />    ring-size: 200000<br />    checksum-checks: kernel<br />  - interface: eth1<br />    threads: 2<br />    <b>cluster-id: 97</b><br />    cluster-type: cluster_flow<br />    defrag: no<br />    use-mmap: yes<br />    ring-size: 30000<br />  - interface: eth3<br />    threads: 2<br />    <b>cluster-id: 96</b><br />    cluster-type: cluster_flow<br />    defrag: no<br />    use-mmap: yes<br />    ring-size: 20000</blockquote>Of course feel free to adjust the <i>ring-sizes</i> (packet buffers) as you see fit for your particular set up.<br /><b>NOTE:</b>  do not forget to use a different cluster-id<br /><br />so now you can start suricata like so:<br /><br /><blockquote class="tr_bq">suricata -c /etc/suricata/suricata.yaml -v --af-packet </blockquote><br />That above will start Suricata which will listen on eth2 with 16 threads with <i>cluster_type: cluster_cpu</i> and on eth1,eth3 with 2 threads each with <i>cluster_type: cluster_flow</i>. Have a look in your suricata.log file for more info.<br /><br />If you would like to just test and see how it goes for eth2 only: <br /><blockquote class="tr_bq">suricata -c /etc/suricata/suricata.yaml -v --af-packet=eth2 </blockquote><br />...easy and flexible. <br /><br /><br /><br /><br /><br /><br /><br /> First name:

Last name: