[Oisf-users] nfqueue or af_packet for suricata ips
Stefan Sabolowitsch
Stefan.Sabolowitsch at felten-group.com
Tue Mar 26 10:01:58 UTC 2013
Hi,
I have here CentOS 6 64bit with a 3.8 kernel and everything works without a problem.
You can find this kernel here:
http://elrepo.org/tiki/kernel-ml
I need the 3.x kernel version for the --queue-bypass (iptables) and fail-open (suricata) features.
An example:
-A FORWARD -i br0 -j NFQUEUE --queue-num 1 --queue-bypass
And please do not forget this in sysctl.conf:
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-filter-vlan-tagged = 1
Also maybe some important info:
BPF filtering will not work in IPS / nfqueue mode.
Thanks again here for these hints and tips from Victor, Eric and Peter.
Regards
Stefan
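The two settings in the message above, the bridge-nf sysctls and the --queue-bypass option on the NFQUEUE rule, are easy to lose on a rebuild, and the failure mode is silent: without --queue-bypass the kernel drops queued packets whenever nothing is bound to the queue (Suricata stopped or crashed), and without the bridge-nf sysctls bridged traffic never reaches iptables at all. The following is an added audit script, not code from the original post or from the Suricata project. It checks a sysctl.conf text for all four bridge-nf keys and an iptables-save dump for NFQUEUE rules that lack --queue-bypass; the sample inputs are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit sysctl.conf content and
# an iptables-save dump for the nfqueue IPS settings discussed on the list.

# Constructed sample sysctl.conf: the arptables key is left out on purpose.
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-filter-vlan-tagged = 1'

# Constructed sample iptables-save output: one NFQUEUE rule with
# --queue-bypass (fail-open at the kernel) and one without.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -j NFQUEUE --queue-num 1 --queue-bypass
-A FORWARD -i br1 -j NFQUEUE --queue-num 2
COMMIT'

# Print each bridge-nf key that is not set to 1 in the given sysctl text.
# Returns 0 when all four keys are present and enabled, 1 otherwise.
missing_bridge_nf() {
    conf="$1"
    rc=0
    for key in net.bridge.bridge-nf-call-ip6tables \
               net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-arptables \
               net.bridge.bridge-nf-filter-vlan-tagged; do
        # Accept "key = 1" with any spacing around '='; commented lines do not match.
        if ! printf '%s\n' "$conf" | \
             grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$"; then
            echo "$key"
            rc=1
        fi
    done
    return $rc
}

# Print every NFQUEUE rule in an iptables-save dump that lacks --queue-bypass.
# Such a rule makes the kernel drop queued packets when no userspace listener
# is attached, i.e. the IPS fails closed instead of open.
# Returns 0 when every NFQUEUE rule carries --queue-bypass, 1 otherwise.
nfqueue_without_bypass() {
    rules="$1"
    found=$(printf '%s\n' "$rules" | grep -E -- '-j NFQUEUE' \
            | grep -Ev -- '--queue-bypass' || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Run both checks against the constructed samples.
missing_bridge_nf "$SAMPLE_SYSCTL" || echo "bridge-nf sysctl configuration incomplete"
nfqueue_without_bypass "$SAMPLE_RULES" || echo "NFQUEUE rule(s) without --queue-bypass"
```

On a real host the same functions take live input, e.g. `missing_bridge_nf "$(cat /etc/sysctl.conf)"` and `nfqueue_without_bypass "$(iptables-save)"`. The sysctl check only looks at the file; whether the values are in effect is a separate question answered by `sysctl net.bridge`, and the bridge keys only exist once the br_netfilter functionality is loaded into the kernel.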
On 26.03.2013 at 10:03, C. L. Martinez <carlopmart at gmail.com> wrote:
Hi all,
Next month, I will set up my first suricata IPS to monitor a 1 GB
network. AFAIK this can be accomplished using af_packet or nfqueue on
linux platforms. But, what is the best option for production systems?
(host will be CentOS 6.4 x86_64).
I see the following post from Eric:
https://home.regit.org/2012/12/af-packet-oops/, and I don't know if
af_packet is the best option to use under this CentOS host.
Thanks.
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/