[Oisf-users] nfqueue or af_packet for suricata ips
Eric Leblond
eric at regit.org
Tue Mar 26 09:33:43 UTC 2013
Hi,
On Tue, 2013-03-26 at 10:28 +0100, Heřbolt, Lukáš wrote:
> Hello,
> in CentOS is 2.6.32 version, but in remi repo is 3.8
3.8 should be ok for af_packet IPS mode.
> I have a question to IPS mode, if you use af_packet will suricata
> actually drop packet on drop rules?
Yes, it is a specific mode where Suricata is making a layer-2 bridge by
using two interfaces. Being a bridge, it can drop packets. Standard
af_packet mode (sniffing only) can't drop packets.
More info here:
https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/
BR,
>
> Thx
> Lukas
>
> On 26 March 2013 10:25, Eric Leblond <eric at regit.org> wrote:
> Hello,
>
> On Tue, 2013-03-26 at 09:03 +0000, C. L. Martinez wrote:
> > Hi all,
> >
> > Next month, I will set up my first suricata IPS to monitor a 1 GB
> > network. AFAIK this can be accomplished using af_packet or nfqueue in
> > linux platforms. But, what is the best option for production systems??
> > (host will be CentOS 6.4 x86_64).
> >
> > I see the following post from Eric:
> > https://home.regit.org/2012/12/af-packet-oops/, and I don't know if
> > af_packet is the best option to use under this CentOS host.
>
>
> Which kernel version is used in the CentOS you are running?
>
> If too old, you will only have one capture thread per interface. If not
> young enough, you will crash if you have more than 1 thread...
>
> BR,
>
> > Thanks.
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
>
>
> --
> Eric Leblond <eric at regit.org>
> Blog: https://home.regit.org/
>
> --
> Lukáš Heřbolt
> Linux Administrator
--
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
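As an added illustration of the two modes Eric contrasts above (not a file from the thread or from the Suricata project itself), here is what the af-packet section of suricata.yaml looks like for plain sniffing versus the two-interface IPS bridge. The interface names eth0/eth1 and the cluster IDs are assumptions; the two YAML documents are alternatives, only one af-packet section goes in a real config.

```yaml
# Added example, not from the original thread. Interface names and
# cluster-ids are assumed; pick ONE of the two documents below.

# Variant 1: sniffing only. Suricata receives a copy of the frames, so a
# rule with the "drop" action can only log the verdict; nothing is stopped.
af-packet:
  - interface: eth0
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

---
# Variant 2: af_packet IPS mode. Each interface copies the packets that
# passed inspection to its peer, so Suricata itself is the layer-2 bridge
# and a "drop" verdict really removes the packet from the path.
af-packet:
  - interface: eth0
    threads: 1                 # keep 1 on the old/"not young enough" kernels Eric mentions
    cluster-id: 98             # must differ from the peer interface
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips             # "tap" would forward everything; "ips" honours drop
    copy-iface: eth1           # the other side of the bridge
    use-mmap: yes              # copy mode is built on the mmap ring
  - interface: eth1
    threads: 1                 # thread count must match the peer interface
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: eth0
    use-mmap: yes
```

Start it with `suricata -c /etc/suricata/suricata.yaml --af-packet`, with both interfaces up (no IP address is needed on them). Two caveats worth checking before putting this in front of production traffic: the kernel version matters for how many threads you can safely run per interface, as Eric points out (`uname -r` on the CentOS host), and because Suricata is the bridge there is no fail-open: if the process stops, traffic between the two interfaces stops with it.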