[Oisf-users] fail2ban integration
Marios Spinthiras
m at spinthiras.com
Mon May 6 10:07:38 UTC 2019
The solution strictly calls to be run in AF_PACKET IDS mode. That's
actually a deployment restriction and wouldn't make sense on an endpoint
system anyway.
On a different setup, your proposal would have worked well for me. If I
had to run it in an in-line setup, I'd go for NFQUEUE over AF_PACKET
in-line.
--
Regards,
Marios Spinthiras
On 5/6/2019 5:41 AM, David Wharton wrote:
>
> On 5/4/19 7:15 AM, Marios Spinthiras wrote:
>> I've had a number of deployments recently which restricted the use of
>> NFQUEUE for IPS. I did however want IPS capabilities but didn't want
>> to change from AF_PACKET.
>
> Why not run AF_PACKET inline? It has been an option for more than six
> years; see
> https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/. I
> haven't messed around with it much but I did set it up not too long
> ago and it seemed to work fine.
>
> -David
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/