<!DOCTYPE html PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html><head><meta http-equiv="Content-Type" content="text/html;charset=us-ascii">
<style>BODY{font:10pt Tahoma,Verdana,sans-serif} .MsoNormal{line-height:120%;margin:0}</style></head><body>
<DIV>af-packet is the other method to perform IPS without iptables. It has its own bridging built-in.</DIV>
<DIV> </DIV>
<DIV>See <A href="https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/" target=_blank defaultcontextmenu="yes">https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/</A>.</DIV>
<DIV> </DIV>
<DIV>But if you want to use more than one thread you will need to use a Linux kernel greater than 3.5.</DIV>
<DIV> </DIV>
<DIV>Leonard<BR>
<HR>
<B>From:</B> Victor Julien [mailto:lists@inliniac.net]<BR><B>To:</B> discussion@openinfosecfoundation.org<BR><B>Sent:</B> Tue, 09 Apr 2013 10:02:30 -0600<BR><B>Subject:</B> Re: [Discussion] Suricata 1.4.1 as an IPS : no logs in NFQUEUE mode<BR><BR>(in general, we use oisf-users for supporting user questions)<BR><BR>On 04/09/2013 04:11 PM, Michael Bouvy wrote:<BR>> Hi everyone,<BR>> <BR>> After a quick (and unsuccessful, because of poor perfs) experience with<BR>> Snort few years ago, I recently discovered Suricata which seems to fit<BR>> my needs.<BR>> <BR>> I installed it on my Debian (5.0 Lenny) from sources (1.4.1) and after<BR>> some configuration launched it : lots of log lines are now being written<BR>> in http.log, fast.log, etc., it works fine.<BR>> <BR>> As I'd like to use Suricata in IPS rather than IDS mode, I added a rule<BR>> in my iptables confiration to redirect all incoming trafic on port<BR>> HTTP/80 to NFQUEUE :<BR>> <BR>> iptables -A INPUT -p tcp --dport 80 -j NFQUEUE<BR><BR>Add:<BR>iptables -A OUTPUT -p tcp --sport 80 -j NFQUEUE<BR><BR>Otherwise you'll send only one side of the traffic to Suricata.<BR><BR>> <BR>> I then launched Suricata in NFQ mode (with -q 0, 0 matching the iptables<BR>> rule), but I couldn't see any new line in my logs, despite packet<BR>> quantity growing in iptables -vnL for the NFQUEUE rule, and in stats.log.<BR>> <BR>> NFQ mode is set as 'accept' in Suricata's configuration file.<BR>> <BR>> Is this a normal behavior of Suricata in NFQ mode ?<BR><BR>It is with your iptables rule :)<BR><BR>-- <BR>---------------------------------------------<BR>Victor Julien<BR><A href="http://www.inliniac.net/" target=_blank>http://www.inliniac.net/</A><BR>PGP: <A href="http://www.inliniac.net/victorjulien.asc" target=_blank>http://www.inliniac.net/victorjulien.asc</A><BR>---------------------------------------------<BR><BR>_______________________________________________<BR>Discussion mailing list<BR><A href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</A><BR><A href="https://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target=_blank>https://lists.openinfosecfoundation.org/mailman/listinfo/discussion</A><BR></DIV>
<STYLE>
</STYLE>
<DIV> </DIV>
<DIV> </DIV></body></html>