[Oisf-devel] suricata af-packet IPS mode can't record drop.log
Eric Leblond
eric at regit.org
Fri Sep 19 10:06:39 UTC 2014
Hello,
On Fri, 2014-09-19 at 08:36 +0000, 李志强1(研七 福州) wrote:
> Hi,
>
> When I set suricata run with af-packet ips mode, I found it can’t
> record “drop.log” or drop log within eve.log.
>
> I found the source code doesn't support this. When it records the drop
> log, the engine must run in ENGINE_MODE_IPS, but only the NFQ and IPFW
> modes set this value.
Thanks for the report. I've just opened the following ticket to address
this issue: https://redmine.openinfosecfoundation.org/issues/1284
Here's the explanation and proposed solution:
AF_PACKET is not setting the engine mode to IPS when some interfaces are
peered. This is due to the fact that it is possible to peer 2 interfaces
and run an IPS on them and have a third one that is running in normal IDS
mode.
Unwanted side effect is that there is no drop log. Another side effect
is that stream-inline is not activated automatically when AF_PACKET is
used in IPS mode.
For backward compatibility we cannot assume that a configuration with
mixed IPS and IDS interfaces is wrong. So a solution is to do the
following:
If af-packet is full IPS, we set IPS mode and this will activate stream
inline.
If af-packet is in mixed mode, we add a warning message stating that
this is not a good idea.
I will work on it today. The fix should be available soon.
BR,
--
Eric Leblond <eric at regit.org>
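The classification Eric describes above (full IPS, full IDS, or mixed af-packet interfaces) as an added C sketch; this is illustrative code written for this page, not Suricata's own implementation. The struct, the global engine-mode variables and the function names are assumptions; the copy-mode/copy-iface keys are the af-packet settings that peer two interfaces.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Suricata's global engine mode (the thread calls
 * the IPS value ENGINE_MODE_IPS) and for the stream-inline switch. */
enum EngineMode { ENGINE_MODE_IDS, ENGINE_MODE_IPS };
static enum EngineMode engine_mode = ENGINE_MODE_IDS;
static int stream_inline = 0;

/* One af-packet interface entry; an interface counts as peered (IPS) when
 * copy-mode is "ips" and a copy-iface is configured (constructed struct). */
typedef struct {
    const char *iface;
    const char *copy_mode;   /* NULL, "tap" or "ips" */
    const char *copy_iface;  /* NULL when not peered */
} AFPIfaceCfg;

enum AFPRunMode { AFP_RUNMODE_IDS, AFP_RUNMODE_IPS, AFP_RUNMODE_MIXED };

static int AFPIfaceIsIPS(const AFPIfaceCfg *c) {
    return c->copy_mode && strcmp(c->copy_mode, "ips") == 0 && c->copy_iface;
}

/* Classify the whole af-packet section: every interface peered (full IPS),
 * none peered (IDS), or a mix of the two. */
enum AFPRunMode AFPClassify(const AFPIfaceCfg *cfg, int n) {
    int ips = 0;
    for (int i = 0; i < n; i++)
        ips += AFPIfaceIsIPS(&cfg[i]);
    if (ips == 0) return AFP_RUNMODE_IDS;
    if (ips == n) return AFP_RUNMODE_IPS;
    return AFP_RUNMODE_MIXED;
}

/* The proposed fix: full IPS switches the engine to IPS mode, which is what
 * enables drop logging and stream inline; a mixed section stays in IDS mode
 * and only warns. Returns the resulting engine mode. */
enum EngineMode AFPApplyEngineMode(const AFPIfaceCfg *cfg, int n) {
    enum AFPRunMode mode = AFPClassify(cfg, n);
    if (mode == AFP_RUNMODE_MIXED)
        fprintf(stderr, "Warning: af-packet mixes IPS and IDS interfaces; "
                        "drop log and stream inline stay disabled\n");
    engine_mode = (mode == AFP_RUNMODE_IPS) ? ENGINE_MODE_IPS : ENGINE_MODE_IDS;
    stream_inline = (engine_mode == ENGINE_MODE_IPS);
    return engine_mode;
}

int StreamInlineEnabled(void) { return stream_inline; }
```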