Running Zeek & Suricata on Same Network Interface

Zeek
1

Hello All,

Has anyone ran Zeek and Suricata (or something similar) off from the same network interface; especially via docker? If yes, did you see any issues at all? I shortly ran both off from the same interface, but wasn’t very sure due to minimum traffic. Is it better to get a fancy Intel NIC with SR-IOV feature and spawn off virtual interfaces? Have a great weekend all.

Thanks,

2

There is no need to use SR-IOV and other fancy features, everything just works. Not sure about docker, I don’t use that for any production-worthy workload (for performance reasons, it corrupts data randomly, etc).

Just use AF_Packet and use a different cluster_id for each and you will be fine. You can even use different number of threads (for Suri) and processes (for Zeek).

The first part of SEPTun I wrote with Suricata devs might be useful for Zeek as well. And keep asking questions.

https://github.com/pevma/SEPTun

https://github.com/pevma/SEPTun-Mark-II/blob/master/README.md

Sharing host between Suricata and Zeek is how we run our office sensors.

3

Works fine.

I’ve used a docker container once, for this purpose. It did fine, but like Michal, I don’t recommend it.

4

Thank you Michal and Patrick! I learned something new today and will take a look at your git repo. to learn more. I currently have them both on docker for easy maintenance (reload if something goes wrong). Have a great weekend!

5

You are most welcome.

As always, reach out if you have any questions.

6

Not much to add to the conversation except to say that where I work we have a large Docker-based deployment and have observed no issues compared to our previous bare metal install (in some locations performance increased).

7

Have you done any config magic? Docker compose? What circumstances surrounded the performance increase? I know a bunch of folks swear by pcap in containers, but I’ve never done 10gb+ in docker.

Cheers,

JB



From: liburdi.joshua@gmail.com
Sent: April 19, 2019 7:35 PM
To: patrick.kelley@criticalpathsecurity.com
Cc: nothinrandom@gmail.com; zeek@zeek.org
Subject: Re: [Zeek] Running Zeek & Suricata on Same Network Interface

|

  • |

Not much to add to the conversation except to say that where I work we have a large Docker-based deployment and have observed no issues compared to our previous bare metal install (in some locations performance increased).

8

I’d prefer to not speak too publicly about it without permission, but there’s very little config magic involved. Performance increases were the result of process isolation.

9

You should get permission then, especially if there is very little (proprietary) magic involved. You brought this up publicly, not me. We’re all just trying to better the community as a whole. If you learned something useful about optimizing open source network capture software via docker. I’m sure I’m not the only person who is interested in exactly how.

Cheers,

JB

10

For learning more about using these tools at scale in a container environment take a look at this video from last years convention. https://www.youtube.com/watch?v=jFT5QV6pft0