[Oisf-users] Can I run IPS inline with the AF_Packet mode?
Albert.Whale at IT-Security-inc.com
Sun Mar 11 17:18:31 UTC 2018
I am having serious doubts of NFQUEUE supporting the IPS design I have
been following. While I can get Suricata running and scanning
information, the only information that I can see in the fast.log is for
packets which are destined to this host (i.e. the LOCALHOST, or the IP
ADDRESS).
I had AF_PACKET mode scanning and detecting Multiple issues a minute. I
was thinking that this is ONLY IDS Mode. True or not?
I read the following in the Suricata.YAML which seems to indicate that
Suricata can be running af-packet and IPS inline?
# You can use the following variables to activate AF_PACKET tap or IPS mode.
# If copy-mode is set to ips or tap, the traffic coming to the current
# interface will be copied to the copy-iface interface. If 'tap' is set, the
# copy is complete. If 'ips' is set, the packet matching a 'drop' action
# will not be copied.
copy-mode: ips
Suggestions?
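For reference, here is what an AF_PACKET inline (IPS) configuration looks like when both sides of the bridge are declared. This is an added example written for this thread, not the original poster's configuration and not a file from the Suricata project; the interface names eth0/eth1 and the cluster ids are assumptions and must be replaced with the real pair of interfaces that the protected traffic is physically cabled through. The essential point is that copy-mode: ips only does anything in combination with copy-iface, and that each interface must name the other as its copy target:

```yaml
# Added example: two-interface AF_PACKET inline pairing.
# eth0/eth1 and the cluster ids are placeholders (assumptions).
af-packet:
  - interface: eth0
    threads: 1                # must match the thread count on eth1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v3: no            # v3 rings are not usable in copy (IPS) mode
    copy-mode: ips            # packets matching a 'drop' rule are not copied
    copy-iface: eth1          # everything else from eth0 is re-injected on eth1
  - interface: eth1
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: eth0          # and traffic from eth1 goes back out eth0
```

Start Suricata with -c pointing at this file and --af-packet, and keep in mind that only rules whose action is drop (not alert) actually block anything; with a single interface and no copy-iface, the af-packet capture stays in IDS mode regardless of the copy-mode value. A quick sanity check is to watch the drop counters in stats.log while a test drop rule fires.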