[Oisf-users] nfqueue or af_packet for suricata ips

C. L. Martinez carlopmart at gmail.com
Tue Mar 26 10:24:34 UTC 2013


On Tue, Mar 26, 2013 at 10:01 AM, Stefan Sabolowitsch
<Stefan.Sabolowitsch at felten-group.com> wrote:
> Hi,
> I have here Centos 6 64bit with 3.8 Kernel and everything works without a
> problem.
>
> You can find this kernel here:
> http://elrepo.org/tiki/kernel-ml
>
> I need the 3.x kernel version for the --queue-bypass (iptables) and fail-open
> (suricata) features.
>
> an example:
> -A FORWARD -i br0 -j NFQUEUE --queue-num 1 --queue-bypass
>
> And please don't forget this in sysctl.conf:
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> net.bridge.bridge-nf-call-arptables = 1
> net.bridge.bridge-nf-filter-vlan-tagged = 1
>
> Also, maybe an important bit of info:
> BPF filtering will not work in IPS / nfqueue mode.
>
> Thanks again here for these hints and tips from Victor, Eric and Peter.
>
> Regards
> Stefan
>
> On 26.03.2013 at 10:03, C. L. Martinez <carlopmart at gmail.com> wrote:
>
> Hi all,
>
> Next month, I will set up my first suricata IPS to monitor a 1 GB
> network. AFAIK this can be accomplished using af_packet or nfqueue on
> Linux platforms. But, what is the best option for production systems?
> (host will be CentOS 6.4 x86_64).
>
> I see the following post from Eric:
> https://home.regit.org/2012/12/af-packet-oops/, and I don't know if
> af_packet is the best option to use under this CentOS host.
>

Many thanks to all. I will try it with kernel version 3.8 ...
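As an added example (not part of the thread or of Suricata), here is a small POSIX shell preflight that checks the three things Stefan lists before bringing up an NFQUEUE IPS on a bridge: a 3.x kernel for --queue-bypass, the bridge-nf sysctls, and the FORWARD rule itself. The bridge name br0, queue number 1 and the sysctl.conf path are assumptions taken from his mail.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumptions: bridge br0,
# NFQUEUE number 1, and /etc/sysctl.conf as the sysctl file.

# --queue-bypass and suricata's fail-open need a 3.x kernel; the stock
# CentOS 6 kernel is 2.6.32, so check the major version first.
kernel_major() { printf '%s' "${1%%.*}"; }

kernel_supports_queue_bypass() {
    [ "$(kernel_major "$1")" -ge 3 ]
}

# The four bridge-nf sysctls from the thread. Without them iptables never
# sees bridged frames, so the NFQUEUE rule silently matches nothing and
# traffic bypasses the IPS entirely.
REQUIRED_SYSCTLS="net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-arptables
net.bridge.bridge-nf-filter-vlan-tagged"

# $1 is a file in sysctl.conf format. Prints every required key that is
# not set to 1; returns 0 when all are present, 1 otherwise.
missing_bridge_sysctls() {
    rc=0
    for key in $REQUIRED_SYSCTLS; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" 2>/dev/null; then
            echo "$key"
            rc=1
        fi
    done
    return $rc
}

# The rule from the thread: queue bridged traffic on $1 to NFQUEUE $2 and,
# with --queue-bypass, keep forwarding when suricata is not attached.
nfqueue_rule() {
    printf 'iptables -A FORWARD -i %s -j NFQUEUE --queue-num %s --queue-bypass\n' "$1" "$2"
}

# Check the live host; prints what is missing, then the rule to add.
preflight() {
    ok=0
    kernel_supports_queue_bypass "$(uname -r)" || { echo "kernel $(uname -r) lacks --queue-bypass (need 3.x)"; ok=1; }
    missing=$(missing_bridge_sysctls /etc/sysctl.conf) || { echo "add to /etc/sysctl.conf:"; echo "$missing" | sed 's/$/ = 1/'; ok=1; }
    [ $ok -eq 0 ] && nfqueue_rule br0 1
    return $ok
}

if [ "${1:-}" = run ]; then preflight; fi
```

Invoke it as `sh preflight.sh run` on the sensor; a non-zero exit means at least one prerequisite is missing.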