[Oisf-users] Suricata IPS AF_packet mode

Albert E. Whale, CEH CHS CISA CISSP Albert.Whale at IT-Security-inc.com
Sat Mar 9 18:46:34 UTC 2019


Thank you for the response, Eric.  Two additional questions for clarity.

1. If I am not using br0, should I still create it?

2. If I am using the two interfaces of the bridge, do I need to run a 
daemon from enp1s0 -> enp4s0 and also from enp4s0 -> enp1s0?


I am hearing that AF_Packet is faster than NFQueue; there just doesn't 
seem to be sufficient documentation to clear up my questions.

Thank you for your responses.


On 3/9/19 12:02 PM, Eric Leblond wrote:
> Hello,
>
> On Sat, 2019-03-09 at 11:30 -0500, Albert E. Whale, CEH CHS CISA CISSP
> wrote:
>> Just trying to get Clarity on this issue.
>> https://docs.mirantis.com/mcp/q4-18/mcp-security-best-practices/use-cases/idps-vnf/ips-mode/afpacket.html
>> This is in the read use case document:
>> To enable IPS mode using the ``AF_PACKET`` Linux bridge:
>>
>> Does this mean that I can use the br0 interface?
> No.
>
>> Or do I need to specify an instance for each of the interfaces in the
>> bridge as Interface: and copy-iface: configuration items?
>>
>> brctl show
>> bridge name    bridge id            STP enabled    interfaces
>> br0            8000.6805ca842147    no             enp1s0
>>                                                    enp4s0
> enp1s0 and enp3s0 are the interfaces to peer.
>
>> I'm not sure if I can use the bridge to intercept bidirectional
>> traffic, or if I need a single listener for each inbound and outbound
>> traffic.
> The bridge will relay in kernel without giving Suricata an option to drop
> the packets...
>
>> Thank you.
>> -- 
>>
>> Albert E. Whale Email: Albert.Whale at IT-Security-inc.com
>> Cell: 412-889-6870
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
-- 

Albert E. Whale, Email: Albert.Whale at IT-Security-inc.com
Cell: 412-889-6870
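Added example (not part of the thread, and not Eric's or Albert's configuration): the `af-packet` section of a Suricata configuration that peers the two interfaces from the `brctl show` output above for inline IPS operation. It follows the layout of the AF_PACKET IPS section in the Suricata user guide; the interface names come from the thread, while the file path and the `cluster-id` values are assumptions. Both directions are handled by one Suricata process: each interface entry names the other as its `copy-iface`, so a second daemon is not needed.

```yaml
# /etc/suricata/suricata.yaml (path assumed) -- af-packet section only.
# Interfaces must be plain, un-bridged NICs: if they are still members of
# br0, the kernel bridge forwards frames itself and Suricata never gets
# the chance to drop them (as noted in the thread). Remove them from the
# bridge first, e.g. `brctl delif br0 enp1s0` and `brctl delif br0 enp4s0`,
# and confirm with `brctl show` that br0 no longer lists them.
af-packet:
  - interface: enp1s0
    threads: 1             # keep the thread count identical on both peers
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98         # must differ from the peer's cluster-id (assumed value)
    copy-mode: ips         # "ips" drops packets matching drop rules; "tap" only copies
    copy-iface: enp4s0     # frames entering enp1s0 are re-emitted on enp4s0
    buffer-size: 64535
    use-mmap: yes
  - interface: enp4s0
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 97         # assumed value, different from 98 above
    copy-mode: ips
    copy-iface: enp1s0     # frames entering enp4s0 are re-emitted on enp1s0
    buffer-size: 64535
    use-mmap: yes
```

Start a single instance with `suricata -c /etc/suricata/suricata.yaml --af-packet`; with `copy-mode: ips` only traffic matched by `drop` rules is blocked, so a rule set with no `drop` actions behaves like a transparent wire, which is a useful first check before enabling blocking rules.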


