[Discussion] Questions about Suricata

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 05/19/2015 10:44 PM, Saxena, Samiksha wrote:
> 1.  I want to know is there a way to use api to
> update/modify suricata.yaml file? Or Is there a way to modify the yaml
> file using GUI?

I'm not aware of one.

> 2. Can I use same suricata instance to do both IDS (for L3,4) and IPS
> (for L3,L4,L7)?

Currently no.

> 3. Which is better NFQ or AF_Packet?

They are quite different: NFQ integrates with iptables/nftables and is
used in router setup.

Afpacket is used as an ethernet bridge. It can't be (usefully) mixed
with iptables.

> 4. If I use NFQ, how should I configure the iptables rules to
> forward the packets to Suricata IPS?

Use the NFQUEUE target. See
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]