[Zeek] Running Zeek & Suricata on Same Network Interface

ivan ninichuck ipninichuck at gmail.com
Sun Apr 21 21:11:16 PDT 2019


For learning more about using these tools at scale in a container
environment, take a look at this video from last year's convention.
https://www.youtube.com/watch?v=jFT5QV6pft0

On Sat, Apr 20, 2019 at 1:40 PM Joe Blow <blackhole.em at gmail.com> wrote:

> You should get permission then, especially if there is very little
> (proprietary) magic involved.  You brought this up publicly, not me. We're
> all just trying to better the community as a whole. If you learned
> something useful about optimizing open source network capture software via
> docker, I'm sure I'm not the only person who is interested in exactly how.
>
> Cheers,
>
> JB
>
> On Sat, Apr 20, 2019 at 2:32 PM Josh Liburdi <liburdi.joshua at gmail.com>
> wrote:
>
>> I’d prefer to not speak too publicly about it without permission, but
>> there’s very little config magic involved. Performance increases were the
>> result of process isolation.
>>
>> On Fri, Apr 19, 2019 at 6:06 PM Joe Blow <blackhole.em at gmail.com> wrote:
>>
>>> Have you done any config magic? Docker compose?  What circumstances
>>> surrounded the performance increase?  I know a bunch of folks swear by pcap
>>> in containers, but I've never done 10gb+ in docker.
>>>
>>> Cheers,
>>>
>>> JB
>>>
>>> *From:* liburdi.joshua at gmail.com
>>> *Sent:* April 19, 2019 7:35 PM
>>> *To:* patrick.kelley at criticalpathsecurity.com
>>> *Cc:* nothinrandom at gmail.com; zeek at zeek.org
>>> *Subject:* Re: [Zeek] Running Zeek & Suricata on Same Network Interface
>>>
>>> Not much to add to the conversation except to say that where I work we
>>> have a large Docker-based deployment and have observed no issues compared
>>> to our previous bare metal install (in some locations performance
>>> increased).
>>>
>>> On Fri, Apr 19, 2019 at 4:25 PM Patrick Kelley <
>>> patrick.kelley at criticalpathsecurity.com> wrote:
>>>
>>>> You are most welcome.
>>>>
>>>> As always, reach out if you have any questions.
>>>>
>>>> On Fri, Apr 19, 2019 at 7:20 PM TQ <nothinrandom at gmail.com> wrote:
>>>>
>>>>> Thank you Michal and Patrick!  I learned something new today and will
>>>>> take a look at your git repo. to learn more.  I currently have them both on
>>>>> docker for easy maintenance (reload if something goes wrong).  Have a great
>>>>> weekend!
>>>>>
>>>>> On Fri, Apr 19, 2019 at 4:15 PM Patrick Kelley <
>>>>> patrick.kelley at criticalpathsecurity.com> wrote:
>>>>>
>>>>>> Works fine.
>>>>>>
>>>>>> I've used a docker container once, for this purpose.  It did fine,
>>>>>> but like Michal, I don't recommend it.
>>>>>>
>>>>>> On Fri, Apr 19, 2019 at 7:10 PM Michał Purzyński <
>>>>>> michalpurzynski1 at gmail.com> wrote:
>>>>>>
>>>>>>> There is no need to use SR-IOV and other fancy features, everything
>>>>>>> just works. Not sure about docker, I don't use that for any
>>>>>>> production-worthy workload (for performance reasons, it corrupts data
>>>>>>> randomly, etc).
>>>>>>>
>>>>>>> Just use AF_Packet and use a different cluster_id for each and you
>>>>>>> will be fine. You can even use a different number of threads (for Suri)
>>>>>>> and processes (for Zeek).
>>>>>>>
>>>>>>> The first part of SEPTun I wrote with Suricata devs might be useful
>>>>>>> for Zeek as well. And keep asking questions.
>>>>>>>
>>>>>>> https://github.com/pevma/SEPTun
>>>>>>> https://github.com/pevma/SEPTun-Mark-II/blob/master/README.md
>>>>>>>
>>>>>>> Sharing host between Suricata and Zeek is how we run our office
>>>>>>> sensors.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Apr 20, 2019 at 12:52 AM TQ <nothinrandom at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hello All,
>>>>>>>>
>>>>>>>> Has anyone run Zeek and Suricata (or something similar) off from
>>>>>>>> the same network interface; especially via docker?  If yes, did you see any
>>>>>>>> issues at all?  I shortly ran both off from the same interface, but wasn't
>>>>>>>> very sure due to minimum traffic.  Is it better to get a fancy Intel NIC
>>>>>>>> with SR-IOV feature and spawn off virtual interfaces?  Have a great weekend
>>>>>>>> all.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> _______________________________________________
>>>>>>>> Zeek mailing list
>>>>>>>> zeek at zeek.org
>>>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> *Patrick Kelley, CISSP, C|EH, ITIL*
>>>>>> *CTO*
>>>>>> patrick.kelley at criticalpathsecurity.com
>>>>>> (o) 770-224-6482
>>>>>>
>>>>>> *The limit to which you have accepted being comfortable is the limit
>>>>>> to which you have grown. Accept new challenges as an opportunity to enrich
>>>>>> yourself and not as a point of potential failure.*
>>>>>>
>>>>>>
>>>>>>
>>>>



-- 
Ivan Paul Ninichuck
714-388-9614
ipninichuck at gmail.com
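Michał's advice above (one AF_PACKET fanout group per tool, each with its own cluster id, and independent thread and process counts) is easy to get wrong by copy-pasting the same id into both configs, which would silently make Suricata and Zeek members of one fanout group and split the traffic between them. The following is an added example, not code from the thread or from either project: it writes a minimal Suricata af-packet section and a Zeek node.cfg for a shared interface and then checks that the two fanout ids differ. The interface name eth0, the ids 99 and 23, and the thread and process counts are constructed values; the Zeek keys follow the zeek-af_packet-plugin node.cfg syntax (built into Zeek since 5.0), and the Suricata keys are the standard af-packet options.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): Suricata and Zeek sharing
# one interface via AF_PACKET, each in its own fanout group.
# Assumptions: interface eth0 (override with IFACE), Suricata af-packet
# capture, Zeek af_packet packet source. Ids 99/23 are constructed values.

IFACE="${IFACE:-eth0}"
OUTDIR="${OUTDIR:-$(mktemp -d)}"

# Suricata: af-packet section of suricata.yaml. threads is Suricata's own
# worker count and has nothing to do with Zeek's lb_procs.
write_suricata_afpacket() {
  cat > "$OUTDIR/suricata-af-packet.yaml" <<EOF
%YAML 1.1
---
af-packet:
  - interface: $IFACE
    threads: 8                 # Suricata worker threads
    cluster-id: 99             # fanout group id; must differ from Zeek's
    cluster-type: cluster_flow # flow-hash load balancing across threads
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
EOF
}

# Zeek: node.cfg for zeekctl. lb_method=custom hands load balancing to the
# af_packet packet source; af_packet_fanout_id is this cluster's group id.
write_zeek_node_cfg() {
  cat > "$OUTDIR/node.cfg" <<EOF
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=af_packet::$IFACE
lb_method=custom
lb_procs=4
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
EOF
}

# Extract both fanout ids and fail (non-zero) if either is missing or they
# are equal, i.e. if both tools would join the same kernel fanout group.
check_distinct_fanout_ids() {
  suri_id=$(sed -n 's/^[[:space:]]*cluster-id:[[:space:]]*\([0-9]*\).*/\1/p' \
    "$OUTDIR/suricata-af-packet.yaml")
  zeek_id=$(sed -n 's/^af_packet_fanout_id=\([0-9]*\).*/\1/p' "$OUTDIR/node.cfg")
  echo "suricata cluster-id=$suri_id zeek af_packet_fanout_id=$zeek_id"
  [ -n "$suri_id" ] && [ -n "$zeek_id" ] && [ "$suri_id" != "$zeek_id" ]
}

write_suricata_afpacket
write_zeek_node_cfg
check_distinct_fanout_ids && echo "ok: configs written to $OUTDIR"
```

The check is worth keeping as a pre-start step on a sensor: a shared fanout id does not produce an error from either tool, it just makes each one see roughly half of the flows, which is indistinguishable from low traffic until you compare conn.log against Suricata's flow counts.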