[Oisf-users] Reg: [oisf-users] Can i use a bridge and ethernet interface as two different interfaces in af-packet IPS?

Cloherty, Sean E scloherty at mitre.org
Wed Nov 14 14:47:17 UTC 2018

I’m working through some similar issues and questions as well.  On my test network I want the traffic to flow like this:

Internet router -> TAP -> Suricata eth0 -> Suricata eth1 -> QRadar monitor port.

I only want the traffic to flow in that one direction.  Do I need to include an af-packet entry for both eth0 and eth1 and have each point to the other as a copy interface or will all the traffic egress from eth1 without that if I use the single af-packet entry Victor has below?

In that scenario – do I want it to run in IPS or tap mode?  I’d like to avoid the need to configure NFQueue or IPTABLES.  Some posts I’ve read, including Eric’s, which is frequently referenced, seem to indicate that tap mode will set up a transparent bridge between the two interfaces and that no kernel-level bridge nor iptables changes were needed.

Last question - do you need to specifically add ‘tpacket-v3: no’ if using mmap, or do you run into the latency issues noted in suricata.yaml?



From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of kavi perumal
Sent: Thursday, November 8, 2018 6:12 AM
To: lists at inliniac.net
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Reg: [oisf-users] Can i use a bridge and ethernet interface as two different interfaces in af-packet IPS?

Hi Victor Julien,

I am able to run suricata in af-packet tap mode, between two physical interfaces say eth0 and eth1 where there is no linux bridge involved (basic inline mode).

  - interface: eth0
    threads: 1
    defrag: yes
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
    use-mmap: yes

-Kavi Perumal G.

On Thu, Nov 8, 2018 at 4:37 PM Victor Julien <lists at inliniac.net> wrote:
On 08-11-18 10:35, kavi perumal wrote:
> A very basic clarification w.r.t suricata IDS/IPS af-packet mode.
> i want to run suricata in IPS --af-packet mode, but would like to use a
> physical interface (eth0) and a bridge(br0) as a pair, where as eth0 is
> not part of the bridge (br0).
> suricata.yaml:
>   - interface: eth0
>     threads: 1
>     defrag: yes
>     cluster-id: 98
>     copy-mode: ips
>     copy-iface: br0
>     use-mmap: yes

I wonder if the problem is that you're creating a Suricata bridge that
includes a kernel level bridge. Are you able to get it working w/o using
a br0 but instead a real interface?

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
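Added example (not from any poster in this thread): the af-packet pairing that Suricata's own inline documentation describes, with both physical interfaces pointing at each other, shown against the single-entry form above. Interface names eth0/eth1 and cluster-id 98 come from the thread; cluster-id 97 and the cluster-type/defrag values are assumptions.

```yaml
af-packet:
  # Entry 1: packets that arrive on eth0 are inspected, then copied
  # out of eth1. This alone is what Kavi's single-entry config does.
  - interface: eth0
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow   # assumed; keep a flow on one thread
    defrag: yes
    use-mmap: yes
    # copy-mode: tap -> every packet is copied through, nothing dropped
    # copy-mode: ips -> packets matching drop rules are not copied
    copy-mode: ips
    copy-iface: eth1
    # tpacket-v3 is deliberately left unset here: it is an IDS-mode
    # capture option, not one for the copy (inline) modes.

  # Entry 2 (cluster-id 97 is assumed): only needed if traffic also
  # arrives on eth1 and must be copied back to eth0. Without it, the
  # reverse direction is never forwarded. Each entry needs its own
  # cluster-id, and no kernel bridge (br0) is involved on either side.
  - interface: eth1
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0
```

Start Suricata with `--af-packet` (no interface argument) so both entries are loaded; a one-way feed such as TAP -> eth0 -> eth1 only exercises the first entry.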