[Oisf-users] NETMAP guide - suricata.yaml

[Oliver Humpage]

> On 7 Apr 2016, at 14:12, elof2 at sentor.se wrote:
> 
> 
>> netmap:
>>   # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
>> - interface: ix1
> 
> What is the actual difference between specifying "ix1" or "ix1+"?
> With "ix1", the *physical* RX packets to ix1 are captured, while "ix1+" rather captures them from the kernel tcp/ip-stack?

When netmap gets a packet it has to shunt it somewhere after suricata is done inspecting it. Where it sends it is the copy-interface. If your box only has 2 ports (ext and int) then that’s easy, you set:

interface: ext
copy-iface: int

and for packets the other way

interface: int
copy-iface: ext


Lovely. However, if you have more than one internal interface, or if you want to do other things with the packets, then you don’t want to send them straight out of the box: you want them to appear like they’ve just come into the interface, as if netmap isn’t there at all. For this, you use the “+” interface. Eg

interface: ext
copy-iface: ext+

will let suricata inspect packets coming into your network, but then let pf/routing tables/etc get hold of the packet as if it had just appeared at the ext interface.

Obviously you need the return rule to capture both sides of any network conversation:

interface: ext+
copy-iface: ext

This will grab any packets heading out of ext and netmap them into suricata. When suricata’s done, it’ll send them on their way out of ext.

> "If copy-mode is set to ips or tap" it says.
> Are there any other copy-modes?

No - you can either *always* pass the packet no matter what rules it matches (tap), or block the packet if it matches a block rule (ips).

> In IDS mode, do we even need to specify any copy-interface?

Yes, because netmap has given the packet to suricata. It’s not a copy, it’s the real packet. So suricata has to send it on its way.

That’s about as many of your questions as I feel qualified to answer :)

Oliver.