Hello,
here’s my scenario:
I have a Kubernetes cluster with Calico as CNI, so it creates a caliXXXX interface for every pod added to a node.
I continuously monitor for newly added interfaces, for example because of a new pod added and so on.
Now, here’s the problem: is there a way to reload Suricata in order to add the new interfaces to be monitored, possibly while keeping the engine listening to the old interfaces during the reload?
Thanks in advance!
Could it be done with multi-tenancy registration ? cf 10.4. Multi Tenancy — Suricata 6.0.0 documentation
Hey, thanks for your answer!
From the docs page you linked, i read
For live traffic currently only a vlan based multi-tenancy is supported.
Is this possible anyway?
Maybe it works even if there is no vlan (because it just reloads the configuration)
That is what I would try…
Unfortunately, i had no luck.
What i did is:
suricata.yaml file i added the multi-detect section. Then, I started suricata with --af-packet option.suricata.yaml file adding in the af-packet section the interface i wanted to start monitoringsuricatasc -c "register-tenant 1 tenant1.yaml", and i received this kind of message: {"message": "adding tenant succeeded", "return": "OK"}
eve.json file nothing refers to that interface.So, looks like this is not possible yet cf Does Suricata monitor suricata.yaml for changes? - #2 by vjulien
A pull request is welcome if you can