<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<div>Hi,</div>
<div><span style="white-space: pre-wrap;">I have CentOS 6 64-bit here with a 3.8 kernel and everything works without a problem.</span></div>
<div><span style="white-space: pre-wrap;"><br>
</span></div>
<div><span style="white-space: pre-wrap;">You can find this kernel here:</span></div>
<div><a href="http://elrepo.org/tiki/kernel-ml">http://elrepo.org/tiki/kernel-ml</a></div>
<div><br>
</div>
<div>I need the 3.x kernel version for the --queue-bypass (iptables) and fail-open (Suricata) features.</div>
<div><br>
</div>
<div>An example:</div>
<div>-A FORWARD -i br0 -j NFQUEUE --queue-num 1 --queue-bypass</div>
<div><br>
</div>
<div>And please do not forget this in sysctl.conf:</div>
<div>
<div>net.bridge.bridge-nf-call-ip6tables = 1</div>
<div>net.bridge.bridge-nf-call-iptables = 1</div>
<div>net.bridge.bridge-nf-call-arptables = 1</div>
<div>net.bridge.bridge-nf-filter-vlan-tagged = 1</div>
</div>
<div><br>
</div>
<div>Also, maybe an important piece of information:</div>
<div>BPF filtering will not work in IPS / nfqueue mode. </div>
<div><br>
</div>
<div>Thanks again here for these hints and tips from Victor, Eric and Peter.</div>
<div><br>
</div>
<div>Regards</div>
<div>Stefan</div>
<br>
<div>
<div>On 26.03.2013 at 10:03, C. L. Martinez &lt;<a href="mailto:carlopmart@gmail.com">carlopmart@gmail.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">Hi all,<br>
<br>
Next month, I will setup my first suricata IPS to monitor a 1 GB<br>
network. AFAIK this can be accomplished using af_packet or nfqueue in<br>
linux platforms. But, what is the best option for production systems??<br>
(host will be CentOS 6.4 x86_64).<br>
<br>
I see the following post from Eric:<br>
<a href="https://home.regit.org/2012/12/af-packet-oops/">https://home.regit.org/2012/12/af-packet-oops/</a>, and I don't know if<br>
af_packet is the best option to use under this CentOS host.<br>
<br>
Thanks.<br>
</blockquote>
</div>
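<div>Added example, not part of the message above or of the Suricata project: a small Python check for the two pieces of configuration the reply describes, the bridge-netfilter sysctl keys and the --queue-bypass flag on NFQUEUE rules. The function names and the sample inputs are constructed for illustration; in practice the inputs would be the contents of sysctl.conf and the output of iptables-save.</div>

```python
import re

# Keys listed in the reply above; the reply sets each of them to 1 so that
# bridged traffic is handed to iptables and can reach the NFQUEUE rule.
REQUIRED_SYSCTLS = (
    "net.bridge.bridge-nf-call-ip6tables",
    "net.bridge.bridge-nf-call-iptables",
    "net.bridge.bridge-nf-call-arptables",
    "net.bridge.bridge-nf-filter-vlan-tagged",
)

# Constructed sample inputs mirroring the configuration in the reply.
SAMPLE_SYSCTL = "\n".join(f"{key} = 1" for key in REQUIRED_SYSCTLS)
SAMPLE_RULES = "-A FORWARD -i br0 -j NFQUEUE --queue-num 1 --queue-bypass"


def parse_sysctl(text):
    """Return {key: value} from sysctl.conf-style text; later lines win."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def audit(sysctl_text, rules_text):
    """Return a list of findings for a bridged NFQUEUE inline setup."""
    findings = []
    values = parse_sysctl(sysctl_text)
    for key in REQUIRED_SYSCTLS:
        if values.get(key) != "1":
            findings.append(f"sysctl {key} is {values.get(key, 'unset')}, expected 1")
    queue_rules = [line.strip() for line in rules_text.splitlines()
                   if re.search(r"-j\s+NFQUEUE\b", line)
                   and not line.lstrip().startswith("#")]
    if not queue_rules:
        findings.append("no NFQUEUE rule found")
    for rule in queue_rules:
        # Without --queue-bypass the kernel drops queued packets whenever
        # no userspace program (here Suricata) is bound to the queue.
        if "--queue-bypass" not in rule.split():
            findings.append(f"no --queue-bypass: {rule}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSCTL, SAMPLE_RULES) or ["configuration matches the reply"]:
        print(finding)
```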
<br>
</body>
</html>