[Oisf-users] Suricata IPS AF_packet mode

Albert Whale Albert.Whale at IT-Security-inc.com
Fri Jun 21 21:36:24 UTC 2019


So the only way to implement IPS with IPTables, is to employ the 
NFQUEUE.  Correct?

On 6/17/19 4:39 PM, Andreas Herz wrote:
> On 17/06/19 at 14:05, Albert Whale wrote:
>> In this mode, IPS w/AF_packet, will I be using the INPUT/OUTPUT chains, or
>> continue to use the FORWARD chain for the IPS?
>>
>> The document -
>> https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html
>>
>> references the NFQUEUE Mode, and also utilizes only the FORWARD chain.
> In the AFPACKET IPS mode you don't go through any of the chains because
> you directly forward packets from one interface to the other and vice
> versa.
>
>> Thank you.
>>
>> On 3/9/19 2:38 PM, Eric Leblond wrote:
>>> Bonjour,
>>>
>>> On Sat, 2019-03-09 at 13:46 -0500, Albert E. Whale, CEH CHS CISA CISSP
>>> wrote:
>>>> Thank you for the response Eric.  two additional questions for
>>>> clarity.
>>>>
>>>> 1. If I am not using br0, should I still create it?
>>> Excuse my French, but this sentence from the documentation you gave the
>>> URL for appears clear to me:
>>> 'AF_PACKET establishes a software bridge between two interfaces by
>>> copying packets from one interface to another (and reverse).'
>>>
>>> It is a software bridge done by Suricata, so you don't need a bridge at
>>> kernel level.
>>>
>>>> 2. If I am using the two interfaces of the bridge, do I need to run a
>>>> daemon from enp1s0 -> enp4s0 and also from enp4s0 -> enp1s0?
>>> If you sniff on the 2 interfaces in the Suricata instance and peer them,
>>> then you will have a copy from one iface to the other one.
>>>
>>>> I am hearing that AF_Packet is faster than NFQueue, there just doesn't
>>>> seem to be sufficient documentation to clear my questions.
>>> On this side, once your setup is working, feel free to propose some
>>> explanation in the official documentation. The userguide is really
>>> simple to enhance, as you just need to write some reStructuredText and
>>> do a pull request on GitHub.
>>>
>>> BR,
>>>
>>>
>>>> Thank you for your responses.
>>>>
>>>>
>>>> On 3/9/19 12:02 PM, Eric Leblond wrote:
>>>>> Hello,
>>>>>
>>>>> On Sat, 2019-03-09 at 11:30 -0500, Albert E. Whale, CEH CHS CISA CISSP
>>>>> wrote:
>>>>>> Just trying to get Clarity on this issue.
>>>>>> https://docs.mirantis.com/mcp/q4-18/mcp-security-best-practices/use-cases/idps-vnf/ips-mode/afpacket.html
>>>>>> This is in the read use case document:
>>>>>> To enable IPS mode using the ``AF_PACKET`` Linux bridge:
>>>>>>
>>>>>> Does this mean that I can use the br0 interface?
>>>>> No.
>>>>>
>>>>>> Or do I need to specify an instance for each of the interfaces in the
>>>>>> bridge as Interface: and copy-iface: configuration items?
>>>>>>
>>>>>> brctl show
>>>>>> bridge name    bridge id            STP enabled    interfaces
>>>>>> br0            8000.6805ca842147    no             enp1s0
>>>>>>                                                    enp4s0
>>>>> enp1s0 and enp3s0 are the interfaces to peer.
>>>>>
>>>>>> I'm not sure if I can use the bridge to intercept bidirectional
>>>>>> traffic, or if I need a single listener for each inbound and outbound
>>>>>> traffic.
>>>>> The bridge will relay in kernel without giving Suricata an option to
>>>>> drop the packets...
>>>>>
>>>>>> Thank you.
>>>>>> -- 
>>>>>>
>>>>>> Albert E. Whale Email: Albert.Whale at IT-Security-inc.com
>>>>>> Cell: 412-889-6870
>>>>>>
>>>>>> _______________________________________________
>>>>>> Suricata IDS Users mailing list:
>>>>>> oisf-users at openinfosecfoundation.org
>>>>>> Site: http://suricata-ids.org | Support:
>>>>>> http://suricata-ids.org/support/
>>>>>> List:
>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>>
>>>>>> Conference: https://suricon.net
>>>>>> Trainings: https://suricata-ids.org/training/
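For reference, the configuration the thread converges on (one Suricata instance, two NICs peered with copy-iface, no kernel bridge and no iptables chain involved) looks like this. This is an added example written for this page, not a config posted by Albert, Eric or the Suricata project; the interface names enp1s0/enp4s0 are the ones from the `brctl show` output above, while the cluster-id, thread and buffer values are assumed placeholders.

```yaml
# Added example: suricata.yaml "af-packet" section for AF_PACKET IPS mode.
# Interface names come from the thread; cluster-id / threads / buffer-size
# are assumed values, adjust to your box.
#
# Prerequisite (Eric's point above): the two NICs must NOT be enslaved to a
# kernel bridge, otherwise the kernel relays frames itself and Suricata never
# gets a chance to drop them. Tear br0 down first, e.g.:
#   ip link set enp1s0 nomaster
#   ip link set enp4s0 nomaster
#   ip link del br0
# No INPUT/FORWARD/OUTPUT rule is needed in this mode; iptables -j NFQUEUE
# only applies to the NFQUEUE IPS mode.
af-packet:
  - interface: enp1s0
    threads: 1                 # keep identical on both peered interfaces
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98             # assumed; must differ from the peer's id
    copy-mode: ips             # honour "drop" verdicts ("tap" would only copy)
    copy-iface: enp4s0         # frames seen on enp1s0 are re-emitted on enp4s0
    buffer-size: 64535
    use-mmap: yes
  - interface: enp4s0
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 97             # assumed; distinct from the other entry
    copy-mode: ips
    copy-iface: enp1s0         # and the reverse direction, same process
    buffer-size: 64535
    use-mmap: yes
```

Run it with a single process, `suricata -c /etc/suricata/suricata.yaml --af-packet`; there is no second daemon for the return direction, the peering of the two entries covers both. Two caveats worth keeping in mind: with copy-mode set to ips the software bridge only exists while Suricata is running, so the link fails closed if the process stops, and because Suricata is the bridge, there is no kernel forwarding path for these two interfaces to fall back on.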