[Oisf-users] AF_Packet Mode vs. NFQUEUE Mode

Leonard Jacobs ljacobs at netsecuris.com
Fri Nov 13 15:52:26 UTC 2015


Are you saying that NFQUEUE is not working so well in 2.0.9 so we should not use that IPS mode?

Leonard Jacobs
  _____  

From: Eric Leblond [mailto:eric at regit.org]
To: Leonard Jacobs [mailto:ljacobs at netsecuris.com], oisf-users at lists.openinfosecfoundation.org [mailto:oisf-users at lists.openinfosecfoundation.org]
Sent: Fri, 13 Nov 2015 07:37:51 -0600
Subject: Re: [Oisf-users] AF_Packet Mode vs. NFQUEUE Mode

Hello Leonard,
  
  On Fri, 2015-11-13 at 07:08 -0600, Leonard Jacobs wrote:
  > What happens if the interfaces are bridged when using AF_Packet mode?
  > Does that cause problems since this mode performs its own copy-mode
  > between interfaces?
  
  That would cause a duplication of packets:
   * The bridge forwards packets from iface 1 to 2
   * Suricata sees packets on iface 1 and copies packets to iface 2
  
  > In NFQUEUE IPS mode, are the interfaces supposed to be bridged?  Will
  > IPTables not function properly without the interfaces being bridged?
  
  No bridge needed. Using it is even the buggiest setup that can be done
  (currently unexplained packet loss in that mode).
  
  BR,
   
  > Thanks.
  >  
  > Leonard Jacobs
  -- 
  Eric Leblond <eric at regit.org>
  Blog: https://home.regit.org/
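
Added example (not part of the original thread, and not Suricata project code): a pre-flight check for the packet duplication described above, where both interfaces of an AF_PACKET copy-mode pair are also ports of the same Linux bridge. It assumes the standard sysfs layout (a `brport` directory and a `master` symlink for each bridge port); the function names and the `SYSFS_NET` override are hypothetical, and the "only one interface bridged" result goes beyond the case discussed in the thread.

```sh
#!/bin/sh
# Added example: detect an AF_PACKET copy-mode pair that is also bridged.
# SYSFS_NET is a hypothetical override so the check can run on a test tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the bridge an interface is enslaved to; return 1 if it is not a port.
bridge_of() {
    # The kernel exposes a brport/ directory for every bridge port.
    [ -d "$SYSFS_NET/$1/brport" ] || return 1
    # master is a symlink pointing at the bridge device.
    basename "$(readlink "$SYSFS_NET/$1/master")"
}

# Check the two interfaces of a copy-mode pair.
# Returns 0 = neither bridged, 1 = both on the same bridge (duplication),
#         2 = at least one is a bridge port (review the topology).
check_copy_pair() {
    ccp_a="$(bridge_of "$1")" || ccp_a=""
    ccp_b="$(bridge_of "$2")" || ccp_b=""
    if [ -n "$ccp_a" ] && [ "$ccp_a" = "$ccp_b" ]; then
        echo "DUPLICATION: $1 and $2 are both ports of bridge $ccp_a;" \
             "the bridge and copy-mode would each forward every packet"
        return 1
    fi
    if [ -n "$ccp_a" ] || [ -n "$ccp_b" ]; then
        echo "REVIEW: $1 (bridge: ${ccp_a:-none}) / $2 (bridge: ${ccp_b:-none})"
        return 2
    fi
    echo "OK: neither $1 nor $2 is a bridge port"
    return 0
}

# Stand-alone use: ./check.sh <iface1> <iface2>
if [ "$#" -eq 2 ]; then
    check_copy_pair "$1" "$2"
fi
```

Run it with the two interface names used for the copy-mode pair before starting Suricata in AF_PACKET IPS mode.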
  
  
    