[Oisf-users] nfqueue or af_packet for suricata ips

Eric Leblond eric at regit.org
Tue Mar 26 09:46:25 UTC 2013


Hello,

On Tue, 2013-03-26 at 09:36 +0000, C. L. Martinez wrote:
> On Tue, Mar 26, 2013 at 9:28 AM, Heřbolt, Lukáš
> <lukas.herbolt at etnetera.cz> wrote:
> > Hello,
> > in CentOS the kernel is version 2.6.32, but in the remi repo it is 3.8.
> > I have a question about IPS mode: if you use af_packet, will suricata actually
> > drop packets on drop rules?
> >
> > Thx
...
> >>
> >> > Thanks.
> 
> Like Lukas says, the kernel version is 2.6.32 ... then the best option is to
> use nfqueues??

With that prehistoric kernel you can still use both solutions. You will
only be able to use one thread in af_packet IPS mode. Regarding NFQUEUE
mode, your kernel is recent enough to use queue-balance, which will allow
you easy multithreaded capture via the queue-balance option (see
https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/ for some details).

BR,
-- 
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
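An added illustration of the multi-queue NFQUEUE setup Eric describes (example script, not from the thread or the Suricata project): it checks whether a kernel version string is new enough for the NFQUEUE target's --queue-balance option, then prints the iptables rule spreading packets over N queues and the matching suricata command with one -q per queue. Assumed: --queue-balance needs kernel 2.6.31+ (per the iptables-extensions man page), the FORWARD chain and config path are placeholders, and falling back to a single queue on older kernels mirrors the single-thread limit of af_packet IPS mode.

```shell
#!/bin/sh
# Added example, not the thread's own code. Plans an NFQUEUE IPS deployment
# for Suricata: one NFQUEUE queue per capture thread, balanced by iptables.

# kernel_has_queue_balance VERSION -> 0 if VERSION >= 2.6.31 (assumed
# minimum for the NFQUEUE --queue-balance option), else 1.
kernel_has_queue_balance() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # "2.6.32-358.el6" -> "2.6.32"
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -gt 6 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "$pat" -ge 31 ] && return 0
    return 1
}

# suricata_nfq_args N -> "-q 0 -q 1 ... -q N-1": Suricata starts one
# capture thread per -q queue given on the command line.
suricata_nfq_args() {
    n=$1; i=0; args=""
    while [ "$i" -lt "$n" ]; do
        args="$args -q $i"
        i=$((i + 1))
    done
    printf '%s' "${args# }"
}

# nfqueue_rule N -> iptables rule sending FORWARD traffic to queues 0..N-1.
# With a single queue the plain --queue-num form works on any NFQUEUE kernel.
nfqueue_rule() {
    if [ "$1" -eq 1 ]; then
        printf 'iptables -I FORWARD -j NFQUEUE --queue-num 0'
    else
        printf 'iptables -I FORWARD -j NFQUEUE --queue-balance 0:%d' "$(($1 - 1))"
    fi
}

# plan KERNEL N -> the two commands for an N-queue IPS on that kernel,
# dropping back to one queue where --queue-balance is unavailable.
plan() {
    if kernel_has_queue_balance "$1"; then n=$2; else n=1; fi
    nfqueue_rule "$n"; printf '\n'
    printf 'suricata -c /etc/suricata/suricata.yaml %s\n' "$(suricata_nfq_args "$n")"
}

# Constructed sample: the CentOS 6 kernel from the thread, four queues.
plan "2.6.32-358.el6.x86_64" 4
```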
