As of securityonion-setup - 20120912-0ubuntu0securityonion285, running Setup will configure Suricata and Bro to use AF_PACKET. (Snort will continue to use PF_RING for load balancing until Snort 3.0 is released.)
If you want to change the number of AF_PACKET workers after running Setup, you can do the following.
- Stop sensor processes:
- Edit /etc/nsm/$HOSTNAME-$INTERFACE/sensor.conf and change the IDS_LB_PROCS variable to the desired number of cores.
- Start sensor processes:
so-suricata-start automatically copies $IDS_LB_PROCS into suricata.yaml and then Suricata creates the appropriate number of AF_PACKET workers.
For Bro, you would do the following:
- Stop bro:
- Edit /opt/bro/etc/node.cfg and change the lb_procs variable to the desired number of cores.
- Start bro:
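
The edit step in both procedures can be scripted so that a bad worker count never reaches the config. The following is an added example, not part of the original page or of Security Onion's own tooling. It assumes each file stores the setting as KEY=value on its own line; set_worker_count and MAX_WORKERS are hypothetical names, and the demo runs on constructed copies rather than the real files.

```shell
#!/bin/sh
# set_worker_count FILE KEY COUNT
# Rewrites every "KEY=<anything>" line in FILE to "KEY=COUNT".
# Returns 0 on success, 1 for an invalid COUNT, 2 if FILE or KEY is missing.
# Assumption: the setting is written as KEY=value with no spaces around '='.
set_worker_count() {
    file=$1; key=$2; count=$3

    # Accept only a positive decimal integer without leading zeros, so shell
    # metacharacters or stray text can never be written into the config.
    case $count in
        ''|*[!0-9]*|0*) return 1 ;;
    esac

    # Do not allow more workers than online CPUs.
    # MAX_WORKERS is a hypothetical override used to make the demo repeatable.
    cpus=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
    [ "$count" -le "${MAX_WORKERS:-$cpus}" ] || return 1

    [ -r "$file" ] || return 2
    grep -q "^${key}=" "$file" || return 2

    # Keep a backup, build the new content in a temp file, then write it
    # through the original inode so ownership and mode are unchanged.
    cp -p "$file" "$file.bak" || return 2
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    sed "s/^${key}=.*/${key}=${count}/" "$file.bak" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on constructed files standing in for sensor.conf and node.cfg.
demo_dir=$(mktemp -d)
printf 'IDS_LB_PROCS=1\n' > "$demo_dir/sensor.conf"
printf '[worker-1]\nlb_procs=1\n' > "$demo_dir/node.cfg"
MAX_WORKERS=8
set_worker_count "$demo_dir/sensor.conf" IDS_LB_PROCS 4 && cat "$demo_dir/sensor.conf"
set_worker_count "$demo_dir/node.cfg" lb_procs 4 && cat "$demo_dir/node.cfg"
set_worker_count "$demo_dir/node.cfg" lb_procs 'x;y' || echo "rejected invalid count"
rm -rf "$demo_dir"
```

Run it between the stop and start steps listed above, pointing FILE at the real path only after checking the result on a copy.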