Introduction
------------
-Multi tenancy support allows for different rule sets with different
-rule vars. These tenants can then be assigned to VLANs or interfaces
-(devices).
+Multi tenancy support allows different tenants to use different
+rule sets with different rule variables.
+
+Tenants are identified by their `selector`; a `selector` can be
+a VLAN, interface/device, or from a pcap file ("direct").
YAML
----
-In the main ("master") YAML, the suricata.yaml, a new section called
-"multi-detect" should be added.
+Add a new section in the main ("master") Suricata configuration file -- ``suricata.yaml`` -- named ``multi-detect``.
Settings:
-* enabled: yes/no -> is multi-tenancy support enabled
-* default: yes/no -> is the normal detect config a default 'fall back' tenant?
-* selector: direct (for unix socket pcap processing, see below), vlan or device
-* loaders: number of 'loader' threads, for parallel tenant loading at startup
-* tenants: list of tenants
+* `enabled`: yes/no -> is multi-tenancy support enabled
+* `selector`: direct (for unix socket pcap processing, see below), VLAN or device
+* `loaders`: number of `loader` threads, for parallel tenant loading at startup
+* `tenants`: list of tenants
* id: tenant id (numeric values only)
* yaml: separate yaml file with the tenant specific settings
-* mappings:
+* `mappings`:
- * vlan id or device
- * tenant id: tenant to associate with the vlan id / device
+ * VLAN id or device: The outermost VLAN is used to match.
+ * tenant id: tenant to associate with the VLAN id or device
::
...
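Review bot: the added ``selector`` bullet gives the accepted values as "direct (...), VLAN or device", but the value typed into the YAML is lowercase ``vlan`` (the Live traffic section of this same patch says to specify ``device`` or ``vlan``). Keep the literal values lowercase and in double backticks so a reader copies a working setting. The added lines here also use single backticks (`selector`, `enabled`, `loaders`, `tenants`, `mappings`), which reST treats as interpreted text rather than an inline literal, while the rest of the patch uses double backticks. The ``default`` bullet is also removed with no replacement; if the setting is still accepted, keep the bullet, and if it is gone, say so in this section.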
-vlanid
-~~~~~~
+vlan-id
+~~~~~~~
-Assign tenants to vlan id's.
+Assign tenants to VLAN ids. Suricata matches the outermost VLAN id with this value.
+Multiple VLANs can have the same tenant id. VLAN id values must be between 1 and 4094.
-Example of vlan mapping::
+Example of VLAN mapping::
mappings:
- vlan-id: 1000
The mappings can also be modified over the unix socket, see below.
-Note: can only be used if 'vlan.use-for-tracking' is enabled.
+Note: can only be used if ``vlan.use-for-tracking`` is enabled.
device
~~~~~~
Assign tenants to devices. A single tenant can be assigned to a device.
-Multiple devices can have the same tenant.
+Multiple devices can have the same tenant id.
Example of device mapping::
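Review bot: the added sentence "VLAN id values must be between 1 and 4094" states the range but not what Suricata does with a mapping outside it; say whether the mapping is rejected at load time or ignored, since that decides whether a typo silently leaves a VLAN without its tenant. Because matching is on the outermost VLAN id only, a sentence saying that inner tags on stacked VLAN traffic do not affect tenant selection would also help operators who rely on the mapping for tenant separation.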
Registration
~~~~~~~~~~~~
-register-tenant <id> <yaml>
+``register-tenant <id> <yaml>``
Examples:
register-tenant 5 tenant-5.yaml
register-tenant 7 tenant-7.yaml
-unregister-tenant <id>
+``unregister-tenant <id>``
::
Unix socket runmode (pcap processing)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-The Unix Socket "pcap-file" command can be used to select the tenant
-to inspect the pcap against:
+The Unix Socket ``pcap-file`` command is used to associate the tenant with
+the pcap:
::
Live traffic mode
~~~~~~~~~~~~~~~~~
-For live traffic currently only a vlan based multi-tenancy is supported.
+Multi-tenancy supports both VLAN and devices with live traffic.
-The master yaml needs to have the selector set to "vlan".
+In the master configuration yaml file, specify ``device`` or ``vlan`` for the ``selector`` setting.
Registration
~~~~~~~~~~~~
-Tenants can be mapped to vlan id's.
+Tenants can be mapped to vlan ids.
-register-tenant-handler <tenant id> vlan <vlan id>
+``register-tenant-handler <tenant id> vlan <vlan id>``
::
register-tenant-handler 1 vlan 1000
-unregister-tenant-handler <tenant id> vlan <vlan id>
+``unregister-tenant-handler <tenant id> vlan <vlan id>``
::
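Review bot: "Multi-tenancy supports both VLAN and devices with live traffic" is not matched by the Registration subsection below it, which still documents only ``register-tenant-handler <tenant id> vlan <vlan id>`` and opens with "Tenants can be mapped to vlan ids". Either document how a device mapping is registered for live traffic, or state that device mappings are configured only through the ``mappings`` section, if that is the case. "vlan ids" in that added line should also read "VLAN ids" to match the wording introduced in the vlan-id section.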