Feature #1750

open

Set Suricata to listen to all network interfaces when using AF_PACKET

Added by Lars Kulseng over 5 years ago. Updated over 2 years ago.

Status: New
Priority: Normal
Target version:
Effort: medium
Difficulty: medium
Label:

Description

In a scenario where you have a lot of network interfaces, and not enough resources to start a Suricata instance for each interface, it would be beneficial to allow Suricata to listen to all ports at once.

This can be achieved by setting sll.sll_ifindex to 0 before binding to the interface with bind() [1]. When reading from the ring buffer, each frame will have the sockaddr_ll struct inside it, allowing for extraction of the interface that the frame came in on. [2]

[1] http://man7.org/linux/man-pages/man2/bind.2.html
[2] https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt
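
Added example, not part of the original ticket and not Suricata code: a C sketch of the approach described above, binding an AF_PACKET socket with sll_ifindex = 0 and reading the ingress interface from the sockaddr_ll stored in each ring frame. It assumes TPACKET_V2, all function names are hypothetical, and the PACKET_RX_RING/mmap setup is left out.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open an AF_PACKET socket bound with sll_ifindex = 0 (any interface).
 * Needs CAP_NET_RAW. Returns the socket, or -1 on error. */
int open_any_iface_socket(void)
{
    struct sockaddr_ll sll;
    int ver = TPACKET_V2;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

    if (fd < 0)
        return -1;
    memset(&sll, 0, sizeof(sll));
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = 0;                /* 0 = match every interface */
    if (setsockopt(fd, SOL_PACKET, PACKET_VERSION, &ver, sizeof(ver)) < 0 ||
        bind(fd, (struct sockaddr *)&sll, sizeof(sll)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Ingress interface of one TPACKET_V2 ring frame: the kernel stores a
 * struct sockaddr_ll right after the 16-byte-aligned tpacket2_hdr.
 * Returns -1 while the frame is still owned by the kernel. */
int frame_ifindex(const void *frame)
{
    struct tpacket2_hdr hdr;
    struct sockaddr_ll sll;

    memcpy(&hdr, frame, sizeof(hdr));
    if (!(hdr.tp_status & TP_STATUS_USER))
        return -1;
    memcpy(&sll, (const char *)frame + TPACKET_ALIGN(sizeof(hdr)), sizeof(sll));
    return sll.sll_ifindex;
}

/* Build a constructed frame (not captured traffic) and parse it back. */
int sample_frame_ifindex(int ifindex, unsigned status)
{
    unsigned char buf[TPACKET2_HDRLEN] = {0};
    struct tpacket2_hdr hdr = { .tp_status = status };
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_ifindex = ifindex };

    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + TPACKET_ALIGN(sizeof(hdr)), &sll, sizeof(sll));
    return frame_ifindex(buf);
}
```

The value returned by frame_ifindex() can be passed to if_indextoname() to get the interface name for per-interface logging or rule selection.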

Actions #1

Updated by Victor Julien over 5 years ago

  • Target version set to TBD
Actions #2

Updated by Victor Julien over 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Eric Leblond
Actions #3

Updated by Eric Leblond about 3 years ago

  • Assignee changed from Eric Leblond to Anonymous
Actions #4

Updated by Victor Julien about 3 years ago

  • Status changed from Assigned to New
  • Effort set to medium
  • Difficulty set to medium
Actions #5

Updated by Andreas Herz over 2 years ago

  • Assignee set to Community Ticket