Some new features have recently reached Suricata's git tree and will be available in the next development release. I've worked on some of them, which I will describe here.
Multi interfaces support and new running modes
Configuration update
IDS live mode in Suricata (pcap, pf_ring, af_packet) now supports capture on multiple interfaces. The syntax of the YAML configuration file has evolved, and it is now possible to set per-interface variables.
For example, it is possible to define the pfring configuration with the following syntax:

pfring:
  - interface: eth4
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: eth1
    threads: 2
    cluster-id: 98
    cluster-type: cluster_round_robin
This sets different parameters for the eth4 and eth1 interfaces. With that configuration, if the user launches Suricata with

suricata -c suricata.yaml --pfring

it will listen on both interfaces, with 8 threads receiving packets on eth4 using flow-based load balancing and 2 threads on eth1.
If you want to run Suricata on a single interface, simply do:

suricata -c suricata.yaml --pfring=eth4
This syntax can also be used with the new AF_PACKET acquisition module described below.
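As an added example (not Suricata's own code), here is a small checker for the per-interface capture section described above. It hand-parses the limited "- interface:" list form shown in the post, so it needs no PyYAML; the sample configuration is constructed from the post's pfring snippet, and treating any cluster-type other than the two the post shows as a typo is an assumption of this example.

```python
# Added example (not Suricata's code): checks the per-interface capture
# section described above. SAMPLE_CONFIG is constructed from the post.
SAMPLE_CONFIG = """\
pfring:
  - interface: eth4
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: eth1
    threads: 2
    cluster-id: 98
    cluster-type: cluster_round_robin
"""
# The two cluster-type values the post shows; assumption: anything else is a typo.
KNOWN_CLUSTER_TYPES = {"cluster_flow", "cluster_round_robin"}

def parse_capture_section(text, section="pfring"):
    # Return one dict per "- interface:" entry found under `section`.
    entries, current, in_section = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw.startswith(" "):  # top-level key such as "pfring:"
            in_section = line == section + ":"
            continue
        if not in_section:
            continue
        if line.startswith("- "):  # start of a new interface entry
            current = {}
            entries.append(current)
            line = line[2:]
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries

def check_capture_config(entries):
    # Return human-readable problems; an empty list means the section looks sane.
    problems, seen_ids = [], {}
    for e in entries:
        iface = e.get("interface", "<missing>")
        if not e.get("threads", "").isdigit() or int(e["threads"]) < 1:
            problems.append(f"{iface}: threads must be a positive integer")
        if e.get("cluster-type") not in KNOWN_CLUSTER_TYPES:
            problems.append(f"{iface}: unknown cluster-type {e.get('cluster-type')!r}")
        cid = e.get("cluster-id")
        if cid in seen_ids:  # two interfaces configured with the same cluster-id
            problems.append(f"{iface}: cluster-id {cid} already used by {seen_ids[cid]}")
        seen_ids.setdefault(cid, iface)
    return problems
```

Running `check_capture_config(parse_capture_section(SAMPLE_CONFIG))` on the post's snippet returns no problems; reusing cluster-id 99 on eth1 or setting its threads to 0 is reported per interface.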
New running modes
The running modes have been extended with a new mode, available for pfring and af_packet, called workers. This mode starts a configurable number of threads, each doing all the processing from packet acquisition to logging.
List of running modes

Here is the list of current running modes:

auto: Multi threaded mode (available for all packet acquisition modules)
single: Single threaded mode (available in pcap, pcap file, pfring, af_packet)
workers: Workers mode (available in AF_PACKET and pfring)
autofp: Multi threaded mode. Packets from each flow are assigned to a single detect thread.
af_packet support
Suricata now supports acquisition via AF_PACKET. This Linux packet acquisition socket has recently evolved and now supports load balancing the capture of an interface between userspace sockets. This module can be configured as shown at the start of this post. It will run on almost any Linux, but you will need a 3.0 kernel to be able to use the load balancing features.
suricata -c suricata.yaml --af-packet=eth4