[Oisf-users] Not running inline

Amar Rathore - CounterSnipe Systems amar at countersnipe.com
Tue Oct 3 11:06:08 UTC 2017

Hello David

The quick answer is 'No', it's not running in parallel with iptables. In online (IDS) mode they can be used together, but to do their own tasks: Suricata to sniff all of the data from a SPAN/mirror port etc. and iptables to deal with any firewalling needs you may have. But iptables will merely be controlling access to the system it's running on, as opposed to through it. You would physically deploy the system online, like a port sniffer. You do not need iptables.

On the other hand, when using Suricata in inline mode with iptables, or more precisely NFQUEUE (https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/), you tell iptables to send the traffic to an NFQUEUE that Suricata is listening to, and Suricata then makes the decision, based on your IPS rule set, to deal with a packet appropriately. Effectively, the traffic flows from one end -- iptables -- Suricata -- the other end. You would physically deploy the system inline, like a firewall.

Actually, when inline you could regard the usage of iptables and iptables/Suricata as parallel, because you could get iptables to pass or block certain traffic and use iptables/Suricata to inspect the remainder.

Hope that helps.


On October 2, 2017 at 8:32 PM David Woodfall wrote:

I have been reading up about running Suricata inline with iptables. My
question is, what does the topology look like if it isn't running
inline? Is it running in parallel with iptables, or is it more


Kind regards

Amar Rathore

CounterSnipe Systems LLC
Tel: +1 617 701 7213
Mobile: +44 (0) 7876 233333
Skype ID: amarrathore
Web: www.countersnipe.com <http://www.countersnipe.com/>
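
The inline layout described in the reply above, as an added example that is not part of the original message or of the Suricata project: iptables decides some traffic itself and queues the remainder for Suricata. The FORWARD chain, queue number 0, the sample addresses and ports, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Addresses, ports and the queue
# number are constructed sample values; function names are hypothetical.

# Print the FORWARD-chain rules for an inline (IPS) gateway.
#   $1 = NFQUEUE number Suricata is bound to (started as: suricata -q <num>)
#   $2 = space-separated source CIDRs that iptables drops itself
#   $3 = comma-separated TCP ports that iptables accepts without inspection
inline_rules() {
    queue=$1; drop_srcs=$2; pass_ports=$3
    case $queue in
        ''|*[!0-9]*) echo "queue number must be numeric" >&2; return 1 ;;
    esac
    # iptables' own verdicts go first: NFQUEUE is a terminating target, so an
    # ACCEPT or DROP appended after it would never be reached.
    for src in $drop_srcs; do
        echo "iptables -A FORWARD -s $src -j DROP"
    done
    if [ -n "$pass_ports" ]; then
        # --ports matches source or destination port, covering both directions.
        echo "iptables -A FORWARD -p tcp -m multiport --ports $pass_ports -j ACCEPT"
    fi
    # Everything else is queued for Suricata's verdict. --queue-bypass lets
    # packets through when nothing is bound to the queue (fail-open); leave it
    # out to fail closed.
    echo "iptables -A FORWARD -j NFQUEUE --queue-num $queue --queue-bypass"
}

# Dry run by default (prints the rules); APPLY=1 as root executes them.
apply_inline_rules() {
    rules=$(inline_rules "$@") || return 1
    printf '%s\n' "$rules" | while read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then $rule; else echo "$rule"; fi
    done
}

apply_inline_rules 0 "203.0.113.0/24 198.51.100.7" "22,873"
```

In the IDS deployment on a SPAN/mirror port none of these rules apply: Suricata is started on the sniffing interface (`suricata -i <iface>`) and no traffic is queued to it.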
