[Oisf-users] Suricata IPS AF_packet mode
Albert E. Whale, CEH CHS CISA CISSP
Albert.Whale at IT-Security-inc.com
Sat Mar 9 18:46:34 UTC 2019
Thank you for the response Eric. two additional questions for clarity.
1. If I am not using br0, should I still create it?
2. If I am using the two interfaces of the bridge, do I need to run a
deamon from enp1s0 -> enp4s0 and also from enp4s0 -> enp1s0?
I am hearing that AF_Packet is faster than NFQueue, there just doesn't
seem to be sufficient documentation to clear my questions.
Thank you for your responses.
On 3/9/19 12:02 PM, Eric Leblond wrote:
> Hello,
>
> On Sat, 2019-03-09 at 11:30 -0500, Albert E. Whale, CEH CHS CISA CISSP
> wrote:
>> Just trying to get Clarity on this issue.
>> https://docs.mirantis.com/mcp/q4-18/mcp-security-best-practices/use-cases/idps-vnf/ips-mode/afpacket.html
>> This is in the read use case document:
>> To enable IPS mode using the ``AF_PACKET`` Linux bridge:
>>
>> Does this mean that I can use the br0 interface?
> No.
>
>> Or do I need to specify an instance for each of the interfaces in the
>> bridge as Interface: and copy-iface: configuration items?
>>
>> brctl show
>> bridge name bridge id STP enabled interfaces
>> br0 8000.6805ca842147 no enp1s0
>>
>> enp4s0
> enp1s0 and enp3s0 are the interface to peer.
>
>> I'm not sure if I can use the bridge to intercept bidirectional
>> traffic, or if I need a single listener for each inbound and outbound
>> traffic.
> Bridge will relay in kernel without given Suricata an option to drop
> the packets...
>
>> Thank you.
>> --
>> --
>> --
>>
>> Albert E. Whale Email: Albert.Whale at IT-Security-inc.com
>> Cell: 412-889-6870
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
--
--
--
Albert E. Whale, Email: Albert.Whale at IT-Security-inc.com
Cell: 412-889-6870
More information about the Oisf-users
mailing list