[Oisf-users] NETMAP guide - suricata.yaml
elof2 at sentor.se
Thu Apr 7 15:50:45 UTC 2016
Should suricata have three copy-modes instead?
Something like this:
copy-modes:
    tap-dedicated    standalone-IDS, receiving mirrored traffic
    tap              inline-IDS, usually a firewall
    ips              inline-IPS

tap-dedicated:
    copy-iface: <discard|same>
    discard = suricata discard packets immediately after processing
    same    = suricata pass them through to the parent interface
That should shave off some unnecessary cpu cycles per packet, right?
...or even simpler, continue using the two modes 'tap' and 'ips' but let
copy-iface be configured in multiple ways:
copy-iface: <interface|interface+|same|discard>
/Elof
On Thu, 7 Apr 2016, Victor Julien wrote:
> On 07-04-16 16:51, Oliver Humpage wrote:
>>
>>> When I speak of an IDS I mean a standalone sensor that is fed copies of the traffic via SPAN or a network tap.
>>
>> Ahh, I see what you mean! If it’s possible to omit copy-iface, you’ll have to be very explicit in the documentation to say this is for separate, non-inline sensors, so users don’t get confused.
>
> I'd suggest the other way around. Passive IDS is by far the most common
> way of deployment for Suricata.
>
>
>> However, although I have a limited knowledge of C, line 203 onwards in https://github.com/inliniac/suricata/blob/master/src/runmode-netmap.c would suggest that it requires a copy-iface directive. I think the code was written with inline sensors in mind.
>
> I'm running netmap in passive IDS mode w/o that option on Linux. I don't
> think it will be different on FreeBSD.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
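For comparison, the deployments the thread contrasts, written as netmap entries in the suricata.yaml form that exists today (tap/ips only); this is an added illustration, not text from the thread or from Suricata's own documentation, and the interface names em0..em3 are assumed:

```yaml
netmap:
  # Passive IDS: sensor fed by SPAN or tap traffic. No copy-mode and no
  # copy-iface, so packets are inspected and discarded after processing
  # (the case Victor describes running on Linux).
  - interface: em0
    threads: auto
    checksum-checks: auto

  # Inline IPS between two NICs: traffic arriving on em1 is copied to em2
  # and vice versa; packets that match a 'drop' rule are not copied.
  # Both directions must be configured or return traffic is black-holed.
  - interface: em1
    copy-mode: ips
    copy-iface: em2
  - interface: em2
    copy-mode: ips
    copy-iface: em1

  # Inline on the firewall host itself: the '+' suffix hands packets to the
  # host network stack instead of a second NIC, so the OS can route or
  # filter them. Use copy-mode: tap here for a non-blocking inline IDS.
  - interface: em3
    copy-mode: ips
    copy-iface: em3+
  - interface: em3+
    copy-mode: ips
    copy-iface: em3
```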