af-packet: force suricata in IPS mode when needed #1131
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AF_PACKET is not setting the engine mode to IPS when some interfaces are peered and use IPS mode. This is due to the fact, it is possible to peer 2 interfaces and run an IPS on them and have a third one that is running in normal IDS mode. In fact this choice is the bad one as unwanted side effect is that there is no drop log and that stream inline is not used. To fix that, this patch puts suricata in IPS mode as soon as there is two interfaces in IPS mode. And it displays a error message to warn user that the accuracy of detection on IDS only interfaces will be low.
|
Merged after rebase and with minor changes. |
ndenev
pushed a commit
to ndenev/suricata
that referenced
this pull request
Feb 5, 2015
When UA or Host are unknown, print <unknown> instead of <useragent unknown> or <hostname unknown>. Bug OISF#1131.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
AF_PACKET is not setting the engine mode to IPS when some
interfaces are peered and use IPS mode. This is due to the
fact, it is possible to peer 2 interfaces and run an IPS on
them and have a third one that is running in normal IDS mode.
In fact this choice is the bad one as unwanted side effect is
that there is no drop log and that stream inline is not used.
To fix that, this patch puts suricata in IPS mode as soon as
there is two interfaces in IPS mode. And it displays a error
message to warn user that the accuracy of detection on IDS only
interfaces will be low.
Cherry-pick of commit of #1130