[Oisf-users] Suricata IPS AF_packet mode

Albert Whale Albert.Whale at IT-Security-inc.com
Mon Jun 17 18:05:11 UTC 2019


In this mode, IPS w/AF_packet, will I be using the INPUT/OUTPUT chains, 
or continue to use the FORWARD chain for the IPS?

The document - 
https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html

references the NFQUEUE Mode, and also utilizes only the FORWARD chain.

Thank you.

On 3/9/19 2:38 PM, Eric Leblond wrote:
> Hello,
>
> On Sat, 2019-03-09 at 13:46 -0500, Albert E. Whale, CEH CHS CISA CISSP
> wrote:
>> Thank you for the response Eric.  two additional questions for
>> clarity.
>>
>> 1. If I am not using br0, should I still create it?
> Excuse my French, but this sentence from the documentation you gave the
> URL for appears clear to me:
> 'AF_PACKET establishes a software bridge between two interfaces by
> copying packet from one interface to another (and reverse).'
>
> It is a software bridge done by Suricata, so you don't need a bridge at
> kernel level.
>
>> 2. If I am using the two interfaces of the bridge, do I need to run a
>> daemon from enp1s0 -> enp4s0 and also from enp4s0 -> enp1s0?
> If you sniff in the 2 interfaces in the Suricata instance and peer them
> then you will have copy from one iface to the other one.
>
>>
>> I am hearing that AF_Packet is faster than NFQueue, there just doesn't
>> seem to be sufficient documentation to clear my questions.
> On this side, once your setup is working, feel free to propose some
> explanation in the official documentation. The user guide is really
> simple to enhance, as you just need to write some reStructuredText and
> do a pull request on GitHub.
>
> BR,
>
>
>> Thank you for your responses.
>>
>>
>> On 3/9/19 12:02 PM, Eric Leblond wrote:
>>> Hello,
>>>
>>> On Sat, 2019-03-09 at 11:30 -0500, Albert E. Whale, CEH CHS CISA CISSP
>>> wrote:
>>>> Just trying to get Clarity on this issue.
>>>> https://docs.mirantis.com/mcp/q4-18/mcp-security-best-practices/use-cases/idps-vnf/ips-mode/afpacket.html
>>>> This is in the read use case document:
>>>> To enable IPS mode using the ``AF_PACKET`` Linux bridge:
>>>>
>>>> Does this mean that I can use the br0 interface?
>>> No.
>>>
>>>> Or do I need to specify an instance for each of the interfaces in the
>>>> bridge as interface: and copy-iface: configuration items?
>>>>
>>>> brctl show
>>>> bridge name    bridge id            STP enabled    interfaces
>>>> br0            8000.6805ca842147    no             enp1s0
>>>>                                                    enp4s0
>>> enp1s0 and enp3s0 are the interfaces to peer.
>>>
>>>> I'm not sure if I can use the bridge to intercept bidirectional
>>>> traffic, or if I need a single listener for each inbound and outbound
>>>> traffic.
>>> The bridge will relay in kernel without giving Suricata an option to
>>> drop the packets...
>>>
>>>> Thank you.
>>>> -- 
>>>>
>>>> Albert E. Whale Email: Albert.Whale at IT-Security-inc.com
>>>> Cell: 412-889-6870
>>>>
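An added example, not taken from the thread or from the Suricata project's own documentation, of the suricata.yaml af-packet section that implements what Eric describes: one Suricata instance sniffs both interfaces and peers them with copy-iface, so Suricata itself copies the frames at layer 2, the kernel bridge br0 stays out of the path, and no iptables chain (INPUT, OUTPUT or FORWARD) is involved in this mode. The interface names follow the thread; the cluster-id and thread values are assumed.

```yaml
# Added example (not from the thread or the Suricata project): af-packet
# section for suricata.yaml peering enp1s0 and enp4s0 in IPS copy mode.
# Both interfaces must be up and in promiscuous mode, carry no IP address,
# and must NOT be members of a kernel bridge such as br0, otherwise the
# kernel relays the frames before Suricata can decide to drop them.
af-packet:
  - interface: enp1s0
    threads: 1                # keep the same thread count on both peers
    cluster-id: 98            # assumed value; must differ per interface
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips            # 'ips' drops on a drop rule; 'tap' only copies
    copy-iface: enp4s0        # frames received on enp1s0 are re-emitted here
    use-mmap: yes
    tpacket-v3: no            # the v3 ring is not used for IPS/copy mode
  - interface: enp4s0
    threads: 1
    cluster-id: 99            # assumed value
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: enp1s0        # the reverse direction, enp4s0 -> enp1s0
    use-mmap: yes
    tpacket-v3: no
```

Start a single Suricata process with both interfaces (for example `suricata -c suricata.yaml --af-packet`); one instance handles both directions, so no second daemon is needed.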

