Suricata anda Port Mirroring

Diego_Valdes_Fernand · November 26, 2024, 3:01pm

Hello Suricata community,

I am designing a network where I need to implement Suricata to monitor multiple subnets. I have the option of setting up multiple Suricata instances, each in a subnet with port mirroring configured on the corresponding switches, or using a single Suricata instance with multiple network interfaces capturing traffic from all subnets through port mirroring on a central switch. I would like to know which option is better in terms of performance, scalability, and ease of management. Additionally, I’d like to understand the potential impacts on traffic analysis and how to handle issues like bandwidth saturation if the monitoring is concentrated on a single server.

Any help or guidance is greatly appreciated!

Jeff_Lucovsky · November 27, 2024, 3:32pm

Hi,

Many factors affect the different deployment options, centralized or distributed.

Some of them are:

performance expectations: bandwidth rates at distributed locations vs. centralizing
platform/machine resources: CPU, core count, memory, disk, NIC
Number of systems: small numbers of suricata instances could be manageable.

With any approach, Suricata should see both sides of the communication (client → server, server-> client).

It’s possible to build a system with 400Gbps of capability (SEPTun III will soon be available with details) but that may be far more than needed.

Topic		Replies	Views
Architecture help Help ips , community , centos	2	1245	November 29, 2020
Suricata running in AWS Help	2	631	October 5, 2021
Implementing Suricata in production environment Help community , suricata	1	4541	May 14, 2022
SPAN port configuration: duplicate packets Help	1	2003	July 9, 2021
Suricata port agnostic protocol detection at higher speed 100+Gbps	5	201	April 16, 2024

Suricata anda Port Mirroring

Related topics