[Zeek] Running Zeek & Suricata on Same Network Interface

TQ nothinrandom at gmail.com
Fri Apr 19 16:20:14 PDT 2019


Thank you Michal and Patrick!  I learned something new today and will take
a look at your git repo to learn more.  I currently have them both on
docker for easy maintenance (reload if something goes wrong).  Have a great
weekend!

On Fri, Apr 19, 2019 at 4:15 PM Patrick Kelley <
patrick.kelley at criticalpathsecurity.com> wrote:

> Works fine.
>
> I've used a docker container once, for this purpose.  It did fine, but
> like Michal, I don't recommend it.
>
> On Fri, Apr 19, 2019 at 7:10 PM Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>
>> There is no need to use SR-IOV and other fancy features, everything just
>> works. Not sure about docker, I don't use that for any production-worthy
>> workload (for performance reasons, it corrupts data randomly, etc.).
>>
>> Just use AF_Packet and use a different cluster_id for each and you will
>> be fine. You can even use a different number of threads (for Suri) and
>> processes (for Zeek).
>>
>> The first part of SEPTun I wrote with Suricata devs might be useful for
>> Zeek as well. And keep asking questions.
>>
>> https://github.com/pevma/SEPTun
>> https://github.com/pevma/SEPTun-Mark-II/blob/master/README.md
>>
>> Sharing host between Suricata and Zeek is how we run our office sensors.
>>
>>
>>
>> On Sat, Apr 20, 2019 at 12:52 AM TQ <nothinrandom at gmail.com> wrote:
>>
>>> Hello All,
>>>
>>> Has anyone run Zeek and Suricata (or something similar) off from the
>>> same network interface, especially via docker?  If yes, did you see any
>>> issues at all?  I shortly ran both off from the same interface, but wasn't
>>> very sure due to minimum traffic.  Is it better to get a fancy Intel NIC
>>> with SR-IOV feature and spawn off virtual interfaces?  Have a great weekend
>>> all.
>>>
>>> Thanks,
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>
> --
>
> *Patrick Kelley, CISSP, C|EH, ITIL*
> *CTO*
> patrick.kelley at criticalpathsecurity.com
> (o) 770-224-6482
>
> *The limit to which you have accepted being comfortable is the limit to
> which you have grown. Accept new challenges as an opportunity to enrich
> yourself and not as a point of potential failure.*
>
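Michał's advice above is to give Suricata and Zeek different AF_PACKET fanout ids on the shared interface (Suricata's `cluster-id`, the Zeek AF_Packet plugin's `af_packet_fanout_id` in zeekctl's node.cfg). The following check is an added example, not code from the thread or from either project: it reads both configurations and flags any interface on which the two tools would land in the same fanout group. The config fragments are constructed samples, the suricata.yaml reader is a minimal line parser rather than a real YAML parser, and it assumes both tools run in the same network namespace (fanout group ids are scoped per namespace).

```python
import configparser
import re

# Constructed zeekctl node.cfg fragment using the AF_Packet plugin;
# af_packet_fanout_id is the plugin's fanout group id.
ZEEK_NODE_CFG = """
[worker-1]
type=worker
interface=eth1
lb_method=af_packet
af_packet_fanout_id=23
"""

# Constructed af-packet section of suricata.yaml.
SURICATA_YAML = """
af-packet:
  - interface: eth1
    cluster-id: 23
  - interface: eth2
    cluster-id: 24
"""

def zeek_fanout_ids(node_cfg):
    """Map interface -> af_packet_fanout_id for each af_packet worker."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(node_cfg)
    ids = {}
    for name in cp.sections():
        sec = cp[name]
        if sec.get("type") == "worker" and sec.get("lb_method") == "af_packet":
            ids[sec["interface"]] = int(sec["af_packet_fanout_id"])
    return ids

def suricata_cluster_ids(yaml_text):
    """Map interface -> cluster-id (line-based reader, not full YAML)."""
    ids, iface = {}, None
    for line in yaml_text.splitlines():
        m = re.match(r"\s*-\s*interface:\s*(\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s*cluster-id:\s*(\d+)", line)
        if m and iface:
            ids[iface] = int(m.group(1))
    return ids

def fanout_collisions(zeek_ids, suri_ids):
    """Interfaces where both tools share a fanout group: the kernel then
    splits packets between them instead of giving each a full copy."""
    return sorted(i for i in zeek_ids if suri_ids.get(i) == zeek_ids[i])
```

With the sample configs the check reports eth1, since both tools claim fanout id 23 there; giving Zeek a different id on that interface clears it.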