[Oisf-users] NETMAP guide - suricata.yaml

Cloherty, Sean E scloherty at mitre.org
Mon Apr 11 14:37:37 UTC 2016


That looks like it would be an improvement for the app as well as clarifying the options a bit more to simplify understanding the ramifications for each.

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of elof2 at sentor.se
Sent: Thursday, April 07, 2016 11:51 AM
To: Victor Julien <lists at inliniac.net>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] NETMAP guide - suricata.yaml


Should suricata have three copy-modes instead?

Something like this:

copy-modes:
   tap-dedicated   standalone-IDS, receiving mirrored traffic
   tap             inline-IDS, usually a firewall
   ips             inline-IPS

tap-dedicated:
   copy-iface: <discard|same>
     discard = suricata discards packets immediately after processing
     same    = suricata passes them through to the parent interface

That should shave off some unnecessary cpu cycles per packet, right?



...or even simpler, continue using the two modes 'tap' and 'ips' but let copy-iface be configured in multiple ways:
   copy-iface: <interface|interface+|same|discard>

/Elof



On Thu, 7 Apr 2016, Victor Julien wrote:

> On 07-04-16 16:51, Oliver Humpage wrote:
>>
>>> When I speak of an IDS I mean a standalone sensor that is fed copies of the traffic via SPAN or a network tap.
>>
>> Ahh, I see what you mean! If it’s possible to omit copy-iface, you’ll have to be very explicit in the documentation to say this is for separate, non-inline sensors, so users don’t get confused.
>
> I'd suggest the other way around. Passive IDS is by far the most 
> common way of deployment for Suricata.
>
>
>> However, although I have a limited knowledge of C, line 203 onwards in https://github.com/inliniac/suricata/blob/master/src/runmode-netmap.c would suggest that it requires a copy-iface directive. I think the code was written with inline sensors in mind.
>
> I'm running netmap in passive IDS mode w/o that option on Linux. I 
> don't think it will be different on FreeBSD.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
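As an added illustration of the configuration semantics argued over in this thread (this is example code written for this page, not Suricata's own code), the following hypothetical lint checks the list of stanzas under `netmap:` in suricata.yaml: a stanza with no `copy-mode` is a passive IDS sensor and needs no `copy-iface`, while `copy-mode: tap` or `ips` needs a `copy-iface` naming a peer interface that points back. The values `same` and `discard` are Elof's proposal from above and are flagged as unsupported; the stanzas, interface names and the reciprocal-peer rule are constructed assumptions for the example.

```python
"""Hypothetical consistency check for the netmap section of suricata.yaml.

Added example for this thread; it is not Suricata's own code. It models the
semantics discussed above: a stanza with no 'copy-mode' is a passive IDS
sensor and needs no 'copy-iface', while 'copy-mode: tap' or 'ips' needs a
'copy-iface' naming the peer interface, and the peer should point back.
The values 'same' and 'discard' are Elof's proposal and are flagged as
unsupported here.
"""
from typing import Dict, List

COPY_MODES = {"tap", "ips"}            # Suricata's existing copy-modes
PROPOSED_ONLY = {"same", "discard"}    # proposal from the thread, not a supported value


def lint_netmap(stanzas: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems found; an empty list means consistent."""
    problems: List[str] = []
    by_name = {s.get("interface"): s for s in stanzas if s.get("interface")}

    for s in stanzas:
        iface = s.get("interface")
        if not iface:
            problems.append("stanza without 'interface'")
            continue
        mode = s.get("copy-mode")
        peer = s.get("copy-iface")

        if mode is None:
            # Passive IDS on a SPAN/tap feed: nothing is forwarded, so a
            # copy-iface here is a sign of a half-edited inline config.
            if peer is not None:
                problems.append(f"{iface}: copy-iface set without copy-mode")
            continue

        if mode not in COPY_MODES:
            problems.append(f"{iface}: unknown copy-mode {mode!r}")
            continue
        if peer is None:
            problems.append(f"{iface}: copy-mode {mode!r} requires copy-iface")
            continue
        if peer in PROPOSED_ONLY:
            problems.append(f"{iface}: copy-iface {peer!r} is a proposal, not a supported value")
            continue
        if peer == iface:
            problems.append(f"{iface}: copy-iface points at itself")
            continue
        # Assumed rule for this lint: an inline pair is declared as two
        # stanzas that name each other with the same copy-mode.
        back = by_name.get(peer)
        if back is None:
            problems.append(f"{iface}: copy-iface {peer!r} has no stanza of its own")
        elif back.get("copy-iface") != iface or back.get("copy-mode") != mode:
            problems.append(f"{iface}: peer {peer!r} does not mirror it (copy-iface/copy-mode differ)")
    return problems


# Constructed sample stanzas (the dict form of the YAML list under 'netmap:').
PASSIVE_IDS = [{"interface": "em0"}]
INLINE_IPS = [
    {"interface": "em0", "copy-mode": "ips", "copy-iface": "em1"},
    {"interface": "em1", "copy-mode": "ips", "copy-iface": "em0"},
]
HALF_EDITED = [{"interface": "em0", "copy-mode": "ips"}]

if __name__ == "__main__":
    for name, cfg in (("passive", PASSIVE_IDS), ("ips", INLINE_IPS), ("broken", HALF_EDITED)):
        print(name, lint_netmap(cfg) or "ok")
```

Run it as a script to see the three constructed cases; the passive stanza passes with no `copy-iface` at all, which is the deployment Victor describes, and the inline pair passes only when both stanzas name each other.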
