[Oisf-users] Reg: [oisf-users] Can i use a bridge and ethernet interface as two different interfaces in af-packet IPS?

Victor Julien lists at inliniac.net
Wed Nov 28 09:37:26 UTC 2018

On 14-11-18 15:47, Cloherty, Sean E wrote:
> I’m working through some similar issues/questions as well.  On my test
> network I want the traffic flow like this:
> Internet router -> TAP -> Suricata eth0 -> Suricata eth1 -> QRadar
> monitor port.
> I only want the traffic to flow in that one direction.  Do I need to
> include an af-packet entry for both eth0 and eth1 and have each point to
> the other as a copy interface or will all the traffic egress from eth1
> without that if I use the single af-packet entry Victor has below?

AFAICS this is not supported by the suricata bridge modes. I guess you
could just set it up like normal. Perhaps it's possible to disable the
eth1 iface promisc mode. But would the QRadar port even send out
packets? If not, there should be no issue?

> In that scenario – do I want it to run in IPS or tap mode?  I’d like to
> avoid the need to configure NFQueue or IPTABLES.  Some posts I’ve read
> including Eric’s, which is frequently referenced, seem to indicate
> that tap mode will set up a transparent bridge between the two interfaces
> and no kernel level bridge nor iptables changes were needed.

Depends on your need. In tap mode it won't drop/block packets, in ips
mode it might depending on rules and some other settings.

> Last question - do you need to specifically add ‘tpacket-v3: no’ if
> using mmap or run into latency issues noted in the Suricata.yaml?

Not sure. But in your specific use case the added latency by v3 might
not be a problem?

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
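
Added example, not written by either poster and not the Suricata project's shipped configuration: the "normal" two-entry af-packet bridge the reply refers to, laid out for the eth0/eth1 setup in the question. The cluster-id values are constructed, and `copy-mode: tap` is chosen here only to show the non-blocking case.

```yaml
# Illustrative suricata.yaml fragment (added example, values constructed).
# Interface names eth0/eth1 come from the question in this thread.
af-packet:
  # Side receiving traffic from the TAP.
  - interface: eth0
    threads: 1
    cluster-id: 98              # constructed; must differ per interface
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    # The question cites the suricata.yaml note about tpacket-v3 latency
    # in IPS/TAP mode; v2 is selected explicitly here.
    tpacket-v3: no
    # tap: every packet is copied to copy-iface, nothing is dropped.
    # ips: packets hit by drop rules are not copied to copy-iface.
    copy-mode: tap
    copy-iface: eth1

  # Side facing the QRadar monitor port.
  # Per the reply, the bridge modes do not offer a one-direction-only
  # setup, so this entry copies back to eth0 as in a normal bridge.
  - interface: eth1
    threads: 1
    cluster-id: 97              # constructed
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v3: no
    copy-mode: tap
    copy-iface: eth0
```

Switching both `copy-mode` values to `ips` gives the blocking behaviour described in the reply, with no NFQUEUE or iptables configuration involved.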
