<div dir="ltr">Thanks Peter,<div>in your example there are just two NICs, but in my scenario there are three more NICs in my Suricata server.</div><div>How do I copy one interface to another interface? </div><div>eth0-eth1</div><div>eth0-eth2</div><div>eth1-eth0</div><div>eth1-eth2 <br></div><div>eth2-eth0  </div><div>

eth2-eth1    like this?<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote on Mon, Nov 11, 2019 at 4:53 PM:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu, Oct 24, 2019 at 3:06 PM Dihin LIN <<a href="mailto:linzx11@gmail.com" target="_blank">linzx11@gmail.com</a>> wrote:<br>
><br>
> I want to deploy Suricata as an IPS in my VPC.<br>
> There are multiple network interfaces in my CVM. This CVM acts as a router between several VPCs,<br>
> so this CVM will forward other VPCs' traffic.<br>
> For example, I have three NICs: eth0, eth1 and eth2.<br>
> How to configure the af_packet ips?<br>
><br>
<br>
Make sure you use AFPv2, and you could try it as described here<br>
-<a href="https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html#af-packet-ips-mode" rel="noreferrer" target="_blank">https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html#af-packet-ips-mode</a><br>
(here is an example below as well):<br>
<br>
af-packet:<br>
 - interface: enp1s0f0<br>
   threads: 4 # or a number that is below half the number of cores available<br>
   defrag: no<br>
   cluster-type: cluster_flow<br>
   cluster-id: 98<br>
   copy-mode: ips<br>
   copy-iface: enp1s0f1<br>
   tpacket-v3: no<br>
   ring-size: 2048<br>
   use-mmap: yes<br>
<br>
 - interface: enp1s0f1<br>
   threads: 4 # or a number that is below half the number of cores available<br>
   cluster-id: 97<br>
   defrag: no<br>
   cluster-type: cluster_flow<br>
   copy-mode: ips<br>
   copy-iface: enp1s0f0<br>
   tpacket-v3: no<br>
   ring-size: 2048<br>
   use-mmap: yes<br>
<br>
<br>
<br>
<br>
><br>
>  af-packet:<br>
> - interface: eth0<br>
> threads: auto<br>
> defrag: yes<br>
> cluster-type: cluster_flow<br>
> cluster-id: 99<br>
> copy-mode: ips<br>
> copy-iface: eth1<br>
> buffer-size: 64535<br>
> use-mmap: yes<br>
><br>
> - interface: eth0<br>
> threads: auto<br>
> defrag: yes<br>
> cluster-type: cluster_flow<br>
> cluster-id: 98<br>
> copy-mode: ips<br>
> copy-iface: eth2<br>
> buffer-size: 64535<br>
> use-mmap: yes<br>
><br>
> - interface: eth1<br>
> threads: auto<br>
> cluster-id: 97<br>
> defrag: yes<br>
> cluster-type: cluster_flow<br>
> copy-mode: ips<br>
> copy-iface: eth0<br>
> buffer-size: 64535<br>
> use-mmap: yes<br>
><br>
> - interface: eth1<br>
> threads: auto<br>
> cluster-id: 96<br>
> defrag: yes<br>
> cluster-type: cluster_flow<br>
> copy-mode: ips<br>
> copy-iface: eth2<br>
> buffer-size: 64535<br>
> use-mmap: yes<br>
><br>
> - interface: eth2<br>
> threads: auto<br>
> cluster-id: 95<br>
> defrag: yes<br>
> cluster-type: cluster_flow<br>
> copy-mode: ips<br>
> copy-iface: eth0<br>
> buffer-size: 64535<br>
> use-mmap: yes<br>
><br>
> - interface: eth2<br>
> threads: auto<br>
> cluster-id: 94<br>
> defrag: yes<br>
> cluster-type: cluster_flow<br>
> copy-mode: ips<br>
> copy-iface: eth1<br>
> buffer-size: 64535<br>
> use-mmap: yes<br>
<br>
<br>
<br>
-- <br>
Regards,<br>
Peter Manev<br>
</blockquote></div>
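Added example, not part of the thread and not Suricata code: a small Python lint run over both configurations quoted above. It assumes the pairwise bridge model of the linked AF_PACKET IPS documentation (each interface listed once, its peer's copy-iface pointing back, equal threads on both peers, distinct cluster-id values); the function names and the reduced sample entries are constructed for illustration.

```python
from collections import Counter

def lint_afpacket_ips(entries):
    """Return findings for a list of af-packet entries (dicts keyed like suricata.yaml)."""
    findings = []
    # Assumed rule: each capture interface is listed once, with a single copy-iface.
    for name, n in Counter(e["interface"] for e in entries).items():
        if n > 1:
            findings.append(f"{name}: listed {n} times")
    # Assumed rule: cluster-id values are distinct across entries.
    for cid, n in Counter(e["cluster-id"] for e in entries).items():
        if n > 1:
            findings.append(f"cluster-id {cid}: used by {n} entries")
    # For the peer checks, keep only the first entry seen for each interface.
    first = {}
    for e in entries:
        first.setdefault(e["interface"], e)
    for name, e in first.items():
        if e.get("copy-mode") != "ips":
            continue
        peer = first.get(e.get("copy-iface"))
        if peer is None:
            findings.append(f"{name}: copy-iface {e.get('copy-iface')} has no entry")
        elif peer.get("copy-iface") != name:
            findings.append(f"{name}: peer {peer['interface']} does not copy back")
        elif peer.get("threads") != e.get("threads"):
            findings.append(f"{name}: threads differ from peer {peer['interface']}")
    return findings

def entry(iface, peer, cid, threads):
    """Build one reduced af-packet entry holding only the keys the lint checks."""
    return {"interface": iface, "copy-mode": "ips", "copy-iface": peer,
            "cluster-id": cid, "threads": threads}

# Constructed from the two configurations quoted in the thread, reduced to the checked keys.
TWO_NIC = [entry("enp1s0f0", "enp1s0f1", 98, 4), entry("enp1s0f1", "enp1s0f0", 97, 4)]
THREE_NIC = [entry("eth0", "eth1", 99, "auto"), entry("eth0", "eth2", 98, "auto"),
             entry("eth1", "eth0", 97, "auto"), entry("eth1", "eth2", 96, "auto"),
             entry("eth2", "eth0", 95, "auto"), entry("eth2", "eth1", 94, "auto")]

if __name__ == "__main__":
    for label, cfg in (("two-NIC", TWO_NIC), ("three-NIC", THREE_NIC)):
        print(label, lint_afpacket_ips(cfg) or "no findings")
```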