AF PACKET

doug edited this page Feb 12, 2019 · 6 revisions

Please note! We are migrating our documentation to https://securityonion.net/docs/. You can find the latest version of this page at: https://securityonion.net/docs/AF-PACKET.

Setup

Starting with securityonion-setup version 20120912-0ubuntu0securityonion285, running Setup configures Suricata and Bro to use AF_PACKET. (Snort will continue to use PF_RING for load balancing until Snort 3.0 is released.)

Tuning

If you want to change the number of AF_PACKET workers after running Setup, you can do the following. Keep the worker count at or below the number of cores available to the sensor; more workers than cores only adds scheduling overhead.

Suricata

  • Stop sensor processes:
    sudo so-suricata-stop
  • Edit /etc/nsm/$HOSTNAME-$INTERFACE/sensor.conf and change the IDS_LB_PROCS variable to the desired number of cores.
  • Start sensor processes:
    sudo so-suricata-start

so-suricata-start automatically copies $IDS_LB_PROCS into suricata.yaml and then Suricata creates the appropriate number of AF_PACKET workers.

Bro

For Bro, you would do the following:

  • Stop bro:
    sudo so-bro-stop
  • Edit /opt/bro/etc/node.cfg and change the lb_procs variable to the desired number of cores.
  • Start bro:
    sudo so-bro-start
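
The two procedures above (Suricata's IDS_LB_PROCS in sensor.conf and Bro's lb_procs in node.cfg) are the same stop, edit, start sequence around a one-line config change. The script below is an added example, not Security Onion's own code: it wraps both procedures, refuses a worker count that is not a positive integer or exceeds the available cores, and restarts the sensor if the edit is refused so it is never left stopped. The so-*-stop/start scripts and config paths are from this page; the function names (set_lb_procs, get_lb_procs, retune_suricata, retune_bro, detect_cores) and the sample sensor.conf and node.cfg fragments are constructed for the example.

```shell
#!/bin/sh
# Added example, not Security Onion's own code: change the AF_PACKET worker
# count for Suricata (IDS_LB_PROCS in sensor.conf) or Bro (lb_procs in
# node.cfg) safely. The so-*-stop/start scripts and config paths come from
# the wiki page; the function names and sample files are constructed here.

# Core count, with fallbacks for systems lacking nproc (assumed 1 if neither works).
detect_cores() {
    nproc 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1
}

# set_lb_procs FILE KEY N: rewrite the active "KEY=..." line in FILE to "KEY=N".
# Refuses (and leaves FILE untouched) if N is not a positive integer, if N
# exceeds the core count, or if FILE has no active KEY= line. The ^ anchor
# means commented-out lines such as "#KEY=8" are neither matched nor changed.
set_lb_procs() {
    file=$1; key=$2; n=$3
    case $n in
        ''|*[!0-9]*|0) echo "refusing: '$n' is not a positive integer" >&2; return 1 ;;
    esac
    cores=$(detect_cores)
    if [ "$n" -gt "$cores" ]; then
        echo "refusing: $n workers but only $cores cores" >&2; return 1
    fi
    grep -q "^${key}=" "$file" || { echo "refusing: no ${key}= line in $file" >&2; return 1; }
    # Write to a temp file and move it into place so a failure never leaves a truncated config.
    sed "s/^${key}=.*/${key}=${n}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_lb_procs FILE KEY: print the current value of the active KEY= line.
get_lb_procs() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# The two procedures from the page, wrapped as stop, edit, start. If the edit is
# refused, the sensor is started again so a typo does not leave it down.
# SENSOR is the $HOSTNAME-$INTERFACE directory name under /etc/nsm.
retune_suricata() {   # usage: retune_suricata SENSOR N
    sudo so-suricata-stop
    set_lb_procs "/etc/nsm/$1/sensor.conf" IDS_LB_PROCS "$2" || { sudo so-suricata-start; return 1; }
    sudo so-suricata-start
}
retune_bro() {        # usage: retune_bro N
    sudo so-bro-stop
    set_lb_procs /opt/bro/etc/node.cfg lb_procs "$1" || { sudo so-bro-start; return 1; }
    sudo so-bro-start
}

# Self-check on constructed copies of the two files; no sensor processes are touched.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sensor.conf" <<'EOF'
# constructed sensor.conf fragment
#IDS_LB_PROCS=8
IDS_LB_PROCS=2
EOF
cat > "$demo_dir/node.cfg" <<'EOF'
# constructed node.cfg fragment
[manager]
type=manager
host=localhost

[worker-eth1]
type=worker
host=localhost
interface=eth1
lb_procs=1
EOF

cores=$(detect_cores)
set_lb_procs "$demo_dir/sensor.conf" IDS_LB_PROCS "$cores"
set_lb_procs "$demo_dir/node.cfg" lb_procs "$cores"
# Both of these must be refused and leave the files unchanged.
if set_lb_procs "$demo_dir/sensor.conf" IDS_LB_PROCS "$((cores + 1))"; then echo "BUG: oversubscription accepted"; fi
if set_lb_procs "$demo_dir/node.cfg" lb_procs abc; then echo "BUG: junk value accepted"; fi
echo "Suricata workers: $(get_lb_procs "$demo_dir/sensor.conf" IDS_LB_PROCS)"
echo "Bro workers:      $(get_lb_procs "$demo_dir/node.cfg" lb_procs)"
```

On a real sensor you would call retune_suricata "$HOSTNAME-$INTERFACE" 4 or retune_bro 4 instead of the self-check; the self-check only edits the constructed copies in a temporary directory.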