SELKS and multiple span ports


Bartek Mazurczak

Mar 5, 2015, 2:54:31 AM
to se...@googlegroups.com
Hi,
I have configuration with multiple interfaces, e.g.:
eth0 - access to internet (update rules)
eth1 - management
eth2 - span port from router1
eth3 - span port from router2

Currently I have configured only eth2 and it works great. How should I configure both eth2 and eth3?

Eric Leblond

Mar 5, 2015, 3:39:17 AM
to Bartek Mazurczak, se...@googlegroups.com
Hi,
You have to edit /etc/suricata/suricata.yaml. There, in the af-packet section, set up the new interfaces. Then restart the suricata service.

BR,
 

--
IRC: Let's talk about SELKS on Freenode IRC on the #SELKS channel
Wiki: https://github.com/StamusNetworks/SELKS/wiki
GitHub: https://github.com/StamusNetworks/SELKS
Blog: https://www.stamus-networks.com/theblog/
Twitter: @StamusN
g+: Stamus Networks
---
You received this message because you are subscribed to the Google Groups "SELKS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to selks+un...@googlegroups.com.
To post to this group, send email to se...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Bartek Mazurczak

Mar 5, 2015, 6:40:19 AM
to se...@googlegroups.com, mazur...@gmail.com, eleb...@stamus-networks.com
Something like this:
af-packet:
  - interface: eth2
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1
    # Default clusterid.  AF_PACKET will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are send to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
    cluster-type: cluster_flow
    # In some fragmentation case, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes

  - interface: eth3
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1
    # Default clusterid.  AF_PACKET will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are send to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
    cluster-type: cluster_flow
    # In some fragmentation case, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes

Eric Leblond

Mar 5, 2015, 7:05:32 AM
to Bartek Mazurczak, se...@googlegroups.com, eleb...@stamus-networks.com
Hi,

On Thu, Mar 5, 2015 at 12:40 PM Bartek Mazurczak <mazur...@gmail.com> wrote:
Something like this:

yes, minor comment inline.
Use a different cluster-id than the one used in the other iface.
 
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are send to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
    cluster-type: cluster_flow
    # In some fragmentation case, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes

BR,

Peter Manev

Mar 5, 2015, 7:07:39 AM
to Bartek Mazurczak, se...@googlegroups.com, Eric Leblond
Hi Bartek,

Some suggestions:

You do not need the comment lines - but this is cosmetics.
Make sure you change the cluster-id in the second (eth3) config
section so that it is different - 98 for example.
Depending on the number of CPUs you have - you can increase the
"threads" number in both eth config sections.
Make sure you follow the same specific "structure" - yaml is very
peculiar about newlines, spaces and indentation.

thank you
--
Regards,
Peter Manev
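The checks Eric and Peter describe (each af-packet interface needs its own cluster-id, the thread count should fit the CPU count, and the YAML indentation must be consistent) can be run against suricata.yaml before restarting Suricata. The script below is an added example, not code from any poster or from the SELKS project; it uses a simplified line-based parser for the flat `key: value` entries of the af-packet section rather than a full YAML parser, and the SAMPLE_YAML it ships with is a constructed copy of the config posted above, with eth3 still sharing cluster-id 99.

```python
"""Sanity-check the af-packet section of a suricata.yaml before restarting Suricata."""
import os
import sys

# Constructed sample: the two-interface config from the thread, both entries
# still carrying cluster-id 99 (the mistake the replies point out).
SAMPLE_YAML = """\
af-packet:
  - interface: eth2
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes

  - interface: eth3
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
"""


def parse_af_packet(text):
    """Return the af-packet interface entries as a list of dicts.

    Simplified parser (an assumption of this example): it understands the flat
    'key: value' items Suricata uses under af-packet and rejects tab indentation,
    which YAML does not allow. It is not a general YAML parser.
    """
    entries = []
    in_section = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        leading = raw[: len(raw) - len(raw.lstrip())]
        if "\t" in leading:
            raise ValueError("line %d: tab used for indentation" % lineno)
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(leading)
        if indent == 0:  # top-level key: are we entering/leaving af-packet?
            in_section = line.strip() == "af-packet:"
            continue
        if not in_section:
            continue
        body = line.strip()
        if body.startswith("- "):  # start of a new interface entry
            entries.append({})
            body = body[2:]
        if not entries:
            raise ValueError("line %d: key before any '- interface' item" % lineno)
        key, sep, value = body.partition(":")
        if not sep:
            raise ValueError("line %d: malformed 'key: value' line" % lineno)
        entries[-1][key.strip()] = value.strip()
    return entries


def check_af_packet(entries, cpu_count=None):
    """Return a list of problem strings; an empty list means the section is consistent."""
    problems = []
    seen_ids = {}       # cluster-id -> interface that claimed it first
    seen_ifaces = set()
    total_threads = 0
    for entry in entries:
        iface = entry.get("interface")
        if iface is None:
            problems.append("entry without 'interface' key")
            continue
        if iface in seen_ifaces:
            problems.append("interface %s listed twice" % iface)
        seen_ifaces.add(iface)
        cid = entry.get("cluster-id")
        if cid is None:
            problems.append("%s: missing cluster-id" % iface)
        elif cid in seen_ids:
            problems.append("%s: cluster-id %s already used by %s" % (iface, cid, seen_ids[cid]))
        else:
            seen_ids[cid] = iface
        threads = entry.get("threads", "1")
        if threads.isdigit():  # 'auto' and similar values are simply not counted
            total_threads += int(threads)
    if cpu_count is not None and total_threads > cpu_count:
        problems.append("total threads %d exceeds %d CPUs" % (total_threads, cpu_count))
    return problems


if __name__ == "__main__":
    # Usage: python check_afpacket.py [/etc/suricata/suricata.yaml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_YAML
    found = check_af_packet(parse_af_packet(text), cpu_count=os.cpu_count())
    for p in found:
        print("PROBLEM:", p)
    print("OK" if not found else "%d problem(s)" % len(found))
```

Run without arguments it reports the duplicate cluster-id in the sample; pointed at the real /etc/suricata/suricata.yaml it also compares the summed `threads` values against the machine's CPU count, which is the trade-off Peter mentions when raising the thread count.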

Bartek Mazurczak

Mar 5, 2015, 7:56:40 AM
to se...@googlegroups.com, mazur...@gmail.com, eleb...@stamus-networks.com
Thank you for suggestions,
Currently I have a 6-core virtual machine, but maybe I'll move it to a physical server with 2*4-core CPUs

Now I have bigger problem, elasticsearch suddenly stops working
Here is elasticsearch.log http://pastebin.com/mDkxC2gQ

Eric Leblond

Mar 5, 2015, 8:19:40 AM
to Bartek Mazurczak, se...@googlegroups.com, eleb...@stamus-networks.com
Hello,

On Thu, Mar 5, 2015 at 1:56 PM Bartek Mazurczak <mazur...@gmail.com> wrote:
Thank you for suggestions,
Currently I have a 6-core virtual machine, but maybe I'll move it to a physical server with 2*4-core CPUs

Now I have bigger problem, elasticsearch suddenly stops working
Here is elasticsearch.log http://pastebin.com/mDkxC2gQ

Reading the log it seems you may have an old version of scirius. What version of SELKS are you running? Did you recently do
apt-get update && apt-get dist-upgrade ?
If not, can you do it?

BR,

Bartek Mazurczak

Mar 5, 2015, 8:47:52 AM
to se...@googlegroups.com, mazur...@gmail.com, eleb...@stamus-networks.com
Scirius shows me Scirius v1.0-beta1 in the web GUI

and yes, I can do apt-get update && apt-get dist-upgrade but probably later

Eric Leblond

Mar 5, 2015, 8:51:59 AM
to Bartek Mazurczak, se...@googlegroups.com, eleb...@stamus-networks.com
Hi,

On Thu, Mar 5, 2015 at 2:47 PM Bartek Mazurczak <mazur...@gmail.com> wrote:
Scirius shows me Scirius v1.0-beta1 in the web GUI

Ok, old version. That explains almost all log messages.
 
and yes, I can do apt-get update && apt-get dist-upgrade but probably later

Please do it and follow the information on https://www.stamus-networks.com/2015/02/17/lets-talk-about-selks-1-2/ to upgrade your Elasticsearch.

It should really help to fix stability issues on ES side.

Bartek Mazurczak

Mar 5, 2015, 10:03:11 AM
to se...@googlegroups.com, mazur...@gmail.com, eleb...@stamus-networks.com
I got SELKS 1.2 from scratch using ISO file
Now it looks ok, but how can I verify that it is listening on both interfaces eth2 and eth3?

Eric Leblond

Mar 5, 2015, 10:12:39 AM
to Bartek Mazurczak, se...@googlegroups.com, eleb...@stamus-networks.com
Hi,

On Thu, Mar 5, 2015 at 4:03 PM Bartek Mazurczak <mazur...@gmail.com> wrote:
I got SELKS 1.2 from scratch using ISO file
Now it looks ok, but how can I verify that it is listening on both interfaces eth2 and eth3?

You can run suricatasc as root on SELKS and then use iface-list command. It should display the list of interfaces.

Bartek Mazurczak

Mar 6, 2015, 9:48:21 AM
to se...@googlegroups.com, mazur...@gmail.com, eleb...@stamus-networks.com
Thank you!
Works perfect :)