[Oisf-users] suricata setup with a passive tap

Duarte Silva duarte.silva at serializing.me
Tue Mar 19 18:09:31 UTC 2013 

On Tuesday 19 March 2013 17:13:04 Victor Julien wrote:
> On 03/19/2013 02:28 PM, David wrote:
> > I have a question I couldn't find in the archives and I'm hoping it's not
> > silly, heh.
> > 
> > I built a passive tap (see below for details) to monitor the traffic
> > coming and going from the internet (cable modem) to my router (Apple
> > Airport Extreme).  The tap is setup so that the traffic gets copied to an
> > internal server (batista) where suricata monitors and alerts, strictly
> > being used as an IDS for now.   Basically, here's my traffic flow:
> > 
> > 
> > Internet -> batista:eth2 -> Airport Extreme
> > Airport Extreme  -> batista:eth1 -> Internet
> > 
> > Suricata HOME_NET:
> > HOME_NET: "[192.168.0.0/24,xx.xx.xx.xx]"  <- xx = my external IP
> > 
> > I have suricata setup to listen on both interfaces on batista:
> > 
> > af-packet:
> >   - interface: eth1
> >   
> >     threads: 1
> >     cluster-id: 99
> >     cluster-type: cluster_flow
> >     defrag: yes
> >     use-mmap: yes
> >   
> >   - interface: eth2
> >   
> >     threads: 1
> >     cluster-id: 98
> >     cluster-type: cluster_flow
> >     defrag: yes

Add the use-mmap property to the eth2 interface configuration, I thing it is 
also needed in order for memory mapping to be used (per interface setting).

> > 
> > So, my question is:  Is this the right kind of setup for suricata to
> > monitor traffic with a passive tap?  I have the ET rules setup and
> > working, I get alerts in my log files and everything *seems* good.  I
> > just want to make sure I'm using suricata correctly (setup and config)
> > before I start asking my next questions.
> > 
> > passive tap:
> > http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-pa
> > ssive-ethernet-tap/

One thing I think they don't explain is that this kind of tap only works well 
for 100Mbps networks, for Gigabit either it is able to downgrades the 
connection so that the negotiation occurs at 100Mbps or you will have packet 
loss depending on the amount of traffic. This will only matter if you are using 
a Gibabit network.

> > 
> > The reason I'm using a passive tap is I don't want my IDS box to be a
> > point of failure.  If the server goes down, I want traffic to still flow.
> Looks good to me.

More information about the Oisf-users mailing list