[Oisf-users] Suricata inspects all packets?

Andreas Herz andi at geekosphere.org
Wed May 11 11:10:44 UTC 2016


On 10/05/16 at 16:57, Vishal Kotalwar V wrote:
> Hi, 
> I am new to IPS/IDS and netfilter framework. I have a query on packet handling by suricata & netfilter. 
> 
> In IPS mode, we add iptables rule to pass packets to NFQ on which suricata is listening. Suricata processes those packets and issues verdict for that flow. 
> Does netfilter send packets from same flow to suricata even after verdict is given? I would assume that conntrack would kick in here to bypass the queuing for optimization ... 
> is that right? But conntrack is not mandatory for suricata/netfilter functioning. 

Unless you filter some packets by state using the ctstate match, you
should see all packets. That depends on your ruleset for netfilter, but
as long as every packet from FORWARD (or INPUT/OUTPUT) arrives in
NFQUEUE it should be fine.


-- 
Andreas Herz
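The two rulesets the reply distinguishes, as an added example that is not part of the thread (queue number, chain and the sample `iptables -S` output are constructed placeholders; `DRY_RUN=1` prints the commands instead of running them, so nothing here needs root). The audit function reads a saved FORWARD chain and reports whether a conntrack-state ACCEPT sits in front of the NFQUEUE rule, which is exactly the case where Suricata stops seeing the rest of each flow:

```shell
#!/bin/sh
# Added example, not from the oisf-users thread. Assumptions: Suricata reads
# NFQUEUE number $QUEUE_NUM (default 0) and traffic crosses the FORWARD chain.
DRY_RUN="${DRY_RUN:-1}"
QUEUE_NUM="${QUEUE_NUM:-0}"

# Print the iptables command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Layout A: every forwarded packet is queued, so Suricata sees whole flows
# and can apply its own verdict to each packet. (Add --queue-bypass to the
# NFQUEUE rule only if you deliberately want fail-open when Suricata is down.)
rules_all_packets() {
    run -A FORWARD -j NFQUEUE --queue-num "$QUEUE_NUM"
}

# Layout B: the ctstate ACCEPT ahead of NFQUEUE lets conntrack short-circuit
# established flows, so Suricata sees only the first packet of each flow.
rules_state_bypass() {
    run -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run -A FORWARD -j NFQUEUE --queue-num "$QUEUE_NUM"
}

# Audit a chain dump (`iptables -S FORWARD` on stdin) and print one word:
#   all-packets  - NFQUEUE rule present, no state-based ACCEPT before it
#   partial-flow - a --ctstate/--state ACCEPT precedes the NFQUEUE rule
#   no-queue     - no NFQUEUE rule in the chain at all
audit_forward_chain() {
    awk '
        /-j NFQUEUE/                          { queue_seen = 1; exit }
        /(--ctstate|--state)/ && /-j ACCEPT/  { state_accept = 1 }
        END {
            if (!queue_seen)        print "no-queue"
            else if (state_accept)  print "partial-flow"
            else                    print "all-packets"
        }
    '
}

# Constructed sample chain dumps in `iptables -S` format (not real output).
SAMPLE_ALL='-P FORWARD ACCEPT
-A FORWARD -j NFQUEUE --queue-num 0'
SAMPLE_PARTIAL='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j NFQUEUE --queue-num 0'
SAMPLE_NONE='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Stand-alone demonstration: audit the constructed samples.
printf '%s\n' "$SAMPLE_ALL"     | audit_forward_chain
printf '%s\n' "$SAMPLE_PARTIAL" | audit_forward_chain
printf '%s\n' "$SAMPLE_NONE"    | audit_forward_chain
```

On a live box, `iptables -S FORWARD | audit_forward_chain` gives the same verdict for the real chain; `partial-flow` means Suricata is only inspecting the first packet of each connection, which is fine if that was the intent and a silent coverage gap if it was not.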
