[Oisf-users] fail2ban integration

Marios Spinthiras m at spinthiras.com
Mon May 6 10:07:38 UTC 2019

The solution strictly calls to be run in AF_PACKET IDS mode. That's 
actually a deployment restriction and wouldn't make sense on an endpoint 
system anyway.

On a different setup, your proposal would have worked well for me. If I 
had to run it in an in-line setup, I'd go for NFQUEUE over AF_PACKET 

Marios Spinthiras

On 5/6/2019 5:41 AM, David Wharton wrote:
> On 5/4/19 7:15 AM, Marios Spinthiras wrote:
>> I've had a number of deployments recently which restricted the use of 
>> NFQUEUE for IPS. I did however want IPS capabilities but didn't want 
>> to change from AF_PACKET. 
> Why not run AF_PACKET inline?  It has been an option for more than six 
> years; see 
> https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/. I 
> haven't messed around with it much but I did set it up not too long 
> ago and it seemed to work fine.
> -David
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

More information about the Oisf-users mailing list