[Zeek] Running Zeek & Suricata on Same Network Interface

Josh Liburdi liburdi.joshua at gmail.com
Sat Apr 20 11:32:26 PDT 2019


I’d prefer to not speak too publicly about it without permission, but
there’s very little config magic involved. Performance increases were the
result of process isolation.

On Fri, Apr 19, 2019 at 6:06 PM Joe Blow <blackhole.em at gmail.com> wrote:

> Have you done any config magic? Docker compose?  What circumstances
> surrounded the performance increase?  I know a bunch of folks swear by pcap
> in containers, but I've never done 10gb+ in docker.
>
> Cheers,
>
> JB
>
> Sent via the BlackBerry Hub for Android
> <http://play.google.com/store/apps/details?id=com.blackberry.hub>
> *From:* liburdi.joshua at gmail.com
> *Sent:* April 19, 2019 7:35 PM
> *To:* patrick.kelley at criticalpathsecurity.com
> *Cc:* nothinrandom at gmail.com; zeek at zeek.org
> *Subject:* Re: [Zeek] Running Zeek & Suricata on Same Network Interface
>
> Not much to add to the conversation except to say that where I work we
> have a large Docker-based deployment and have observed no issues compared
> to our previous bare metal install (in some locations performance
> increased).
>
> On Fri, Apr 19, 2019 at 4:25 PM Patrick Kelley <
> patrick.kelley at criticalpathsecurity.com> wrote:
>
>> You are most welcome.
>>
>> As always, reach out if you have any questions.
>>
>> On Fri, Apr 19, 2019 at 7:20 PM TQ <nothinrandom at gmail.com> wrote:
>>
>>> Thank you Michal and Patrick!  I learned something new today and will
>>> take a look at your git repo to learn more.  I currently have them both on
>>> docker for easy maintenance (reload if something goes wrong).  Have a great
>>> weekend!
>>>
>>> On Fri, Apr 19, 2019 at 4:15 PM Patrick Kelley <
>>> patrick.kelley at criticalpathsecurity.com> wrote:
>>>
>>>> Works fine.
>>>>
>>>> I've used a docker container once, for this purpose.  It did fine, but
>>>> like Michal, I don't recommend it.
>>>>
>>>> On Fri, Apr 19, 2019 at 7:10 PM Michał Purzyński <
>>>> michalpurzynski1 at gmail.com> wrote:
>>>>
>>>>> There is no need to use SR-IOV and other fancy features, everything
>>>>> just works. Not sure about docker, I don't use that for any
>>>>> production-worthy workload (for performance reasons, it corrupts data
>>>>> randomly, etc).
>>>>>
>>>>> Just use AF_Packet and use a different cluster_id for each and you
>>>>> will be fine. You can even use a different number of threads (for Suri) and
>>>>> processes (for Zeek).
>>>>>
>>>>> The first part of SEPTun I wrote with Suricata devs might be useful
>>>>> for Zeek as well. And keep asking questions.
>>>>>
>>>>> https://github.com/pevma/SEPTun
>>>>> https://github.com/pevma/SEPTun-Mark-II/blob/master/README.md
>>>>>
>>>>> Sharing host between Suricata and Zeek is how we run our office
>>>>> sensors.
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Apr 20, 2019 at 12:52 AM TQ <nothinrandom at gmail.com> wrote:
>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> Has anyone run Zeek and Suricata (or something similar) off from the
>>>>>> same network interface; especially via docker?  If yes, did you see any
>>>>>> issues at all?  I briefly ran both off from the same interface, but wasn't
>>>>>> very sure due to minimal traffic.  Is it better to get a fancy Intel NIC
>>>>>> with the SR-IOV feature and spawn off virtual interfaces?  Have a great weekend
>>>>>> all.
>>>>>>
>>>>>> Thanks,
>>>>>> _______________________________________________
>>>>>> Zeek mailing list
>>>>>> zeek at zeek.org
>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Patrick Kelley, CISSP, C|EH, ITIL*
>>>> *CTO*
>>>> patrick.kelley at criticalpathsecurity.com
>>>> (o) 770-224-6482 <7702246482>
>>>>
>>>> *The limit to which you have accepted being comfortable is the limit to
>>>> which you have grown. Accept new challenges as an opportunity to enrich
>>>> yourself and not as a point of potential failure.*
>>>>
>>>>
>>>>
>>
>
>
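Michał's advice above (AF_PACKET on the shared interface with a different cluster_id per tool) is worth checking mechanically: two sockets that join the same kernel fanout group on one interface with the same fanout mode (Suricata's cluster_flow and Zeek's FANOUT_HASH both map to PACKET_FANOUT_HASH) split the packets between them instead of each receiving every packet, so a colliding id silently costs each sensor part of its visibility. The check below is an added example, not code from the thread; the suricata.yaml keys are Suricata's real af-packet keys, the node.cfg keys are those of the Zeek AF_PACKET plugin, and the interface name and id values are constructed samples.

```python
import configparser

# Constructed sample af-packet section of suricata.yaml (real key names:
# interface, threads, cluster-id, cluster-type; the values are made up).
SURICATA_YAML = """\
af-packet:
  - interface: eth0
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow
"""

# Constructed sample zeekctl node.cfg for the Zeek AF_PACKET plugin
# (af_packet_fanout_id / af_packet_fanout_mode are the plugin's own keys).
ZEEK_NODE_CFG = """\
[worker-1]
type=worker
host=localhost
interface=af_packet::eth0
lb_method=custom
lb_procs=4
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
"""

def suricata_fanout_ids(yaml_text):
    """interface -> cluster-id, via a tiny line parser for this flat layout (no YAML dependency)."""
    ids, iface = {}, None
    for line in yaml_text.splitlines():
        key, _, val = line.strip().lstrip("- ").partition(":")
        if key == "interface":
            iface = val.strip()
        elif key == "cluster-id" and iface:
            ids[iface] = int(val)
    return ids

def zeek_fanout_ids(cfg_text):
    """interface -> af_packet_fanout_id for every af_packet:: worker in node.cfg."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    ids = {}
    for sect in cfg.sections():
        iface = cfg[sect].get("interface", "")
        if iface.startswith("af_packet::") and "af_packet_fanout_id" in cfg[sect]:
            ids[iface.split("::", 1)[1]] = cfg[sect].getint("af_packet_fanout_id")
    return ids

def fanout_conflicts(suri, zeek):
    """Interfaces where both tools would join one fanout group and split the packets."""
    return sorted(i for i in suri if i in zeek and suri[i] == zeek[i])
```

Run it against the two real files before restarting either sensor; an empty result from fanout_conflicts means each tool gets its own fanout group and a full copy of the traffic.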