<div dir="ltr">Yes, you are right, but af_packet's performance is better than nfqueue.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Amar Rathore - CounterSnipe Systems <<a href="mailto:amar@countersnipe.com">amar@countersnipe.com</a>> wrote on Wed, Nov 20, 2019 at 11:43 PM:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<div style="color:rgb(0,0,128);font-family:arial,helvetica,sans-serif;font-size:12pt">
Why not use Suri with iptables instead? I have successfully achieved IPS with a single interface on an EC2 AWS server using iptables. It even allows you to discard everything but what is allowed, then push what is allowed to Suri.
</div>
<div style="color:rgb(0,0,128);font-family:arial,helvetica,sans-serif;font-size:12pt">
<br>
</div>
<div style="color:rgb(0,0,128);font-family:arial,helvetica,sans-serif;font-size:12pt">
Especially in this case you will be able to manage it much better.
</div>
<div style="color:rgb(0,0,128);font-family:arial,helvetica,sans-serif;font-size:12pt">
<br>
</div>
<div style="color:rgb(0,0,128);font-family:arial,helvetica,sans-serif;font-size:12pt">
Amar
</div>
<blockquote type="cite">
<div>
On November 20, 2019 at 9:48 AM Peter Manev <
<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
On Thu, Nov 14, 2019 at 9:34 AM Dihin LIN <
<a href="mailto:linzx11@gmail.com" target="_blank">linzx11@gmail.com</a>> wrote:
</div>
<blockquote type="cite">
<div>
Thanks Peter,
</div>
<div>
In your example there are just two NICs, but in my scenario there are three NICs in my Suricata server.
</div>
<div>
How do I copy one interface to another interface?
</div>
<div>
eth0-eth1
</div>
<div>
eth0-eth2
</div>
<div>
eth1-eth0
</div>
<div>
eth1-eth2
</div>
<div>
eth2-eth0
</div>
<div>
eth2-eth1, like this?
</div>
<div>
<br>
</div>
</blockquote>
<div>
<br>
</div>
<div>
Sorry for the late reply.
</div>
<div>
I actually have not tried something similar in AWS/cloud - not sure if it will work.
</div>
<div>
So basically eth0 can send/route packets on both eth1 and eth2, and vice versa, right?
</div>
<div>
Maybe you can configure just one interface and let the routing do its job afterwards?
</div>
<div>
<br>
</div>
<blockquote type="cite">
<div>
Peter Manev <
<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote on Mon, Nov 11, 2019 at 4:53 PM:
</div>
<blockquote type="cite">
<div>
On Thu, Oct 24, 2019 at 3:06 PM Dihin LIN <
<a href="mailto:linzx11@gmail.com" target="_blank">linzx11@gmail.com</a>> wrote:
</div>
<blockquote type="cite">
<div>
I want to deploy Suricata as an IPS in my VPC.
</div>
<div>
There are multiple network interfaces in my CVM. This CVM acts as a router between several VPCs, so it will forward the other VPCs' traffic.
</div>
<div>
For example, I have three NICs: eth0, eth1, eth2.
</div>
<div>
How do I configure af_packet IPS?
</div>
<div>
<br>
</div>
</blockquote>
<div>
<br>
</div>
<div>
Make sure you use AFPv2, and you could try it as described here:
</div>
<div>
-
<a href="https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html#af-packet-ips-mode" rel="noopener" target="_blank">https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html#af-packet-ips-mode</a>
</div>
<div>
(here is an example below as well):
</div>
<div>
<br>
</div>
<pre>
af-packet:
  - interface: enp1s0f0
    threads: 4 # or a number that is below half the number of cores available
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: enp1s0f1
    tpacket-v3: no
    ring-size: 2048
    use-mmap: yes

  - interface: enp1s0f1
    threads: 4 # or a number that is below half the number of cores available
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: enp1s0f0
    tpacket-v3: no
    ring-size: 2048
    use-mmap: yes
</pre>
<div>
<br>
</div>
<blockquote type="cite">
<pre>
af-packet:
  - interface: eth0
    threads: auto
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 99
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes

  - interface: eth0
    threads: auto
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth2
    buffer-size: 64535
    use-mmap: yes

  - interface: eth1
    threads: auto
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes

  - interface: eth1
    threads: auto
    cluster-id: 96
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth2
    buffer-size: 64535
    use-mmap: yes

  - interface: eth2
    threads: auto
    cluster-id: 95
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes

  - interface: eth2
    threads: auto
    cluster-id: 94
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
</pre>
<div>
_______________________________________________
</div>
<div>
Suricata IDS Users mailing list:
<a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a>
</div>
<div>
Site:
<a href="http://suricata-ids.org" rel="noopener" target="_blank">http://suricata-ids.org</a> | Support:
<a href="http://suricata-ids.org/support/" rel="noopener" target="_blank">http://suricata-ids.org/support/</a>
</div>
<div>
List:
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noopener" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
</div>
<div>
<br>
</div>
<div>
Conference:
<a href="https://suricon.net" rel="noopener" target="_blank">https://suricon.net</a>
</div>
<div>
Trainings:
<a href="https://suricata-ids.org/training/" rel="noopener" target="_blank">https://suricata-ids.org/training/</a>
</div>
</blockquote>
<div>
<br>
</div>
<div>
--
</div>
<div>
Regards,
</div>
<div>
Peter Manev
</div>
</blockquote>
</blockquote>
<div>
<br>
</div>
<div>
--
</div>
<div>
Regards,
</div>
<div>
Peter Manev
</div>
</blockquote>
<div>
<br>
</div>
<div>
<div style="font-size:12pt;font-family:arial,helvetica,sans-serif;color:rgb(0,0,128)">
<div>
Kind regards
<br>
<br>
</div>
<div>
Amar Rathore
<br>
</div>
<div>
Tel: +1 617 765 0633 -
<span style="color:rgb(255,0,0)">PLEASE NOTE CHANGED TELEPHONE NUMBER</span>
<br>Mobile: +91 8800 596506
</div>
<div>
<br>
</div>
</div>
</div>
</div>
</blockquote></div>
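<div dir="ltr">The thread leaves the three-NIC question with Peter's suggestion to bridge one pair of interfaces and let routing handle the rest. As an added example (not code from the list or from the Suricata project), the Python below parses af-packet sections flattened the way the ones quoted above were, and checks the pairing conditions the two-NIC example relies on: each interface configured once, copy-mode ips, a copy-iface whose own entry copies back, unique cluster-ids and tpacket-v3 off. Run against the six-entry fan-out from the original question, it reports the duplicated interfaces and the eth2 entry whose peer does not copy back. The rules are this example's reading of the thread, not Suricata's own validation, and the parser covers only the flat YAML subset seen here.</div>

```python
"""Sanity-check an af-packet section of suricata.yaml for an IPS copy-mode layout.

Added example for this thread, not code from the list or the Suricata project.
It hand-parses the flat YAML subset used in the thread, so no PyYAML is needed.
The rules follow the two-NIC example: each interface once, copy-mode ips, a
copy-iface whose own entry copies back, unique cluster-ids, tpacket-v3 off
(AFPv2). They are this example's reading of the thread, not Suricata's checks.
"""
import re
from typing import Dict, List, Tuple

def parse_af_packet(text: str) -> List[Dict[str, str]]:
    """One dict per '- interface:' entry; comments stripped, indentation ignored
    (mail clients flatten it, which is what happened to the configs above)."""
    entries: List[Dict[str, str]] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "af-packet:":
            in_section = True
            continue
        if not in_section:
            continue
        if re.fullmatch(r"[A-Za-z0-9_-]+:", line):  # next top-level section
            break
        m = re.fullmatch(r"(-\s*)?([A-Za-z0-9_-]+):\s*(.*)", line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        dash, key, value = m.groups()
        if dash:
            entries.append({})
        if not entries:
            raise ValueError(f"key outside an entry: {raw!r}")
        entries[-1][key] = value
    return entries

def check_ips_pairing(entries: List[Dict[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means the layout is sane."""
    problems: List[str] = []
    by_iface: Dict[str, Dict[str, str]] = {}
    for e in entries:
        name = e.get("interface", "")
        # copy-mode is a 1:1 bridge; listing eth0 twice to fan out to both
        # eth1 and eth2 is the layout the original question tried.
        if name in by_iface:
            problems.append(f"{name}: interface listed more than once")
        else:
            by_iface[name] = e
    seen_ids: Dict[str, str] = {}
    for name, e in by_iface.items():
        if e.get("copy-mode") != "ips":
            problems.append(f"{name}: copy-mode is not 'ips'")
        peer = e.get("copy-iface")
        if peer is None or peer == name:
            problems.append(f"{name}: copy-iface missing or pointing at itself")
        elif peer not in by_iface:
            problems.append(f"{name}: copy-iface {peer} has no entry of its own")
        elif by_iface[peer].get("copy-iface") != name:
            problems.append(f"{name}: {peer} does not copy back to {name}")
        cid = e.get("cluster-id", "")
        if cid in seen_ids:
            problems.append(f"{name}: cluster-id {cid} already used by {seen_ids[cid]}")
        seen_ids.setdefault(cid, name)
        if e.get("tpacket-v3", "no").lower() == "yes":
            problems.append(f"{name}: tpacket-v3 enabled; the thread advises AFPv2")
    return problems

# Peter Manev's two-NIC bridge from the thread, re-indented and abridged.
TWO_NIC = """
af-packet:
  - interface: enp1s0f0
    threads: 4 # or a number that is below half the number of cores available
    cluster-id: 98
    copy-mode: ips
    copy-iface: enp1s0f1
    tpacket-v3: no
  - interface: enp1s0f1
    cluster-id: 97
    copy-mode: ips
    copy-iface: enp1s0f0
"""

def fanout_config(pairs: List[Tuple[str, int, str]]) -> str:
    """Build a minimal af-packet section from (interface, cluster-id, copy-iface)
    triples; constructed here to reproduce the three-NIC layout asked about."""
    lines = ["af-packet:"]
    for iface, cid, peer in pairs:
        lines += [f"  - interface: {iface}", f"    cluster-id: {cid}",
                  "    copy-mode: ips", f"    copy-iface: {peer}"]
    return "\n".join(lines)

# The six-entry layout from the original question: every NIC listed twice.
THREE_NIC_FANOUT = fanout_config([
    ("eth0", 99, "eth1"), ("eth0", 98, "eth2"), ("eth1", 97, "eth0"),
    ("eth1", 96, "eth2"), ("eth2", 95, "eth0"), ("eth2", 94, "eth1"),
])

if __name__ == "__main__":
    for label, cfg in (("two-NIC bridge", TWO_NIC), ("three-NIC fan-out", THREE_NIC_FANOUT)):
        print(label, check_ips_pairing(parse_af_packet(cfg)) or "OK")
```

<div dir="ltr">The checker deliberately reads the flattened text the way it arrived in the mail, so it can be pointed at a pasted section without fixing the indentation first; a real suricata.yaml with nested keys under an interface would need a proper YAML loader.</div>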