[Oisf-users] NETMAP guide - suricata.yaml

elof2 at sentor.se
Thu Apr 7 14:09:35 UTC 2016


On Thu, 7 Apr 2016, Oliver Humpage wrote:
>> Do suricata really *have* to send the packet after processing?
>> Wouldn't it save some cpu cycles if suricata could be configured *not* to send the packet further, when running in IDS mode?
>
> Then no packets would ever get through your firewall.
> Netmap *moves* the packet straight from the NIC into userland memory, and gives it to a userland process such as suricata. If suricata doesn’t do something with that packet, then it disappears.
> In theory netmap is very efficient, so passing on the packet should take almost no effort at all.
> In other modes, you’re right: IDS takes a *copy* of the packet to inspect. But that’s not how netmap works. If you just want to look at copies, use pcap.

Ok, some clarification needed. :)

There are two ways to do IDS mode.
You are talking about an inspecting IDS firewall.
Sure, then the packets must be passed.

I'd rather call this an IPS with the blocking disabled.


When I speak of an IDS I mean a standalone sensor that is fed copies of 
the traffic via SPAN or a network tap.
The original packets are copies themselves, so after suricata has analyzed 
them they should immediately be discarded, not wasting a single cpu tick on 
sending the packet back to netmap, where the packet will be dropped later 
anyhow since I'm running the sniffer NIC in 'monitor' mode.


So... With a standalone IDS, do we really even need to specify any 
copy-interface in yaml?

/Elof
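The two netmap setups the thread distinguishes, side by side, as an added illustration written for this page (not taken from the thread or from Suricata's shipped suricata.yaml); the keys are Suricata's netmap section keys, and the interface names are placeholders.

```yaml
# Standalone IDS sensor fed by SPAN or a tap (Elof's case): inspect only.
# With no copy-mode set, Suricata does not hand the packet back to netmap's
# TX ring after inspection, so nothing is forwarded anywhere.
netmap:
  - interface: ix0        # placeholder: NIC attached to the SPAN/tap port
    threads: auto
    disable-promisc: no   # keep the sniffer NIC in promiscuous mode
---
# Inline "IPS with blocking disabled" (the firewall case Oliver describes):
# every packet read from ix0 must be re-emitted on ix1, otherwise it never
# leaves the host, because netmap moved it out of the NIC rather than copying it.
netmap:
  - interface: ix0        # placeholder: inside-facing NIC
    threads: auto
    copy-mode: ips        # forward and honour drop verdicts; "tap" forwards unconditionally
    copy-iface: ix1       # placeholder: outside-facing NIC
```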

