[Oisf-users] nfqueue or af_packet for suricata ips

Heřbolt, Lukáš lukas.herbolt at etnetera.cz
Tue Mar 26 09:28:02 UTC 2013


Hello,
in CentOS the version is 2.6.32, but in the remi repo it is 3.8.
I have a question about IPS mode: if you use af_packet, will Suricata actually
drop packets on drop rules?

Thx
Lukas

On 26 March 2013 10:25, Eric Leblond <eric at regit.org> wrote:

> Hello,
>
> On Tue, 2013-03-26 at 09:03 +0000, C. L. Martinez wrote:
> > Hi all,
> >
> >  Next month, I will setup my first suricata IPS to monitor a 1 GB
> > network. AFAIK this can be accomplished using af_packet or nfqueue in
> > linux platforms. But, what is the best option for production systems?
> > (host will be CentOS 6.4 x86_64).
> >
> >  I see the following post from Eric:
> > https://home.regit.org/2012/12/af-packet-oops/, and I don't know if
> > af_packet is the best option to use under this CentOS host.
>
> Which kernel version is used in the CentOS you are running?
>
> If too old, you will only have one capture thread per interface. If not
> young enough, you will crash if you have more than 1 thread...
>
> BR,
>
> > Thanks.
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
>
> --
> Eric Leblond <eric at regit.org>
> Blog: https://home.regit.org/
>



-- 
Lukáš Heřbolt
Linux Administrator

ET NETERA | smart e-business
[a] Milady Horákové 108, 160 00 Praha 6
[t] +420 725 267 158 [i] www.etnetera.cz


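The two capture methods discussed in this thread are configured quite differently, and the question of whether af_packet "actually drops" comes down to how its IPS mode works: Suricata bridges two interfaces and forwards a packet from one to the other only if the rules do not say drop. The fragment below is an added example written for this page, not configuration from the original mail or from the Suricata project; it assumes the hypothetical interface names eth1 and eth2 and queue number 0, and it uses the documented suricata.yaml keys for both modes side by side. `threads: 1` is the conservative choice given the kernel caveat raised above, since a single capture thread per interface is all an old kernel supports and it avoids the multi-thread crash on kernels that are only a little newer.

```yaml
# suricata.yaml fragment (added example; eth1/eth2 and queue 0 are assumptions)

# --- Option 1: af_packet inline (IPS) mode ---
# Suricata sits between eth1 and eth2 as a software bridge. A packet read on
# eth1 is written out on eth2 (and vice versa) unless a rule with the "drop"
# action matches it, in which case it is simply never copied. Both interfaces
# must use the same thread count; the peers must be declared in both blocks.
# Caveat: if Suricata stops, nothing forwards traffic between the two links.
af-packet:
  - interface: eth1
    threads: 1             # one thread per interface: safe on old kernels
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips         # "ips" drops on drop rules; "tap" only copies
    copy-iface: eth2       # peer interface of the bridge
    use-mmap: yes
  - interface: eth2
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: eth1
    use-mmap: yes

# --- Option 2: NFQUEUE inline (IPS) mode ---
# The kernel hands packets to Suricata through netfilter and waits for a
# verdict. Drop rules result in an NF_DROP verdict; everything else is
# accepted. The host must be routing/bridging the traffic and an iptables
# rule must send it to the queue (see the usage note below).
nfq:
  mode: accept             # verdict non-matching packets with NF_ACCEPT
  repeat-mark: 1
  repeat-mask: 1
  batchcount: 20
  fail-open: yes           # let traffic pass if the queue is full; needs a
                           # recent kernel with NFQUEUE fail-open support
```

To run the af_packet variant, start Suricata with `suricata -c suricata.yaml --af-packet`; no iptables rules are involved, and the host itself needs no IP address on eth1 or eth2. For the NFQUEUE variant, queue the forwarded traffic first, e.g. `iptables -I FORWARD -j NFQUEUE --queue-num 0`, then start `suricata -c suricata.yaml -q 0`. In both modes a signature only blocks if its action is `drop` (or `reject`); `alert` rules log but let the packet through, so check the action keyword on the rules you expect to enforce rather than assuming the capture method does it. A quick way to confirm drops are happening is to watch the `drop` counters in `stats.log` while sending traffic that matches a known drop rule.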