[Oisf-users] In-line
Will Metcalf
william.metcalf at gmail.com
Fri Jul 2 11:58:46 UTC 2010
> To run Suricata as IPS, we have to set it in-line as a bridge, with 2 or 3
> interfaces,
> am I wrong?
You can run it in NAT mode, or on an end host by queuing traffic to
your INPUT/OUTPUT chains. For example, if you wanted to inspect
traffic going to a local web-server you can do something like:
iptables -I INPUT -i lo -j ACCEPT                 # leave loopback traffic alone
iptables -I INPUT -p tcp --dport 80 -j NFQUEUE    # inbound to the web server -> queue
iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE   # replies from the web server -> queue
> I've configured it to start when the interface is up, and it is managed by
> "network manager" in Ubuntu 10.4.
> When I disconnect the interface, Suricata stops, and vice versa,
>
> but what should I do if I want to stop Suricata manually?
You can always use something like "killall suricata".
If you are scripting startup and shutdown of daemon mode, use the
--pidfile option:
suricata -c suricata.yaml -i wlan0 -l ./ -D --pidfile=/var/run/suricata.pid
You can then do something like the following in a script:
kill `cat /var/run/suricata.pid`
Regards,
Will
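The two pieces of Will's reply (queuing a local service into NFQUEUE, and stopping a daemonised Suricata through its pidfile) put together as a small POSIX sh helper. This is an added example, not code from the thread or from the Suricata project; the function names, the queue number, the config path /etc/suricata/suricata.yaml and the log directory /var/log/suricata are my own assumptions. It generalises the reply slightly: any TCP port and queue number, and the stop routine refuses to act on a missing, malformed or stale pidfile instead of blindly running `kill $(cat pidfile)`.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers for an end-host
# NFQUEUE deployment of Suricata and a checked pidfile-based stop.
# Assumed for illustration: function names, queue number 0, the config path
# /etc/suricata/suricata.yaml and the log directory /var/log/suricata.

# Print the iptables rules that send traffic for TCP port $1 to NFQUEUE
# number $2 (default 0). Loopback is accepted first, as in the reply, so
# local connections never enter the queue. --queue-bypass lets packets
# through when nothing is attached to the queue; without it the kernel
# drops queued packets while suricata is not running.
nfq_rules() {
    port="$1"; queue="${2:-0}"
    printf '%s\n' \
        "iptables -I INPUT -i lo -j ACCEPT" \
        "iptables -I INPUT -p tcp --dport $port -j NFQUEUE --queue-num $queue --queue-bypass" \
        "iptables -I OUTPUT -p tcp --sport $port -j NFQUEUE --queue-num $queue --queue-bypass"
}

# Command line that starts suricata as a daemon reading from queue $1
# (-q instead of -i, since packets come from NFQUEUE rather than an
# interface) and records its pid in $2 for a later scripted stop.
nfq_start_cmd() {
    queue="${1:-0}"; pidfile="${2:-/var/run/suricata.pid}"
    echo "suricata -c /etc/suricata/suricata.yaml -q $queue -l /var/log/suricata -D --pidfile=$pidfile"
}

# Send SIGTERM (suricata shuts down cleanly on it) to the pid named in $1.
# Returns 1 without signalling anything if the pidfile is unreadable, does
# not hold a number, or names a process that is not alive (a stale pidfile
# left behind by a crash).
stop_by_pidfile() {
    pidfile="$1"
    if [ ! -r "$pidfile" ]; then
        echo "stop: no readable pidfile $pidfile" >&2; return 1
    fi
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "stop: '$pid' in $pidfile is not a pid" >&2; return 1 ;;
    esac
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "stop: pid $pid not running (stale pidfile?)" >&2; return 1
    fi
    kill -s TERM "$pid"
}

# Poll until pid $1 is gone or $2 seconds (default 10) have passed.
# Returns 0 once the process has exited, 1 if it is still alive.
wait_for_exit() {
    pid="$1"; secs="${2:-10}"
    while [ "$secs" -gt 0 ]; do
        kill -0 "$pid" 2>/dev/null || return 0
        sleep 1; secs=$((secs - 1))
    done
    kill -0 "$pid" 2>/dev/null || return 0
    return 1
}

# Usage: ./nfq.sh rules [port] [queue] | ./nfq.sh start [queue] | ./nfq.sh stop [pidfile]
case "${1:-}" in
    rules) nfq_rules "${2:-80}" "${3:-0}" ;;
    start) nfq_start_cmd "${2:-0}" ;;
    stop)  stop_by_pidfile "${2:-/var/run/suricata.pid}" && wait_for_exit "$(cat "${2:-/var/run/suricata.pid}")" ;;
esac
```

The rules are printed rather than applied so the script can be reviewed and run as root deliberately (`./nfq.sh rules 80 | sh`). The stale-pidfile check matters on the setup described in the question: when NetworkManager takes the interface down and Suricata exits on its own, the pidfile can outlive the process, and an unchecked `kill $(cat pidfile)` would then signal whatever process has since been given that pid.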