Are there any configuration requirements to properly test with pcap traffic?

Started by marcus, August 26, 2025, 08:27:30 PM

I'm referring to running pcap traffic through the device from a traffic server, and with the firewall *disabled* in order to focus on the IDS/IPS. Not capturing or replaying traffic from within it.

For instance:

  • Promiscuous mode on any of the interfaces or the IDS?
  • Any special NIC settings
  • Any other tuning requirements

Thanks -

Quote from: marcus on August 26, 2025, 08:27:30 PM
I'm referring to running pcap traffic through the device from a traffic server, and with the firewall *disabled* in order to focus on the IDS/IPS. Not capturing or replaying traffic from within it.

For instance:

  • Promiscuous mode on any of the interfaces or the IDS?
  • Any special NIC settings
  • Any other tuning requirements

Thanks -
When running pcap traffic through the device with the firewall disabled, it's crucial to ensure that your IDS/IPS is set up for optimal performance. Enabling promiscuous mode on the interfaces is definitely recommended, as it allows the IDS to see all traffic passing through. Additionally, check your NIC settings to ensure they're optimized for high throughput and low latency, such as disabling offloading features. Lastly, consider tuning the IDS/IPS parameters based on the expected traffic load to avoid any performance bottlenecks.
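A pre-flight check for the pcap you plan to replay, added here as an example and not code from this thread or from Suricata: it parses the capture in pure Python and reports how many frames the sensor NIC would discard without promiscuous mode (unicast to a MAC that is not the sensor's) and how many IPv4 headers fail checksum verification, which is what a capture taken with checksum offload enabled typically looks like. The sensor MAC and the sample frames are constructed assumptions.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps (pcapng not handled)
def ipv4_checksum(hdr: bytes) -> int:
    # RFC 1071 one's-complement sum; a header still carrying a correct checksum folds to 0
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF
def iter_pcap(data: bytes):
    # yield raw link-layer frames from an in-memory libpcap file, either byte order
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len
def preflight(data: bytes, sensor_mac: bytes) -> dict:
    # needs_promisc: unicast frames to a MAC other than the sensor NIC (dropped unless promiscuous)
    # bad_ip_csum: IPv4 headers that fail verification, the usual sign of checksum offload left on
    stats = {"frames": 0, "needs_promisc": 0, "bad_ip_csum": 0}
    for frame in iter_pcap(data):
        stats["frames"] += 1
        dst = frame[:6]
        if dst != sensor_mac and not (dst[0] & 1):  # bit 0 of first octet set = group address
            stats["needs_promisc"] += 1
        if frame[12:14] == b"\x08\x00":  # EtherType IPv4
            ihl = (frame[14] & 0x0F) * 4
            ip_hdr = frame[14:14 + ihl]
            if len(ip_hdr) == ihl and ipv4_checksum(ip_hdr) != 0:
                stats["bad_ip_csum"] += 1
    return stats
# constructed sample capture (not a real trace): one frame to the sensor, one to a foreign MAC,
# one to the sensor with its IPv4 checksum zeroed, as a capture taken with offload on can leave it
def build_frame(dst: bytes, src: bytes, corrupt_csum: bool = False) -> bytes:
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 6, 0,
                               bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", ip, 10, 0 if corrupt_csum else ipv4_checksum(bytes(ip)))
    return dst + src + b"\x08\x00" + bytes(ip)
def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
SENSOR_MAC = bytes.fromhex("001122334455")  # assumed MAC of the IDS-facing NIC
OTHER_MAC = bytes.fromhex("66778899aabb")
SAMPLE_PCAP = build_pcap([build_frame(SENSOR_MAC, OTHER_MAC), build_frame(OTHER_MAC, SENSOR_MAC),
                          build_frame(SENSOR_MAC, OTHER_MAC, corrupt_csum=True)])
```

Point `preflight` at a real file with `preflight(open("trace.pcap", "rb").read(), SENSOR_MAC)`; a non-zero `needs_promisc` means the interface must be promiscuous (or the MACs rewritten) before the IDS will see those flows.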

Just run tcpdump on the WAN and store your packet captures.
SSH into the router and run tcpdump.
It's in front of everything, and Suricata is in front of the firewall.
If that's what you're looking for.
No need to disable the firewall.
Also, I haven't done it, but I think you can set up a queue at the beginning of the firewall and send it elsewhere to run scripts.
I'll have to work on that to decrypt traffic and check for embedded harmful software.
IDS/IPS is Suricata; not sure what you want to do with it, but it's all logged if you tell it to.