Some new features have recently reached Suricata's git tree and will be available in the next development release. I've worked on some of them and will describe them here.
Multi interfaces support and new running modes

Configuration update

IDS live mode in suricata (pcap, pf_ring, af_packet) now supports capture on multiple interfaces. The syntax of the YAML configuration file has evolved and it is now possible to set per-interface variables. For example, it is possible to define the pfring configuration with the following syntax:

    pfring:
      - interface: eth4
        threads: 8
        cluster-id: 99
        cluster-type: cluster_flow
      - interface: eth1
        threads: 2
        cluster-id: 98
        cluster-type: cluster_round_robin

This sets different parameters for the eth4 and eth1 interfaces. With that configuration, if the user launches suricata with

    suricata -c suricata.yaml --pfring

it will be listening on both interfaces, with 8 threads receiving packets on eth4 with a flow based load balancing and 2 threads on eth1. If you want to run suricata on a single interface, simply do:

    suricata -c suricata.yaml --pfring=eth4

This syntax can be used with the new AF_PACKET acquisition module described below.
New running modes

The running modes have been extended with a new mode, available for af_packet, called workers. This mode starts a configurable number of threads, each of which does all the processing from packet acquisition to logging.

List of running modes

Here is the list of current running modes:

auto: Multi threaded mode (available for all packet acquisition modules)
single: Single threaded mode (available in pcap, pcap file, pfring, af_packet)
workers: Workers mode (available in AF_PACKET and pfring)
autofp: Multi threaded mode. Packets from each flow are assigned to a single detect thread.
af_packet support

Suricata now supports acquisition via AF_PACKET. This Linux packet acquisition socket has recently evolved and now supports load balancing of the capture on an interface between userspace sockets. This module can be configured as shown at the start of this post. It will run on almost any Linux, but you will need a 3.0 kernel to be able to use the load balancing features.

    suricata -c suricata.yaml --af-packet=eth4
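As an added example (not Suricata's own code) for the per-interface syntax shown at the start of this post and its af-packet counterpart, the following Python script lints such a section before Suricata is started. It assumes the capture section is a flat list of `- key: value` entries under a top-level `pfring:` or `af-packet:` key, reads that shape with a minimal parser instead of PyYAML, and flags a non-positive thread count, a cluster-type other than the two named in this post, and a cluster-id reused across interfaces (assumed here to merge them into one pf_ring cluster).

```python
# Added example: lint the per-interface pfring / af-packet section of a suricata.yaml.
CLUSTER_TYPES = {"cluster_flow", "cluster_round_robin"}  # the two types named in the post

def parse_interfaces(text, section):
    """Return the list of {key: value} dicts under the top-level `section:` key."""
    ifaces, inside = [], False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):                # unindented: a new top-level key
            inside = line.rstrip() == f"{section}:"
        elif inside:
            body = line.strip()
            if body.startswith("- "):               # "- " opens a new interface entry
                ifaces.append({})
                body = body[2:]
            if ifaces:                              # ignore keys before the first "- "
                key, _, value = body.partition(":")
                ifaces[-1][key.strip()] = value.strip()
    return ifaces

def check_interfaces(ifaces):
    """Return human-readable problems; an empty list means the section looks sane."""
    problems, owner = [], {}            # owner maps a cluster-id to the first interface using it
    for entry in ifaces:
        name, threads = entry.get("interface", "?"), entry.get("threads", "1")
        if not threads.isdigit() or int(threads) < 1:
            problems.append(f"{name}: threads must be a positive integer, got {threads!r}")
        ctype, cid = entry.get("cluster-type"), entry.get("cluster-id")
        if ctype is not None and ctype not in CLUSTER_TYPES:
            problems.append(f"{name}: unknown cluster-type {ctype!r}")
        # Assumption: pf_ring sockets sharing a cluster-id join one cluster, so an id reused
        # across interfaces would balance both as if they were a single capture.
        if cid is not None and cid in owner:
            problems.append(f"{name}: cluster-id {cid} already used by {owner[cid]}")
        elif cid is not None:
            owner[cid] = name
    return problems

# Constructed sample: the post's two-interface layout with two mistakes injected on eth1.
SAMPLE = """\
pfring:
  - interface: eth4
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: eth1
    threads: 2
    cluster-id: 99
    cluster-type: cluster_roundrobin
"""
```

Running `check_interfaces(parse_interfaces(SAMPLE, "pfring"))` reports the misspelled cluster-type and the duplicated cluster-id on eth1; the same call with `"af-packet"` returns an empty list because the sample has no such section.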