[Oisf-users] AF_Packet Mode vs. NFQUEUE Mode

Leonard Jacobs ljacobs at netsecuris.com
Fri Nov 13 15:52:26 UTC 2015

Are you saying that NFQUEUE is not working so well in 2.0.9 so we should not use that IPS mode?

Leonard Jacobs

From: Eric Leblond [mailto:eric at regit.org]
To: Leonard Jacobs [mailto:ljacobs at netsecuris.com], oisf-users at lists.openinfosecfoundation.org [mailto:oisf-users at lists.openinfosecfoundation.org]
Sent: Fri, 13 Nov 2015 07:37:51 -0600
Subject: Re: [Oisf-users] AF_Packet Mode vs. NFQUEUE Mode

Hello Leonard,
  On Fri, 2015-11-13 at 07:08 -0600, Leonard Jacobs wrote:
  > What happens if the interfaces are bridged when using AF_Packet mode?
  > Does that cause problems since this mode performs its own copy-mode
  > between interfaces?
  That would cause a duplication of packets:
   * Bridge forwards packets from iface 1 to 2
   * Suricata sees packets on iface 1 and copies packets on iface 2
  > In NFQUEUE IPS mode, are the interfaces supposed to be bridged?  Will
  > IPTables not function properly without the interfaces being bridged?
  No bridge needed. Using it is even the buggiest setup that can be done
  (currently unexplained packet loss in that mode).
  > Thanks.
  > Leonard Jacobs
  Eric Leblond <eric at regit.org>
  Blog: https://home.regit.org/
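
Added example, not part of the original thread: a pre-flight check for the duplication case described above, which reports when two interfaces intended for AF_Packet copy-mode are also ports of the same Linux bridge. The function names and the SYSFS_NET override are hypothetical; the only system detail relied on is the kernel's /sys/class/net/<iface>/brport/bridge symlink.

```shell
#!/bin/sh
# Added example: detect the "bridge + AF_Packet copy-mode" double-forwarding setup.
# SYSFS_NET (hypothetical override) lets the check run against a constructed tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the bridge that interface $1 is a port of; return 1 if it is not a bridge port.
bridge_of() {
    link="$SYSFS_NET/$1/brport/bridge"
    [ -L "$link" ] || return 1
    basename "$(readlink "$link")"
}

# Return 0 when $1 and $2 are ports of the same bridge, i.e. the kernel already
# forwards between them and copy-mode would forward every packet a second time.
copy_mode_conflict() {
    b1=$(bridge_of "$1") || return 1
    b2=$(bridge_of "$2") || return 1
    [ "$b1" = "$b2" ]
}

# Human-readable verdict; exit status 1 on conflict so it can gate a start script.
check_pair() {
    if copy_mode_conflict "$1" "$2"; then
        echo "CONFLICT: $1 and $2 are both ports of bridge $(bridge_of "$1");" \
             "AF_Packet copy-mode between them would duplicate forwarded packets"
        return 1
    fi
    echo "OK: $1 and $2 are not ports of the same bridge"
}

# Usage: sh check_copy_mode.sh <iface1> <iface2>
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```
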