<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div style="color: #000080; font-family: arial,helvetica,sans-serif; font-size: 12pt;">
Why not use Suri with iptables instead? I have successfully achieved IPS with a single interface on an EC2 AWS server using iptables. It even allows you to discard all else but what is allowed. Then push what is allowed to Suri.
</div>
<div style="color: #000080; font-family: arial,helvetica,sans-serif; font-size: 12pt;">
<br>
</div>
<div style="color: #000080; font-family: arial,helvetica,sans-serif; font-size: 12pt;">
Especially in this case you will be able to manage it much better.
</div>
<div style="color: #000080; font-family: arial,helvetica,sans-serif; font-size: 12pt;">
<br>
</div>
<div style="color: #000080; font-family: arial,helvetica,sans-serif; font-size: 12pt;">
Amar
</div>
<blockquote type="cite">
<div>
On November 20, 2019 at 9:48 AM Peter Manev <
<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
On Thu, Nov 14, 2019 at 9:34 AM Dihin LIN <
<a href="mailto:linzx11@gmail.com">linzx11@gmail.com</a>> wrote:
</div>
<div>
>
</div>
<blockquote type="cite">
<div>
Thanks peter,
</div>
<div>
In your example there are just two NICs, but in my scenario there are three more NICs in my Suricata server.
</div>
<div>
How do I copy one interface to another interface?
</div>
<div>
eth0-eth1
</div>
<div>
eth0-eth2
</div>
<div>
eth1-eth0
</div>
<div>
eth1-eth2
</div>
<div>
eth2-eth0
</div>
<div>
eth2-eth1, like this?
</div>
<div>
<br>
</div>
</blockquote>
<div>
<br>
</div>
<div>
Sorry for the late reply.
</div>
<div>
I actually have not tried something similar in AWS/cloud - not sure if
</div>
<div>
it will work.
</div>
<div>
So basically eth0 can send/route packets on both eth1 and eth2 and
</div>
<div>
vice versa, right?
</div>
<div>
Maybe you can configure just one interface and let the routing do its
</div>
<div>
job afterwards?
</div>
<div>
<br>
</div>
<blockquote type="cite">
<div>
Peter Manev <
<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote on Monday, November 11, 2019 at 4:53 PM:
</div>
<div>
>
</div>
<blockquote type="cite">
<div>
On Thu, Oct 24, 2019 at 3:06 PM Dihin LIN <
<a href="mailto:linzx11@gmail.com">linzx11@gmail.com</a>> wrote:
</div>
<div>
>
</div>
<blockquote type="cite">
<div>
I want to deploy Suricata as an IPS in my VPC.
</div>
<div>
There are multiple network interfaces in my CVM. This CVM acts as a router between several VPCs,
</div>
<div>
so this CVM will forward the other VPCs' traffic.
</div>
<div>
For example, I have three NICs: eth0, eth1, eth2.
</div>
<div>
How do I configure af_packet IPS?
</div>
<div>
<br>
</div>
</blockquote>
<div>
<br>
</div>
<div>
Make sure you use AFPv2, and you could try it as described here
</div>
<div>
-
<a href="https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html#af-packet-ips-mode" target="_blank" rel="noopener">https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html#af-packet-ips-mode</a>
</div>
<div>
(here is an example below as well):
</div>
<div>
<br>
</div>
<pre>
af-packet:
  - interface: enp1s0f0
    threads: 4 # or a number that is below half the number of cores available
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: enp1s0f1
    tpacket-v3: no
    ring-size: 2048
    use-mmap: yes

  - interface: enp1s0f1
    threads: 4 # or a number that is below half the number of cores available
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: enp1s0f0
    tpacket-v3: no
    ring-size: 2048
    use-mmap: yes
</pre>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
>
</div>
<blockquote type="cite">
<pre>
af-packet:
  - interface: eth0
    threads: auto
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 99
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes

  - interface: eth0
    threads: auto
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth2
    buffer-size: 64535
    use-mmap: yes

  - interface: eth1
    threads: auto
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes

  - interface: eth1
    threads: auto
    cluster-id: 96
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth2
    buffer-size: 64535
    use-mmap: yes

  - interface: eth2
    threads: auto
    cluster-id: 95
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes

  - interface: eth2
    threads: auto
    cluster-id: 94
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
</pre>
<div>
_______________________________________________
</div>
<div>
Suricata IDS Users mailing list:
<a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
</div>
<div>
Site:
<a href="http://suricata-ids.org" target="_blank" rel="noopener">http://suricata-ids.org</a> | Support:
<a href="http://suricata-ids.org/support/" target="_blank" rel="noopener">http://suricata-ids.org/support/</a>
</div>
<div>
List:
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank" rel="noopener">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
</div>
<div>
<br>
</div>
<div>
Conference:
<a href="https://suricon.net" target="_blank" rel="noopener">https://suricon.net</a>
</div>
<div>
Trainings:
<a href="https://suricata-ids.org/training/" target="_blank" rel="noopener">https://suricata-ids.org/training/</a>
</div>
</blockquote>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
--
</div>
<div>
Regards,
</div>
<div>
Peter Manev
</div>
</blockquote>
</blockquote>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
--
</div>
<div>
Regards,
</div>
<div>
Peter Manev
</div>
</blockquote>
<div>
<br>
</div>
<div class="io-ox-signature">
<div class="default-style" style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: #000080;">
<div>
Kind regards
<br>
<br>
</div>
<div>
Amar Rathore
<br>
</div>
<div>
Tel: +1 617 765 0633 -
<span style="color: #ff0000;">PLEASE NOTE CHANGED TELEPHONE NUMBER</span>
<br>Mobile: +91 8800 596506
</div>
<div>
<br>
</div>
</div>
</div>
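<div>
As an added check on the peering discussed in the thread above, and not code from the thread or from the Suricata project: the script below applies the af-packet IPS pairing rules that Peter's two-NIC example satisfies and the six-entry three-NIC attempt does not (each interface listed once, a unique cluster-id per entry, copy-iface pointing at an interface that copies back, and equal thread counts on a pair). The equal-threads rule is my reading of Suricata's af-packet peer validation, and the two configs are constructed here, reduced to the keys those rules look at.
</div>

```python
def check_ips_peering(entries):
    """Check an af-packet list (as yaml.safe_load would return it) for IPS
    peering mistakes; an empty result means every pair lines up."""
    problems, by_iface = [], {}
    for e in entries:
        name = e.get("interface")
        if name in by_iface:                 # an interface may appear only once
            problems.append(f"{name}: defined more than once")
        by_iface.setdefault(name, e)         # keep the first definition
    ids = [e.get("cluster-id") for e in entries]
    problems += [f"cluster-id {c} reused" for c in {c for c in ids if ids.count(c) > 1}]
    for name, e in by_iface.items():
        if e.get("copy-mode") != "ips":
            continue
        peer = by_iface.get(e.get("copy-iface"))
        if peer is None:
            problems.append(f"{name}: copy-iface {e.get('copy-iface')} is not defined")
        elif peer.get("copy-iface") != name:  # the peer must copy back to this interface
            problems.append(f"{name} copies to {peer['interface']}, "
                            f"which copies to {peer.get('copy-iface')} instead")
        elif peer.get("threads") != e.get("threads"):  # peers must run equal thread counts
            problems.append(f"{name}/{peer['interface']}: thread counts differ")
    return problems


def af_packet_entries(spec, threads="auto"):
    """Build entries from (interface, cluster-id, copy-iface) triples (constructed helper)."""
    return [{"interface": i, "threads": threads, "cluster-id": c,
             "copy-mode": "ips", "copy-iface": p} for i, c, p in spec]


# Constructed from the thread: the two-NIC example and the six-entry three-NIC attempt,
# reduced to the keys the checks look at.
TWO_NIC = af_packet_entries([("enp1s0f0", 98, "enp1s0f1"),
                             ("enp1s0f1", 97, "enp1s0f0")], threads=4)
THREE_NIC = af_packet_entries([("eth0", 99, "eth1"), ("eth0", 98, "eth2"),
                               ("eth1", 97, "eth0"), ("eth1", 96, "eth2"),
                               ("eth2", 95, "eth0"), ("eth2", 94, "eth1")])

if __name__ == "__main__":
    print("two-NIC example:", check_ips_peering(TWO_NIC) or "no problems")
    print("three-NIC attempt:", *check_ips_peering(THREE_NIC), sep="\n  ")
```

<div>
With PyYAML installed, yaml.safe_load(open("suricata.yaml"))["af-packet"] yields the same list shape, so a real config can be fed to check_ips_peering directly.
</div>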
</body>
</html>