[Oisf-users] In-line

Anas.B a.bouhsaina at gmail.com
Tue Jul 6 10:25:46 UTC 2010


Thanks Will,
"Doc": I mean the configuration according to the placement (NAT, bridge, host).

About the PID, this is what I had:
root@ubuntu:/home/user# suricata -c /etc/suricata/suricata.yaml -i eth0 -l ./ -D --pidfile=/var/log/suricata.pid
[2038] 6/7/2010 -- 11:01:13 - (suricata.c:453) <Info> (main) -- This is Suricata version 0.9.0
[2038] 6/7/2010 -- 11:01:13 - (util-cpu.c:167) <Info> (UtilCpuPrintSummary) -- CPUs Summary:
[2038] 6/7/2010 -- 11:01:13 - (util-cpu.c:169) <Info> (UtilCpuPrintSummary) -- CPUs online: 1
[2038] 6/7/2010 -- 11:01:13 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs configured 1
[2038] 6/7/2010 -- 11:01:13 - (output.c:61) <Info> (OutputRegisterModule) -- Output module "AlertFastLog" registered.
[2038] 6/7/2010 -- 11:01:13 - (output.c:61) <Info> (OutputRegisterModule) -- Output module "AlertDebugLog" registered.
[2038] 6/7/2010 -- 11:01:13 - (output.c:61) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedLog" registered.
[2038] 6/7/2010 -- 11:01:13 - (output.c:61) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedAlert" registered.
[2038] 6/7/2010 -- 11:01:13 - (output.c:61) <Info> (OutputRegisterModule) -- Output module "Unified2Alert" registered.
[2038] 6/7/2010 -- 11:01:13 - (output.c:61) <Info> (OutputRegisterModule) -- Output module "LogHttpLog" registered.
root@ubuntu:/home/user#


Question: I've configured Suricata to start just after the interface comes up
and to stop when the interface goes down.
What do you think about this script configuration? Is it right?


Thank you.



2010/7/2 Will Metcalf <william.metcalf at gmail.com>

> On Fri, Jul 2, 2010 at 9:50 AM, Anas.B <a.bouhsaina at gmail.com> wrote:
> > Hi will,
> >
> > I need documentation about how to set suricata in-line
>
>
> http://www.inliniac.net/blog/2010/05/01/compiling-suricata-0-8-2-in-ubuntu-lucid-10-04-in-ips-inline-mode.html
>
> Anything moving across the bridge that isn't traffic bound for the
> host itself moves through the forward chain, so if you wanted to send
> all traffic moving across the bridge to suricata you would create a
> rule like
>
> iptables -A FORWARD -j NFQUEUE
>
> > Actually, i'm following this tuto :
> > http://openmaniak.com/fr/inline_bridge.php
> > that's why i talked about "bridge mode",
> >
> > You can run it in NAT mode, or on an end host
> >
> > How ? and what's the best to run Suricata in-line ?
>
> Just depends on what works best for your environment.
>
> > This example is for which mode? (NAT, bridge, host?)
> > iptables -I INPUT -i lo -j ACCEPT
> > iptables -I INPUT -p tcp --dport 80 -j NFQUEUE
> > iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE
>
> This example would be for a host say running a webserver on port 80.
>
> Regards,
>
> Will
>
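The quoted reply gives one iptables rule for the bridge placement (everything crossing the bridge goes through FORWARD) and three for the host placement (a web server on port 80). The script below is an added example, not code from the thread or from the Suricata project: it generates both rule sets as named functions, can remove them again with -D, and has a dry-run mode so the rules can be reviewed before they are applied. It assumes an iptables with NFQUEUE and --queue-num, and that Suricata is started on the matching queue (suricata -q N). The caveat that matters for the interface up/down script asked about above: packets steered into an NFQUEUE that no program is bound to are dropped by the kernel, so Suricata must be running before the rules go in, and the rules must come out before Suricata stops.

```shell
#!/bin/sh
# Added example (not from the thread): iptables NFQUEUE rule sets for the two
# Suricata inline placements discussed above, with a dry-run mode.
#
# Assumptions: iptables supports NFQUEUE with --queue-num, and Suricata is
# started with the matching queue number (suricata -q <N>). Packets that land
# in an NFQUEUE nobody listens on are dropped by the kernel, so bring Suricata
# up before "up" and run "down" before stopping Suricata.

# nfq_rules MODE ACTION [QUEUE]
#   MODE   bridge: everything crossing the bridge (FORWARD chain)
#          host:   a single web server on this host (INPUT/OUTPUT, port 80)
#   ACTION -A to add the rules, -D to delete the same rules again
# Prints one iptables command per line; returns 1 on an unknown mode.
nfq_rules() {
    mode="$1"; action="$2"; queue="${3:-0}"
    case "$mode" in
        bridge)
            echo "iptables $action FORWARD -j NFQUEUE --queue-num $queue"
            ;;
        host)
            # Loopback first: with -A the ACCEPT is evaluated before the
            # NFQUEUE rule, so local port-80 traffic is not sent to Suricata.
            echo "iptables $action INPUT -i lo -j ACCEPT"
            echo "iptables $action INPUT -p tcp --dport 80 -j NFQUEUE --queue-num $queue"
            echo "iptables $action OUTPUT -p tcp --sport 80 -j NFQUEUE --queue-num $queue"
            ;;
        *)
            echo "nfq_rules: unknown mode '$mode' (expected bridge or host)" >&2
            return 1
            ;;
    esac
}

# nfq_apply MODE up|down [QUEUE]
# Runs the generated commands (needs root). With DRY_RUN=1 it only prints them.
nfq_apply() {
    mode="$1"; dir="$2"; queue="${3:-0}"
    case "$dir" in
        up)   action=-A ;;
        down) action=-D ;;
        *)    echo "usage: nfq_apply bridge|host up|down [queue]" >&2; return 1 ;;
    esac
    nfq_rules "$mode" "$action" "$queue" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        else
            $cmd   # word splitting is intended: run the generated iptables command
        fi
    done
}

# Command-line use, e.g. from an interface up/down hook:
#   DRY_RUN=1 sh nfq.sh bridge up 0   # review the rules
#   sh nfq.sh bridge up 0             # apply, once "suricata -q 0 ..." is running
#   sh nfq.sh bridge down 0           # remove, before Suricata is stopped
if [ $# -gt 0 ]; then
    nfq_apply "$@"
fi
```

The host rules are emitted with -A rather than the -I of the quoted example on purpose: each -I lands at the top of the chain, so inserting the loopback ACCEPT first and the port-80 NFQUEUE rule second leaves the NFQUEUE rule above the ACCEPT, and local connections to port 80 are queued too. With -A the order on the page is the order in the chain.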