[Zeek] Running Zeek & Suricata on Same Network Interface

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Fri Apr 19 16:15:04 PDT 2019


Works fine.

I've used a Docker container once for this purpose.  It did fine, but, like
Michal, I don't recommend it.

On Fri, Apr 19, 2019 at 7:10 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> There is no need to use SR-IOV and other fancy features, everything just
> works. Not sure about docker, I don't use that for any production-worthy
> workload (for performance reasons, it corrupts data randomly, etc.).
>
> Just use AF_Packet and use a different cluster_id for each and you will be
> fine. You can even use different number of threads (for Suri) and processes
> (for Zeek).
>
> The first part of SEPTun I wrote with Suricata devs might be useful for
> Zeek as well. And keep asking questions.
>
> https://github.com/pevma/SEPTun
> https://github.com/pevma/SEPTun-Mark-II/blob/master/README.md
>
> Sharing host between Suricata and Zeek is how we run our office sensors.
>
>
>
> On Sat, Apr 20, 2019 at 12:52 AM TQ <nothinrandom at gmail.com> wrote:
>
>> Hello All,
>>
>> Has anyone run Zeek and Suricata (or something similar) off the same
>> network interface, especially via docker?  If yes, did you see any issues
>> at all?  I briefly ran both off the same interface, but wasn't very
>> sure due to minimal traffic.  Is it better to get a fancy Intel NIC with
>> the SR-IOV feature and spawn off virtual interfaces?  Have a great weekend all.
>>
>> Thanks,
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*
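As an added example (not code from the thread or from either project), the two configuration fragments Michał's advice boils down to: Suricata's af-packet section and a Zeek node.cfg worker entry, both capturing from the same NIC but joined to different AF_PACKET fanout groups, plus a small check that the ids really differ. The interface name eth1, the ids 99 and 23, the four workers per sensor, and the use of the zeek-af_packet-plugin are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: Suricata and Zeek sharing one NIC via
# AF_PACKET with *different* fanout group ids, plus a pre-deploy check.
# Assumptions: interface eth1, ids 99 (Suricata) and 23 (Zeek), 4 workers
# each, Zeek's af_packet plugin installed.

IFACE=${IFACE:-eth1}

# Suricata: af-packet section of suricata.yaml (constructed example).
# cluster-id is the kernel PACKET_FANOUT group id Suricata's threads join.
suricata_af_packet() {
    cat <<EOF
af-packet:
  - interface: ${IFACE}
    cluster-id: 99
    cluster-type: cluster_flow
    threads: 4
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
EOF
}

# Zeek: node.cfg worker entry (constructed example). af_packet_fanout_id is
# Zeek's name for the same kernel fanout group id; it must not equal 99.
zeek_node_cfg() {
    cat <<EOF
[worker-1]
type=worker
host=localhost
interface=af_packet::${IFACE}
lb_method=custom
lb_procs=4
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
EOF
}

# Pull the fanout group id each sensor will join out of its config text.
suricata_fanout_id() { suricata_af_packet | sed -n 's/^ *cluster-id: *//p'; }
zeek_fanout_id()     { zeek_node_cfg     | sed -n 's/^af_packet_fanout_id=//p'; }

# Returns 0 if the sensors use distinct fanout groups, 1 if they collide.
# With a shared id the kernel would load-balance each packet to *one* of the
# two sensors' sockets, so neither Suricata nor Zeek would see full traffic.
fanout_ids_distinct() {
    s=$(suricata_fanout_id)
    z=$(zeek_fanout_id)
    [ -n "$s" ] && [ -n "$z" ] && [ "$s" != "$z" ]
}

# Write both fragments into a directory for review before merging them into
# /etc/suricata/suricata.yaml and $ZEEK_PREFIX/etc/node.cfg.
render_configs() {
    dir=$1
    suricata_af_packet > "$dir/suricata-af-packet.yaml"
    zeek_node_cfg      > "$dir/node.cfg"
}

if fanout_ids_distinct; then
    echo "ok: suricata cluster-id $(suricata_fanout_id) != zeek fanout id $(zeek_fanout_id)"
else
    echo "error: fanout group ids collide; change one of them" >&2
fi
```

Run it as `IFACE=enp3s0f0 sh check-fanout.sh` to render for your own capture interface; the thread's other point (no SR-IOV, no docker) needs no configuration at all, since both sensors open ordinary AF_PACKET sockets on the same physical interface and the distinct group ids are what keep each one receiving every packet.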