This repository has been archived by the owner on Apr 16, 2021. It is now read-only.
AF PACKET
doug edited this page Aug 27, 2019
·
7 revisions
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/AF-PACKET.
Starting in securityonion-setup - 20120912-0ubuntu0securityonion285, running Setup will configure Suricata and Bro to use AF_PACKET. (Snort will continue to use PF_RING for load balancing until Snort 3.0 is released.)
If you want to change the number of AF_PACKET workers after running Setup, you can do the following.
- Stop sensor processes:
sudo so-suricata-stop - Edit
/etc/nsm/$HOSTNAME-$INTERFACE/sensor.confand change theIDS_LB_PROCSvariable to desired number of cores. - Start sensor processes:
sudo so-suricata-start
so-suricata-start automatically copies $IDS_LB_PROCS into suricata.yaml and then Suricata creates the appropriate number of AF_PACKET workers.
For Bro, you would do the following:
- Stop bro:
sudo so-bro-stop - Edit
/opt/bro/etc/node.cfgand change thelb_procsvariable to the desired number of cores.
- Start bro:
sudo so-bro-start
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs