[Oisf-users] Suricata IPS AF_packet mode

Eric Leblond eric at regit.org
Sat Mar 9 19:38:41 UTC 2019


Bonjour,

On Sat, 2019-03-09 at 13:46 -0500, Albert E. Whale, CEH CHS CISA CISSP
wrote:
> Thank you for the response Eric.  two additional questions for
> clarity.
> 
> 1. If I am not using br0, should I still create it?

Excuse my French, but this sentence from the documentation you gave the
URL for appears clear to me:
'AF_PACKET establishes a software bridge between two interfaces by
copying packet from one interface to another (and reverse).'

It is a software bridge done by Suricata, so you don't need a bridge at
kernel level.

> 
> 2. If I am using the two interfaces of the bridge, do I need to run a
> daemon from enp1s0 -> enp4s0 and also from enp4s0 -> enp1s0?

If you sniff on the 2 interfaces in the Suricata instance and peer them,
then you will have copies from one iface to the other one.

> 
> 
> I am hearing that AF_Packet is faster than NFQueue, there just doesn't
> seem to be sufficient documentation to clear my questions.

On this side, once your setup is working, feel free to propose some
explanation in the official documentation. The user guide is really
simple to enhance, as you just need to write some reStructuredText and
do a pull request on GitHub.

BR,


> 
> Thank you for your responses.
> 
> 
> On 3/9/19 12:02 PM, Eric Leblond wrote:
> > Hello,
> > 
> > On Sat, 2019-03-09 at 11:30 -0500, Albert E. Whale, CEH CHS CISA
> > CISSP
> > wrote:
> > > Just trying to get Clarity on this issue.
> > > https://docs.mirantis.com/mcp/q4-18/mcp-security-best-practices/use-cases/idps-vnf/ips-mode/afpacket.html
> > > This is in the read use case document:
> > > To enable IPS mode using the ``AF_PACKET`` Linux bridge:
> > > 
> > > Does this mean that I can use the br0 interface?
> > No.
> > 
> > > Or do I need to specify an instance for each of the interfaces in
> > > the bridge as interface: and copy-iface: configuration items?
> > > 
> > > brctl show
> > > bridge name    bridge id            STP enabled    interfaces
> > > br0            8000.6805ca842147    no             enp1s0
> > >                                                    enp4s0
> > enp1s0 and enp3s0 are the interfaces to peer.
> > 
> > > I'm not sure if I can use the bridge to intercept bidirectional
> > > traffic, or if I need a single listener for each inbound and
> > > outbound traffic.
> > The bridge will relay in kernel without giving Suricata an option to
> > drop the packets...
> > 
> > > Thank you.
> > > -- 
> > > 
> > > Albert E. Whale Email: Albert.Whale at IT-Security-inc.com
> > > Cell: 412-889-6870
> > > 
> > > _______________________________________________
> > > Suricata IDS Users mailing list: 
> > > oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support:
> > > http://suricata-ids.org/support/
> > > List:
> > > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > 
> > > Conference: https://suricon.net
> > > Trainings: https://suricata-ids.org/training/
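As an added illustration of what Eric describes (two interfaces sniffed by one Suricata instance and peered with copy-iface, no kernel bridge in the path), here is an af-packet section for suricata.yaml. This is example configuration written for this thread, not text from the Suricata project or from the Mirantis page; it assumes the interface names enp1s0 and enp4s0 from the brctl output above, and the cluster-id values and thread counts are arbitrary choices.

```yaml
# Added example: af-packet IPS configuration peering two interfaces.
# Each interface entry names the other as its copy-iface, so the
# enp1s0 -> enp4s0 and enp4s0 -> enp1s0 directions are both handled
# by this one instance; no separate daemon per direction is needed.
af-packet:
  - interface: enp1s0
    threads: 1            # must match the thread count on the peer
    cluster-id: 98        # arbitrary, but unique per interface entry
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips        # ips = packets matching a drop rule are not copied
    copy-iface: enp4s0    # packets accepted on enp1s0 are re-emitted here
    buffer-size: 64535
    use-mmap: yes
    tpacket-v3: no        # IPS copy mode relies on tpacket-v2
  - interface: enp4s0
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: enp1s0
    buffer-size: 64535
    use-mmap: yes
    tpacket-v3: no
```

Before starting, make sure the kernel bridge is not also forwarding between the two interfaces (for example by removing enp1s0 and enp4s0 from br0), since packets relayed by the kernel bridge never pass through Suricata and cannot be dropped, as noted in the thread. The configuration can be validated with `suricata -T -c /etc/suricata/suricata.yaml` and then run with `suricata --af-packet -c /etc/suricata/suricata.yaml`.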