Some new features have recently reached Suricata’s git tree and will be available in the next development release. I’ve worked on some of them, which I will describe here.
Multi-interface support and new running modes
IDS live mode in suricata (pcap, pf_ring, af_packet) now supports capture on multiple interfaces. The syntax of the YAML configuration file has evolved and it is now possible to set per-interface variables.
For example, it is possible to define the pf_ring configuration with the following syntax, one entry per interface:
- interface: eth4
- interface: eth1
This sets different parameters for each interface. With that configuration, if the user launches suricata with
suricata -c suricata.yaml --pfring
it will be listening on eth4 and eth1, with 8 threads receiving packets on eth4 using flow-based load balancing and 2 threads on eth1.
If you want to run suricata on a single interface, simply do:
suricata -c suricata.yaml --pfring=eth4
This syntax can also be used with the new AF_PACKET acquisition module described below.
New running modes
The running modes have been extended with a new mode, available for af_packet, called workers. This mode starts a configurable number of threads, each doing all the treatment from packet acquisition to logging.
List of running modes
Here is the list of current running modes:
auto: Multi threaded mode (available for all packet acquisition modules)
single: Single threaded mode (available in pcap, pcap file, pfring, af_packet)
workers: Workers mode (available in AF_PACKET and pfring)
autofp: Multi threaded mode. Packets from each flow are assigned to a single detect thread.
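The following suricata.yaml fragment is an added example (not taken from the post or from the Suricata project) that puts the per-interface syntax above together with the workers running mode for both pf_ring and af-packet. Interface names and thread counts follow the post; the cluster-id values are assumed, and each capture section needs its own unique id on a given host.

```yaml
# Added example: per-interface capture configuration for suricata.yaml.
# Top-level running mode; "workers" is listed in the post for af_packet and pfring.
runmode: workers

pfring:
  - interface: eth4
    threads: 8                   # 8 capture threads on eth4, as in the post
    cluster-id: 99               # assumed value, must be unique per interface
    cluster-type: cluster_flow   # flow-based load balancing across the threads
  - interface: eth1
    threads: 2                   # 2 capture threads on eth1
    cluster-id: 98               # assumed value
    cluster-type: cluster_flow

af-packet:
  - interface: eth4
    threads: 8
    cluster-id: 99               # assumed value
    cluster-type: cluster_flow   # load balancing needs the kernel fanout support the post mentions
  - interface: eth1
    threads: 2
    cluster-id: 98               # assumed value
    cluster-type: cluster_flow
```

With this file, `suricata -c suricata.yaml --pfring` or `suricata -c suricata.yaml --af-packet` captures on both interfaces with the thread counts given per entry, while appending `=eth4` to either option restricts the capture to that single interface as the post describes.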
Suricata now supports acquisition via AF_PACKET. This Linux packet acquisition socket has recently evolved and now supports load balancing of the capture on an interface between userspace sockets. This module can be configured as shown at the start of this post. It will run on almost any Linux, but you will need a 3.0 kernel to be able to use the load balancing features. For example, to capture on a single interface:
suricata -c suricata.yaml --af-packet=eth4
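Because af_packet capture works on older kernels while the load balancing does not, it is worth checking the kernel version before relying on the `threads`/`cluster-type` settings. The script below is an added example (not from the post or the Suricata project); it only assumes `uname`, `cut` and `sed` are available and builds the command line rather than starting suricata itself.

```shell
#!/bin/sh
# Added example: verify the running kernel meets the 3.0 requirement the post
# states for af_packet load balancing, then print the single-interface command.

# kernel_at_least_3_0 VERSION -> exit status 0 when major.minor >= 3.0
# Accepts full uname -r strings such as "3.2.0-4-amd64".
kernel_at_least_3_0() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -ge 0 ]
}

# af_packet_cmd IFACE [CONFIG] -> prints the command from the post for one interface
af_packet_cmd() {
    printf 'suricata -c %s --af-packet=%s\n' "${2:-suricata.yaml}" "$1"
}

# Report whether load balancing is usable on this host; does not start suricata.
check_host() {
    k=$(uname -r)
    if kernel_at_least_3_0 "$k"; then
        echo "kernel $k: af_packet load balancing available"
    else
        echo "kernel $k: af_packet capture works, but load balancing needs 3.0+" >&2
    fi
    af_packet_cmd eth4
}
```

Running `check_host` prints the diagnostic and the command line; on a pre-3.0 kernel the multi-thread entries in the af-packet section should be reduced to a single thread per interface, since the per-socket fanout they rely on is not available.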