[Oisf-users] nfqueue or af_packet for suricata ips

C. L. Martinez carlopmart at gmail.com
Tue Mar 26 09:36:56 UTC 2013


On Tue, Mar 26, 2013 at 9:28 AM, Heřbolt, Lukáš
<lukas.herbolt at etnetera.cz> wrote:
> Hello,
> In CentOS the kernel version is 2.6.32, but in the remi repo it is 3.8.
> I have a question about IPS mode: if you use af_packet, will Suricata actually
> drop packets on drop rules?
>
> Thx
> Lukas
>
>
> On 26 March 2013 10:25, Eric Leblond <eric at regit.org> wrote:
>>
>> Hello,
>>
>> On Tue, 2013-03-26 at 09:03 +0000, C. L. Martinez wrote:
>> > Hi all,
>> >
>> >  Next month, I will set up my first Suricata IPS to monitor a 1 GB
>> > network. AFAIK this can be accomplished using af_packet or nfqueue on
>> > Linux platforms. But what is the best option for production systems?
>> > (The host will be CentOS 6.4 x86_64.)
>> >
>> >  I saw the following post from Eric:
>> > https://home.regit.org/2012/12/af-packet-oops/, and I don't know if
>> > af_packet is the best option to use on this CentOS host.
>>
>> Which kernel version is used in the CentOS you are running?
>>
>> If it is too old, you will only have one capture thread per interface. If it is
>> not young enough, you will crash if you have more than 1 thread...
>>
>> BR,
>>
>> > Thanks.

Like Lukas says, the kernel version is 2.6.32 ... so is the best option to
use nfqueue?
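For readers weighing the two capture paths discussed in this thread, the following is an added configuration illustration, not something posted by any of the participants. It shows the two ways Suricata can be wired for inline (IPS) operation: af_packet in `copy-mode: ips`, where Suricata bridges two interfaces and drop rules are enforced by simply not copying the offending packet to the peer interface, and nfqueue, where iptables hands packets to Suricata's queue and Suricata returns an accept or drop verdict. The interface names `eth0`/`eth1`, the queue number `0` and the path to `suricata.yaml` are assumptions for the example; the af-packet and nfq keys are the standard Suricata configuration keys.

```yaml
# Added example suricata.yaml fragment: af_packet inline (IPS) mode.
# Two interfaces form a transparent bridge; a packet matching a drop rule
# is not copied to the peer interface, which is how it gets dropped.
# Interface names eth0/eth1 are assumptions for this illustration.
af-packet:
  - interface: eth0
    threads: 1          # one capture thread per interface on older kernels
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips      # 'ips' enforces drop rules; 'tap' only copies traffic
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 97
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes

# Alternative: nfqueue inline mode. Packets are delivered by iptables and
# Suricata issues the verdict, so the kernel, not Suricata, sits in the
# forwarding path. 'accept' is the simplest verdict mode.
nfq:
  mode: accept

# How the two modes are started (shown here as comments; commands and
# queue number are assumptions for the illustration):
#
#   af_packet IPS:
#     suricata -c /etc/suricata/suricata.yaml --af-packet
#
#   nfqueue IPS (only traffic matched by the iptables rules is inspected):
#     iptables -I FORWARD -j NFQUEUE --queue-num 0
#     suricata -c /etc/suricata/suricata.yaml -q 0
```

The practical difference for a deployment like the one asked about: in af_packet IPS mode Suricata itself is the bridge, so if the Suricata process stops, traffic stops; in nfqueue mode the iptables rule still queues packets and, depending on the queue's fail-open behaviour, they are either dropped or passed when no process is listening. Either way, confirm drops are enforced with a test signature (for example an `alert`/`drop` rule on a harmless test flow) before relying on the setup in production.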


