Suricata is a very flexible and powerful multithreading IDS/IPS/NSM.
Here is a simple tutorial (tested on Debian/Ubuntu) on how to configure multiple interfaces for af-packet mode with Suricata (af-packet mode works by default/out of the box on kernels 3.2 and above). Let's say you would like to start simple IDSing with Suricata on eth1, eth2 and eth3 on a particular machine/server.
In your suricata.yaml config (usually located in /etc/suricata/) find the af-packet section and do the following:
af-packet:
  - interface: eth2
    threads: 16
    cluster-id: 98
    cluster-type: cluster_cpu
    defrag: no
    use-mmap: yes
    ring-size: 200000
    checksum-checks: kernel
  - interface: eth1
    threads: 2
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    ring-size: 30000
  - interface: eth3
    threads: 2
    cluster-id: 96
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    ring-size: 20000
Of course, feel free to adjust the ring-sizes (packet buffers) as you see fit for your particular setup.
NOTE: do not forget to use a different cluster-id for each interface.
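A quick sanity check for that NOTE, as an added example that is not part of the original post: a dependency-free Python script that reads the af-packet interface entries out of a suricata.yaml and reports interfaces sharing a cluster-id (plus a missing/non-numeric cluster-id or a bad threads value). The embedded YAML is a constructed sample in the post's layout, with eth3 deliberately reusing eth1's cluster-id so the check has something to find.

```python
# Added example (not from the original post): checks the af-packet interface list
# in suricata.yaml for the mistake the NOTE warns about (a reused cluster-id).
import re
from typing import Dict, List

# Constructed sample config; eth3 intentionally reuses eth1's cluster-id.
SAMPLE_YAML = """
af-packet:
  - interface: eth2
    threads: 16
    cluster-id: 98
  - interface: eth1
    threads: 2
    cluster-id: 97
  - interface: eth3
    threads: auto
    cluster-id: 97
"""

def parse_af_packet(text: str) -> List[Dict[str, str]]:
    """Collect '- interface:' entries and the flat 'key: value' lines that follow each."""
    ifaces: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = re.match(r"^\s*(-\s*)?([\w-]+):\s*(\S.*)?$", line)
        if not m:
            continue
        dash, key, value = m.group(1), m.group(2), (m.group(3) or "").strip()
        if dash:
            ifaces.append({key: value})   # a new list item starts a new interface block
        elif ifaces:
            ifaces[-1][key] = value       # attribute of the current interface block
    return ifaces

def check_af_packet(ifaces: List[Dict[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means the entries look consistent."""
    problems: List[str] = []
    owner: Dict[str, str] = {}   # cluster-id -> first interface that claimed it
    for n, cfg in enumerate(ifaces):
        name = cfg.get("interface", f"<entry {n}>")
        cid = cfg.get("cluster-id", "")
        if not cid.isdigit():
            problems.append(f"{name}: cluster-id missing or not numeric")
        elif cid in owner:
            problems.append(f"{name}: cluster-id {cid} already used by {owner[cid]}")
        else:
            owner[cid] = name
        threads = cfg.get("threads", "auto")   # Suricata accepts 'auto' or a count
        if threads != "auto" and not (threads.isdigit() and int(threads) > 0):
            problems.append(f"{name}: threads must be 'auto' or a positive integer")
    return problems

if __name__ == "__main__":
    for p in check_af_packet(parse_af_packet(SAMPLE_YAML)):
        print("PROBLEM:", p)
```

To check a real file, replace SAMPLE_YAML with the contents of /etc/suricata/suricata.yaml; the parser only looks at flat key: value lines, which is all the af-packet entries above use.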
Now you can start Suricata like so:
suricata -c /etc/suricata/suricata.yaml -v --af-packet
The above will start Suricata listening on eth2 with 16 threads (cluster-type: cluster_cpu) and on eth1 and eth3 with 2 threads each (cluster-type: cluster_flow). Have a look in your suricata.log file for more info.
If you would like to just test and see how it goes for eth2 only:
suricata -c /etc/suricata/suricata.yaml -v --af-packet=eth2
...easy and flexible.