[Oisf-users] NETMAP guide - suricata.yaml

elof2 at sentor.se elof2 at sentor.se
Thu Apr 7 13:56:17 UTC 2016


On Thu, 7 Apr 2016, Oliver Humpage wrote:
>> On 7 Apr 2016, at 14:12, elof2 at sentor.se wrote:
>>> netmap:
>>>   # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
>>> - interface: ix1
>> What is the actual difference between specifying "ix1" or "ix1+"?
> When netmap gets a packet it has to shunt it somewhere after suricata is done inspecting it. Where it sends it is the copy-interface. If your box only has 2 ports (ext and int) then that’s easy, you set:
> interface: ext
> copy-iface: int
> and for packets the other way
> interface: int
> copy-iface: ext
> Lovely. However, if you have more than one internal interface, or if you want to do other things with the packets, then you don’t want to send them straight out of the box: you want them to appear like they’ve just come into the interface, as if netmap isn’t there at all. For this, you use the “+” interface. Eg

Thanks.

> interface: ext
> copy-iface: ext+
> will let suricata inspect packets coming into your network, but then let pf/routing tables/etc get hold of the packet as if it had just appeared at the ext interface.
> Obviously you need the return rule to capture both sides of any network conversation:
> interface: ext+
> copy-iface: ext
> This will grab any packets heading out of ext and netmap them into suricata. When suricata’s done, it’ll send them on their way out of ext.

Yep.

>> "If copy-mode is set to ips or tap" it says.
>> Are there any other copy-modes?
> No - you can either *always* pass the packet no matter what rules it matches (tap), or block the packet if it matches a block rule (ips).

Then I think the example text in suricata.yaml is confusing and should be 
updated to: "copy-mode can be set to ips or tap"


>> In IDS mode, do we even need to specify any copy-interface?
> Yes, because netmap has given the packet to suricata. It’s not a copy, it’s the real packet. So suricata has to send it on its way.

Does suricata really *have* to send the packet after processing?
Wouldn't it save some cpu cycles if suricata could be configured 
*not* to send the packet further, when running in IDS mode?

/Elof
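For reference, here is the netmap section the thread is discussing assembled into one complete fragment. This is an added example, not text from the original mail or from the Suricata project's shipped suricata.yaml. It assumes a FreeBSD host with a netmap-capable driver and two NICs named "ext" and "int" (placeholder names taken from the discussion above); the "+" suffix for the host stack endpoint is the one shown in the thread's suricata.yaml.

```yaml
# Added example (not from the original post). Interface names "ext" and
# "int" are placeholders; adjust to the NICs on your box.
netmap:
  # --- Variant A: two-port bump-in-the-wire (no host stack involvement) ---
  # Packets entering on ext are inspected and, unless dropped, copied out of int.
  - interface: ext
    threads: auto
    copy-mode: ips          # "ips": drop on a drop rule; "tap": always forward
    copy-iface: int
    disable-promisc: no
    checksum-checks: auto
  # Return direction, so both halves of every conversation are seen.
  - interface: int
    threads: auto
    copy-mode: ips
    copy-iface: ext
    disable-promisc: no
    checksum-checks: auto

  # --- Variant B: single NIC in front of the host stack (pf / routing) ---
  # Uncomment these and remove Variant A if you want inspected packets to
  # reappear on ext for the OS, as if netmap were not there at all.
  #- interface: ext
  #  threads: auto
  #  copy-mode: ips
  #  copy-iface: ext+        # hand the packet to the host stack endpoint
  #- interface: ext+
  #  threads: auto
  #  copy-mode: ips
  #  copy-iface: ext         # packets leaving the host stack go onto the wire
```

Use only one variant per physical interface; each ring can be opened by one netmap consumer at a time. Start Suricata with the netmap runmode, e.g. `suricata -c /usr/local/etc/suricata/suricata.yaml --netmap`, and confirm in suricata.log that both interface entries (both directions) were opened, since a missing return entry silently breaks the second half of every flow.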

