Hello,<div>in CentOS it is version 2.6.32, but in the remi repo it is 3.8</div><div>I have a question about IPS mode: if you use af_packet, will Suricata actually drop packets on drop rules?</div><div><br></div><div>Thx</div><div>Lukas<br>
<br><div class="gmail_quote">On 26 March 2013 10:25, Eric Leblond <span dir="ltr"><<a href="mailto:eric@regit.org" target="_blank">eric@regit.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
<div class="im"><br>
On Tue, 2013-03-26 at 09:03 +0000, C. L. Martinez wrote:<br>
> Hi all,<br>
><br>
> Next month, I will setup my first suricata IPS to monitor a 1 GB<br>
> network. AFAIK this can be accomplished using af_packet or nfqueue in<br>
> linux platforms. But, what is the best option for production systems??<br>
> (host will be CentOS 6.4 x86_64).<br>
><br>
> I see the following post from Eric:<br>
> <a href="https://home.regit.org/2012/12/af-packet-oops/" target="_blank">https://home.regit.org/2012/12/af-packet-oops/</a>, and I don't know if<br>
> af_packet is the best option to use under this CentOS host.<br>
<br>
</div>Which kernel version is used in the CentOS you are running?<br>
<br>
If too old, you will only have one capture thread per interface. If not<br>
young enough, you will crash if you have more than 1 thread...<br>
<br>
BR,<br>
<div class="im HOEnZb"><br>
> Thanks.<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
<br>
</div><span class="HOEnZb"><font color="#888888">--<br>
Eric Leblond <<a href="mailto:eric@regit.org">eric@regit.org</a>><br>
Blog: <a href="https://home.regit.org/" target="_blank">https://home.regit.org/</a><br>
</font></span><div class="HOEnZb"><div class="h5"><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div>Lukáš Heřbolt</div><div>Linux Administrator</div><div><br></div><div>ET NETERA | smart e-business</div><div>[a] Milady Horákové 108, 160 00 Praha 6</div>
<div>[t] +420 725 267 158 [i] <a href="http://www.etnetera.cz" target="_blank">www.etnetera.cz</a> </div><div>~</div><div>[<a href="http://www.ifortuna.cz" target="_blank">www.ifortuna.cz</a> | <a href="http://www.o2.cz" target="_blank">www.o2.cz</a> | <a href="http://www.datart.cz" target="_blank">www.datart.cz</a> ]</div>
<div>[<a href="http://www.skodaplus.cz" target="_blank">www.skodaplus.cz</a> | <a href="http://www.nivea.cz" target="_blank">www.nivea.cz</a> | <a href="http://www.allianz.cz" target="_blank">www.allianz.cz</a>]</div><div>
<br></div><div><br></div><div>Created by ET NETERA | Powered by jNetPublish</div></div>
</div>
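<div>As an added example that is not part of this thread: a Suricata <code>af-packet</code> configuration fragment (interface names eth0/eth1 and the cluster-ids are assumed) showing the setting under which drop rules only alert (<code>copy-mode: tap</code>) beside the setting under which matching packets are not forwarded to the peer interface (<code>copy-mode: ips</code>). <code>threads</code> stays at 1 per interface because of the kernel-version caveat above.</div>

```yaml
# Added example, not from the original message. Interface names and
# cluster-ids are assumed; adjust them to the bridged pair on the host.
af-packet:
  # --- Weak setting: TAP copy mode ---------------------------------------
  # Every packet received on eth0 is copied to eth1 regardless of verdict,
  # so a "drop" rule produces only an alert; nothing is actually blocked.
  - interface: eth0
    threads: 1            # 1 thread per interface: safe on an old kernel
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: tap        # forward everything, alert only
    copy-iface: eth1

  # --- Corrected setting: IPS copy mode ----------------------------------
  # Packets are copied to the peer interface only when the verdict is not
  # "drop"; packets matching a drop rule are discarded in line.
  # The peer interface needs the mirror-image entry so traffic flows both ways.
  - interface: eth0
    threads: 1            # keep equal on both interfaces of the pair
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes         # required for af-packet IPS mode
    copy-mode: ips        # drop rules now really drop
    copy-iface: eth1
  - interface: eth1
    threads: 1
    cluster-id: 97        # distinct cluster-id per interface
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0
```

<div>Only one of the two eth0 entries would be present in a real <code>suricata.yaml</code>; both are listed here to put the two copy modes side by side. With <code>copy-mode: ips</code>, a rule whose action is <code>drop</code> is logged as such in the alert output and the packet is not forwarded to the peer interface.</div>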