[Oisf-users] Not running inline
David Woodfall
dave at dawoodfall.net
Tue Oct 3 14:22:23 UTC 2017
OK. Thanks Amar.
>Hello David
>
>The quick answer is 'No', its not running in parallel with iptables. In online(IDS) mode they can be used together but to do their own tasks; Suricata to sniff all of the data from a SPAN/Mirror port etc and iptables to deal with any firewalling needs you may have. But, iptables will merely be controlling access to the system its running on as opposed to through it. You would physical deploy the system Online...like a port sniffer. You do not need iptables.
>
>On the other hand when using Suricata in inline mode with iptables or more precisely NFQUEUE https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/ you tell iptables to send the traffic to a nfQUEUE that Suricata is listening to and Suricata then makes the decision based on your IPS rule set to deal with a packet appropriately. Effectively, the traffic flows from one end--iptables--suricata--the other end. You would physically deploy the system Inline like a firewall.
>
>Actually when Inline you could regard the usage of iptables and iptables/Suricata as parallel. Because you could get iptables to pass or block certain traffic and use iptables/Suricata to inspect the remainder.
>
>Hope that helps.
>
>Amar
>
>On October 2, 2017 at 8:32 PM David Woodfall wrote:
>
>
>I have been reading up about running Suricata inline with iptables. My
>question is, what does the topology look like if it isn't running
>inline? Is it running in parallel with iptables, or is it more
>complex?
>
>-Dave
More information about the Oisf-users
mailing list