English Forums > Intrusion Detection and Prevention

LACP LAGG + Suricata


dave:
If you've got a LAGG interface, would you run Suricata on the parent interfaces in promisc mode, or the LAGG in promisc mode?

mimugmail:
Shouldn't it be on lagg without promisc when not using VLANs?

franco:
I think running on LAGG is the way to go since we have native support for it, but Murat et al. would know best...

Cheers,
Franco
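To illustrate why the placement question matters, here is an added example that is not code from this thread, from OPNsense or from Suricata. It is a toy model of LACP member selection: each end of a LAG (the firewall and the switch) picks the member link for the frames it transmits using its own hash policy, so the two directions of one flow are chosen independently. The two policies below (a source-endpoint-only policy and a symmetric one) are simplified stand-ins, not lagg(4)'s or any switch's real hash, and the flows are constructed sample data.

```python
"""Toy model of how LACP member selection affects a per-member IDS capture.

Added example, not from the OPNsense thread. The hash policies are
simplified stand-ins for whatever lagg(4) and the upstream switch use;
the point is only that the two ends choose the member link independently.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    """One direction of a TCP/UDP flow, identified by its 4-tuple."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

    def reverse(self) -> "Packet":
        """The reply direction of the same flow."""
        return Packet(self.dst_ip, self.src_ip, self.dst_port, self.src_port)


HashPolicy = Callable[[Packet, int], int]


def _ip_key(ip: str) -> int:
    # Toy reduction of a dotted-quad address to an integer (sum of octets).
    return sum(int(octet) for octet in ip.split("."))


def src_only_hash(pkt: Packet, members: int) -> int:
    """Toy 'source endpoint' policy: direction-asymmetric by construction,
    because the source of the request is the destination of the reply."""
    return (_ip_key(pkt.src_ip) + pkt.src_port) % members


def symmetric_hash(pkt: Packet, members: int) -> int:
    """Toy symmetric policy: addition commutes, so both directions of a flow
    hash to the same member no matter which end computes it."""
    return (_ip_key(pkt.src_ip) + pkt.src_port
            + _ip_key(pkt.dst_ip) + pkt.dst_port) % members


def member_view(flow: Packet, members: int,
                firewall: HashPolicy, switch: HashPolicy) -> Dict[int, List[str]]:
    """Which member link each direction arrives on, i.e. what a Suricata
    instance bound to that single member interface would see."""
    view: Dict[int, List[str]] = {m: [] for m in range(members)}
    view[firewall(flow, members)].append("request")          # firewall transmits request
    view[switch(flow.reverse(), members)].append("reply")    # switch transmits reply
    return view


def split_flows(flows: List[Packet], members: int,
                firewall: HashPolicy, switch: HashPolicy) -> List[Packet]:
    """Flows whose two directions land on different members. A capture on the
    aggregate (lagg0) sees both directions regardless; a capture on one member
    sees only half of each flow listed here."""
    return [f for f in flows
            if len([m for m, dirs in member_view(f, members, firewall, switch).items()
                    if dirs]) > 1]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Packet("10.0.0.5", "1.2.3.4", 50001, 443),
    Packet("10.0.0.5", "1.2.3.4", 50002, 443),
    Packet("10.0.0.7", "93.184.216.34", 40000, 80),
]

if __name__ == "__main__":
    for name, fw, sw in [("src-only/src-only", src_only_hash, src_only_hash),
                         ("symmetric/symmetric", symmetric_hash, symmetric_hash)]:
        split = split_flows(SAMPLE_FLOWS, 2, fw, sw)
        print(f"{name}: {len(split)} of {len(SAMPLE_FLOWS)} flows split across members")
        for f in split:
            print("  ", f, "->", member_view(f, 2, fw, sw))
```

With the asymmetric policy on either end, a per-member Suricata instance receives only one direction of some flows, which is the case the LAGG-level capture avoids; the model says nothing about the CPU cost or the crash discussed later in the thread.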

dave:
I am using VLANs.
Judging from top and Suricata's logs, it's filtering the parent interfaces. It also uses a lot less CPU time compared to running it on the LAGG.
However, I was torrenting (Ubuntu... obviously) and the LAGG collapsed and OPNsense died; I had to cycle the power.
I've looked through the logs but, tbh, nothing stood out; I'm not sure what words to filter with or where to start.
I'm running the ET Pro Tele rule-sets, but I've only got a few enabled.

dave:
Update on this. My internet connection keeled over just now. I logged in to the GUI to find a huge memory leak, so I had to cycle the power, as even a reboot via serial wasn't working.

Logged back in and thought I'd try switching Suricata from the igb's to lagg0, and found I can reliably get OPNsense to completely die within a minute with Suricata on the lagg.

I've got a copy of PuTTY's output if anyone's interested.
