[Oisf-users] Suricata IPS mode with AF_PACKET with multiple interfaces

Peter Manev petermanev at gmail.com
Mon Nov 11 08:53:26 UTC 2019 

On Thu, Oct 24, 2019 at 3:06 PM Dihin LIN <linzx11 at gmail.com> wrote:
>
> I want to deploy suricata as IPS in my vpc,
> There are multiple network interfaces in my CVM, This CVM as a router between several vpcs,
> so this CVM will forward other vpc's traffic.
> For example i have eth0, eth1, eth2 three nics
> How to configure the af_packet ips?
>

make sure you use AFPv2 and you could try like described here
-https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html#af-packet-ips-mode
(here is an example below as well):

af-packet:
 - interface: enp1s0f0
   threads: 4 # or a number that is below half the number of cores available
   defrag: no
   cluster-type: cluster_flow
   cluster-id: 98
   copy-mode: ips
   copy-iface: enp1s0f1
   tpacket-v3: no
   ring-size: 2048
   use-mmap: yes

 - interface: enp1s0f1
   threads: 4 # or a number that is below half the number of cores available
   cluster-id: 97
   defrag: no
   cluster-type: cluster_flow
   copy-mode: ips
   copy-iface: enp1s0f0
   tpacket-v3: no
   ring-size: 2048
   use-mmap: yes




>
>  af-packet:
> - interface: eth0
> threads: auto
> defrag: yes
> cluster-type: cluster_flow
> cluster-id: 99
> copy-mode: ips
> copy-iface: eth1
> buffer-size: 64535
> use-mmap: yes
>
> - interface: eth0
> threads: auto
> defrag: yes
> cluster-type: cluster_flow
> cluster-id: 98
> copy-mode: ips
> copy-iface: eth2
> buffer-size: 64535
> use-mmap: yes
>
> - interface: eth1
> threads: auto
> cluster-id: 97
> defrag: yes
> cluster-type: cluster_flow
> copy-mode: ips
> copy-iface: eth0
> buffer-size: 64535
> use-mmap: yes
>
> - interface: eth1
> threads: auto
> cluster-id: 96
> defrag: yes
> cluster-type: cluster_flow
> copy-mode: ips
> copy-iface: eth2
> buffer-size: 64535
> use-mmap: yes
>
> - interface: eth2
> threads: auto
> cluster-id: 95
> defrag: yes
> cluster-type: cluster_flow
> copy-mode: ips
> copy-iface: eth0
> buffer-size: 64535
> use-mmap: yes
>
> - interface: eth2
> threads: auto
> cluster-id: 94
> defrag: yes
> cluster-type: cluster_flow
> copy-mode: ips
> copy-iface: eth1
> buffer-size: 64535
> use-mmap: yes
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list