[Oisf-users] Suricata IPS AF_packet mode

Andreas Herz aherz at oisf.net
Mon Jun 17 20:39:12 UTC 2019


On 17/06/19 at 14:05, Albert Whale wrote:
> In this mode, IPS w/AF_packet, will I be using the INPUT/OUTPUT chains, or
> continue to use the FORWARD chain for the IPS?
> 
> The document -
> https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html
> 
> references the NFQUEUE Mode, and also utilizes only the FORWARD chain.

In the AFPACKET IPS mode you don't go through any of the chains cause
you directly forward packets from one interface to the other and vice
versa.

> 
> Thank you.
> 
> On 3/9/19 2:38 PM, Eric Leblond wrote:
> > Bonjour,
> > 
> > On Sat, 2019-03-09 at 13:46 -0500, Albert E. Whale, CEH CHS CISA CISSP
> > wrote:
> > > Thank you for the response Eric.  two additional questions for
> > > clarity.
> > > 
> > > 1. If I am not using br0, should I still create it?
> > Excuse my French but this sentence from the documentation you gave the
> > URL for appears clear to me:
> > 'AF_PACKET establishes a software bridge between two interfaces by
> > copying packet from one interface to another (and reverse).'
> > 
> > It is a software bridge done by Suricata so you don't need a bridge at
> > kernel level.
> > 
> > > 2. If I am using the two interfaces of the bridge, do I need to run
> > > a daemon from enp1s0 -> enp4s0 and also from enp4s0 -> enp1s0?
> > If you sniff on the 2 interfaces in the Suricata instance and peer them
> > then you will have a copy from one iface to the other one.
> > 
> > > 
> > > I am hearing that AF_Packet is faster than NFQueue, there just
> > > doesn't seem to be sufficient documentation to clear my questions.
> > On this side, once your setup is working, feel free to propose some
> > explanation in the official documentation. The userguide is really
> > simple to enhance as you just need to write some reStructuredText and
> > do a pull request on GitHub.
> > 
> > BR,
> > 
> > 
> > > Thank you for your responses.
> > > 
> > > 
> > > On 3/9/19 12:02 PM, Eric Leblond wrote:
> > > > Hello,
> > > > 
> > > > On Sat, 2019-03-09 at 11:30 -0500, Albert E. Whale, CEH CHS CISA
> > > > CISSP
> > > > wrote:
> > > > > Just trying to get Clarity on this issue.
> > > > > https://docs.mirantis.com/mcp/q4-18/mcp-security-best-practices/use-cases/idps-vnf/ips-mode/afpacket.html
> > > > > This is in the read use case document:
> > > > > To enable IPS mode using the ``AF_PACKET`` Linux bridge:
> > > > > 
> > > > > Does this mean that I can use the br0 interface?
> > > > No.
> > > > 
> > > > > Or do I need to specify an instance for each of the interfaces in
> > > > > the bridge as Interface: and copy-iface: configuration items?
> > > > > 
> > > > > brctl show
> > > > > bridge name    bridge id            STP enabled    interfaces
> > > > > br0            8000.6805ca842147    no             enp1s0
> > > > >                                                    enp4s0
> > > > enp1s0 and enp3s0 are the interface to peer.
> > > > 
> > > > > I'm not sure if I can use the bridge to intercept bidirectional
> > > > > traffic, or if I need a single listener for each inbound and
> > > > > outbound traffic.
> > > > Bridge will relay in kernel without giving Suricata an option to
> > > > drop the packets...
> > > > 
> > > > > Thank you.
> > > > > -- 
> > > > > 
> > > > > Albert E. Whale Email: Albert.Whale at IT-Security-inc.com
> > > > > Cell: 412-889-6870
> > > > > 
> > > > > _______________________________________________
> > > > > Suricata IDS Users mailing list:
> > > > > oisf-users at openinfosecfoundation.org
> > > > > Site: http://suricata-ids.org | Support:
> > > > > http://suricata-ids.org/support/
> > > > > List:
> > > > > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > > > 
> > > > > Conference: https://suricon.net
> > > > > Trainings: https://suricata-ids.org/training/

-- 
Andreas Herz
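Added example for the thread above, not taken from the thread or from the Suricata project's own configuration: a suricata.yaml af-packet section that peers the two physical interfaces shown in the brctl output (enp1s0 and enp4s0) the way Eric describes, placed beside the br0 approach that does not give Suricata a drop verdict. The cluster-id values and thread counts are assumptions for illustration.

```yaml
# Added example (not from the thread): af-packet IPS configuration for suricata.yaml.
# Interface names enp1s0/enp4s0 come from the brctl output in the thread;
# cluster-id values and thread counts are assumed for illustration.

# DOES NOT WORK AS IPS: listening on the kernel bridge. The kernel relays
# frames between enp1s0 and enp4s0 on its own, so Suricata only sees a copy
# and a "drop" verdict never stops anything (IDS behaviour, not IPS).
#
# af-packet:
#   - interface: br0
#     copy-mode: ips        # no effect here: there is no peer to copy to
#
# Before using the configuration below, remove the kernel bridge (bring br0
# down, then "brctl delbr br0") so that only Suricata forwards traffic.

# WORKS AS IPS: one entry per physical interface, each peered with the other.
# Suricata itself copies every packet it does not drop from one interface to
# its copy-iface, so no iptables INPUT/OUTPUT/FORWARD rule is involved.
af-packet:
  - interface: enp1s0
    threads: 1              # assumed; keep thread counts equal on both peers
    cluster-id: 98          # assumed; must differ from the peer's cluster-id
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips          # "ips" drops what rules say to drop; "tap" only copies
    copy-iface: enp4s0
    use-mmap: yes
    buffer-size: 64535
  - interface: enp4s0
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: enp1s0
    use-mmap: yes
    buffer-size: 64535
```

With this in place a single Suricata process started with `suricata -c /etc/suricata/suricata.yaml --af-packet` handles both directions: one entry per interface is needed, not one daemon per direction, because each entry copies towards its peer and the peer copies back. Rules with the drop action are then enforced on the copied traffic; the interfaces carry no IP addresses and the host's own firewall chains are not consulted for the bridged packets.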

