[Oisf-users] Inline Mode

Will Metcalf william.metcalf at gmail.com
Fri Jan 22 22:58:48 UTC 2010


Ya except that we only support NFQUEUE so....

iptables -I FORWARD -i br0 -p all -j NFQUEUE

This sends everything to queue 0.  I think the qid stuff needs to be fixed
still though.  I will check and open a ticket if needed. Eventually the idea
is that we have multiple threads or Suricata processes dealing with
different traffic.  Or maybe we re-implement some sort of queue load
balancer similar to what Dave Ramien from Nitro Security developed for
snort_inline. This is all possible because NFQUEUE allows you to have
multiple queue targets via the --queue-num option.

Regards,

Will

On Fri, Jan 22, 2010 at 4:43 PM, Brant Wells <bwells at tfc.edu> wrote:

>  Hi All,
>
> I was just curious as to whether or not Suricata runs in Inline mode as an
> IPS now?
>
> If so, the -q parameter asks for a qid – is this an arbitrary number, or
> does it match up with something from say… iptables?
>
> To that end…. When I run Snort (in inline mode), I have to use
>
> iptables -I FORWARD -i br0 -p all -j QUEUE
>
> Do I need to run that for Suricata in inline mode as well?
>
> Thanks!
> ~Brant
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
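Will's rule sends every forwarded packet on br0 to queue 0, and he points out that --queue-num lets you run several queues with one Suricata process each. The script below is an added example, not code from this thread or from the Suricata project: it generates (prints rather than executes) the iptables rules and the matching Suricata -q invocations, first for a single explicit queue and then for a range of queues. The interface name br0 comes from the thread; the config path, the queue range, and the --queue-bypass and --queue-balance options are assumptions about current iptables that the thread itself does not mention.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread). Builds, but does not
# run, the iptables rules and Suricata command lines for an NFQUEUE inline
# setup. Assumed values: bridge interface br0, queue numbers, config path.

# nfq_rule IFACE QNUM [open]
# Will's rule with the queue made explicit via --queue-num. With no third
# argument the rule fails closed: if no process is bound to the queue, the
# kernel drops every matched packet. Pass "open" to append --queue-bypass,
# which accepts matched traffic uninspected whenever nothing is bound to the
# queue (fail open). Pick the behaviour you want when Suricata is down.
nfq_rule() {
    rule="iptables -I FORWARD -i $1 -p all -j NFQUEUE --queue-num $2"
    [ "${3:-}" = "open" ] && rule="$rule --queue-bypass"
    printf '%s\n' "$rule"
}

# nfq_balanced_rule IFACE FIRST LAST
# Spreads forwarded traffic across queues FIRST..LAST. The kernel hashes on
# the flow, so both directions of a connection land on the same queue and a
# per-queue Suricata process still sees whole sessions. This is the in-kernel
# form of the queue load balancer the thread talks about.
nfq_balanced_rule() {
    printf 'iptables -I FORWARD -i %s -p all -j NFQUEUE --queue-balance %s:%s\n' \
        "$1" "$2" "$3"
}

# suricata_cmds CONFIG FIRST LAST
# One Suricata process per queue. The -q value is the queue id and must match
# the --queue-num / --queue-balance value on the iptables side; a queue with
# no bound process drops packets (unless --queue-bypass was set).
suricata_cmds() {
    q="$2"
    while [ "$q" -le "$3" ]; do
        printf 'suricata -c %s -q %s\n' "$1" "$q"
        q=$((q + 1))
    done
}

# queue_count FIRST LAST -> how many Suricata processes the balanced rule needs
queue_count() {
    echo $(( $2 - $1 + 1 ))
}

# Example usage (interface, queue range and config path are assumptions):
nfq_rule br0 0
nfq_rule br0 0 open
nfq_balanced_rule br0 0 3
suricata_cmds /etc/suricata/suricata.yaml 0 3
```

The fail-closed default is worth a deliberate decision: a plain NFQUEUE rule means a crashed or stopped Suricata blackholes the bridge, while --queue-bypass keeps traffic flowing but uninspected. Either way, the queue number given to -q has to be exactly the one the iptables rule targets; a mismatch is a silent outage rather than an error.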