[Zeek] Running Zeek & Suricata on Same Network Interface

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Fri Apr 19 16:23:17 PDT 2019


You are most welcome.

As always, reach out if you have any questions.

On Fri, Apr 19, 2019 at 7:20 PM TQ <nothinrandom at gmail.com> wrote:

> Thank you Michal and Patrick!  I learned something new today and will take
> a look at your git repo to learn more.  I currently have them both on
> docker for easy maintenance (reload if something goes wrong).  Have a great
> weekend!
>
> On Fri, Apr 19, 2019 at 4:15 PM Patrick Kelley <
> patrick.kelley at criticalpathsecurity.com> wrote:
>
>> Works fine.
>>
>> I've used a docker container once, for this purpose.  It did fine, but
>> like Michal, I don't recommend it.
>>
>> On Fri, Apr 19, 2019 at 7:10 PM Michał Purzyński <
>> michalpurzynski1 at gmail.com> wrote:
>>
>>> There is no need to use SR-IOV and other fancy features; everything just
>>> works. Not sure about docker, I don't use that for any production-worthy
>>> workload (for performance reasons, it corrupts data randomly, etc.).
>>>
>>> Just use AF_Packet and use a different cluster_id for each and you will
>>> be fine. You can even use a different number of threads (for Suri) and
>>> processes (for Zeek).
>>>
>>> The first part of SEPTun I wrote with Suricata devs might be useful for
>>> Zeek as well. And keep asking questions.
>>>
>>> https://github.com/pevma/SEPTun
>>> https://github.com/pevma/SEPTun-Mark-II/blob/master/README.md
>>>
>>> Sharing host between Suricata and Zeek is how we run our office sensors.
>>>
>>>
>>>
>>> On Sat, Apr 20, 2019 at 12:52 AM TQ <nothinrandom at gmail.com> wrote:
>>>
>>>> Hello All,
>>>>
>>>> Has anyone run Zeek and Suricata (or something similar) off from the
>>>> same network interface, especially via docker?  If yes, did you see any
>>>> issues at all?  I shortly ran both off from the same interface, but wasn't
>>>> very sure due to minimum traffic.  Is it better to get a fancy Intel NIC
>>>> with the SR-IOV feature and spawn off virtual interfaces?  Have a great weekend
>>>> all.
>>>>
>>>> Thanks,
>>>> _______________________________________________
>>>> Zeek mailing list
>>>> zeek at zeek.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>
>>
>>
>>
>> --
>>
>> *Patrick Kelley, CISSP, C|EH, ITIL*
>> *CTO*
>> patrick.kelley at criticalpathsecurity.com
>> (o) 770-224-6482
>>
>> *The limit to which you have accepted being comfortable is the limit to
>> which you have grown. Accept new challenges as an opportunity to enrich
>> yourself and not as a point of potential failure.*
>>
>>
>>

-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*
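Michał's recommendation above (AF_Packet on one interface, a distinct fanout group per tool) in concrete form, as an added example that is not from any poster in this thread. It writes a Suricata `af-packet` stanza and a zeekctl `node.cfg` worker section for the same interface, then checks that the two fanout ids differ, which is the misconfiguration that would make both tools compete for the same kernel fanout group. The interface name `eth0`, the ids 99 and 23, the thread and process counts, and the temporary file paths are constructed values; the Zeek side assumes the `zeek-af_packet` plugin is installed so that `lb_method=af_packet` is recognised.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): two capture configs for
# the same NIC and a check that their AF_Packet fanout ids do not collide.

IFACE="${IFACE:-eth0}"   # assumption: the monitored interface
WORK="$(mktemp -d)"      # constructed scratch directory for the sample files

# Suricata side: af-packet capture on $IFACE, fanout group 99 (constructed).
cat > "$WORK/suricata-afpacket.yaml" <<EOF
af-packet:
  - interface: $IFACE
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
EOF

# Zeek side: zeekctl node.cfg using the zeek-af_packet plugin, fanout group 23
# (constructed). Four worker processes share the interface via fanout.
cat > "$WORK/node.cfg" <<EOF
[manager]
type=manager
host=localhost

[logger]
type=logger
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=$IFACE
lb_method=af_packet
lb_procs=4
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
EOF

# Pull the fanout id out of each file (first match only).
suricata_cluster_id() { sed -n 's/^[[:space:]]*cluster-id:[[:space:]]*//p' "$1" | head -n 1; }
zeek_fanout_id() { sed -n 's/^af_packet_fanout_id=//p' "$1" | head -n 1; }

# Return 0 when the ids differ, 1 when they collide, 2 when one is missing.
check_fanout_ids() {
  s="$(suricata_cluster_id "$1")"
  z="$(zeek_fanout_id "$2")"
  if [ -z "$s" ] || [ -z "$z" ]; then
    echo "missing fanout id (suricata='$s', zeek='$z')"
    return 2
  fi
  if [ "$s" = "$z" ]; then
    echo "COLLISION: Suricata and Zeek both use fanout id $s on $IFACE"
    return 1
  fi
  echo "ok: suricata cluster-id=$s, zeek af_packet_fanout_id=$z on $IFACE"
  return 0
}

check_fanout_ids "$WORK/suricata-afpacket.yaml" "$WORK/node.cfg"
```

Run it as-is to see the "ok" line, or point `check_fanout_ids` at real `suricata.yaml` and `node.cfg` files before (re)starting either sensor; a non-zero exit is the signal to pick a new id on one side.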