[Oisf-users] Suricata IPS AF_packet mode
Eric Leblond
eric at regit.org
Sat Mar 9 17:02:27 UTC 2019
Hello,
On Sat, 2019-03-09 at 11:30 -0500, Albert E. Whale, CEH CHS CISA CISSP
wrote:
> Just trying to get Clarity on this issue.
> https://docs.mirantis.com/mcp/q4-18/mcp-security-best-practices/use-cases/idps-vnf/ips-mode/afpacket.html
> This is in the read use case document:
> To enable IPS mode using the ``AF_PACKET`` Linux bridge:
>
> Does this mean that I can use the br0 interface?
No.
>
> Or do I need to specify an instance for each of the interfaces in the
> bridge as Interface: and copy-iface: configuration items?
>
> brctl show
> bridge name     bridge id           STP enabled   interfaces
> br0             8000.6805ca842147   no            enp1s0
>                                                   enp4s0
enp1s0 and enp3s0 are the interfaces to peer.
> I'm not sure if I can use the bridge to intercept bidirectional
> traffic, or if I need a single listener for each inbound and outbound
> traffic.
Bridge will relay in kernel without giving Suricata an option to drop
the packets...
>
> Thank you.
> --
>
> Albert E. Whale Email: Albert.Whale at IT-Security-inc.com
> Cell: 412-889-6870
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
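The peering Eric describes, written out as an added example `af-packet` section for suricata.yaml; this is not configuration from the thread or from the Mirantis document, and it assumes the two NICs from the brctl output (enp1s0 and enp4s0), that both have been taken out of br0 so the kernel no longer forwards between them, and arbitrary cluster ids.

```yaml
# Added example: AF_PACKET IPS mode with Suricata itself copying packets
# between two physical interfaces. Do NOT list br0 here: a kernel bridge
# forwards frames before Suricata can drop them, so the bridge must be
# torn down (or the NICs removed from it) before this takes effect.
af-packet:
  - interface: enp1s0            # assumption: first NIC from brctl output
    threads: 1                   # must match the peer interface's thread count
    cluster-id: 98               # assumption: any unused id
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    buffer-size: 64535
    copy-mode: ips               # forward only packets that are not dropped
    copy-iface: enp4s0           # peer: traffic accepted here leaves on enp4s0
  - interface: enp4s0            # assumption: second NIC from brctl output
    threads: 1
    cluster-id: 97               # assumption: distinct from the peer's id
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    buffer-size: 64535
    copy-mode: ips
    copy-iface: enp1s0           # reverse direction, so both flows are inline
```

Each interface is declared once with the other as its `copy-iface`, which is what gives Suricata bidirectional visibility and the ability to drop; run it with `--af-packet` in the workers runmode and make sure the rules you expect to block use the `drop` action.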