[Oisf-users] Suricata IPS mode with AF_PACKET with multiple interfaces

Dihin LIN linzx11 at gmail.com
Thu Nov 14 08:34:28 UTC 2019


Thanks Peter,
in your example there are just two NICs, but in my scenario there are three more NICs
in my Suricata server.
How to copy one interface to another interface?
eth0-eth1
eth0-eth2
eth1-eth0
eth1-eth2
eth2-eth0
eth2-eth1    like this?

Peter Manev <petermanev at gmail.com> wrote on Mon, Nov 11, 2019 at 4:53 PM:

> On Thu, Oct 24, 2019 at 3:06 PM Dihin LIN <linzx11 at gmail.com> wrote:
> >
> > I want to deploy suricata as IPS in my vpc,
> > There are multiple network interfaces in my CVM, This CVM as a router
> between several vpcs,
> > so this CVM will forward other vpc's traffic.
> > For example i have eth0, eth1, eth2 three nics
> > How to configure the af_packet ips?
> >
>
> make sure you use AFPv2 and you could try like described here
> -
> https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html#af-packet-ips-mode
> (here is an example below as well):
>
> af-packet:
>  - interface: enp1s0f0
>    threads: 4 # or a number that is below half the number of cores available
>    defrag: no
>    cluster-type: cluster_flow
>    cluster-id: 98
>    copy-mode: ips
>    copy-iface: enp1s0f1
>    tpacket-v3: no
>    ring-size: 2048
>    use-mmap: yes
>
>  - interface: enp1s0f1
>    threads: 4 # or a number that is below half the number of cores available
>    cluster-id: 97
>    defrag: no
>    cluster-type: cluster_flow
>    copy-mode: ips
>    copy-iface: enp1s0f0
>    tpacket-v3: no
>    ring-size: 2048
>    use-mmap: yes
>
> >
> > af-packet:
> >   - interface: eth0
> >     threads: auto
> >     defrag: yes
> >     cluster-type: cluster_flow
> >     cluster-id: 99
> >     copy-mode: ips
> >     copy-iface: eth1
> >     buffer-size: 64535
> >     use-mmap: yes
> >
> >   - interface: eth0
> >     threads: auto
> >     defrag: yes
> >     cluster-type: cluster_flow
> >     cluster-id: 98
> >     copy-mode: ips
> >     copy-iface: eth2
> >     buffer-size: 64535
> >     use-mmap: yes
> >
> >   - interface: eth1
> >     threads: auto
> >     cluster-id: 97
> >     defrag: yes
> >     cluster-type: cluster_flow
> >     copy-mode: ips
> >     copy-iface: eth0
> >     buffer-size: 64535
> >     use-mmap: yes
> >
> >   - interface: eth1
> >     threads: auto
> >     cluster-id: 96
> >     defrag: yes
> >     cluster-type: cluster_flow
> >     copy-mode: ips
> >     copy-iface: eth2
> >     buffer-size: 64535
> >     use-mmap: yes
> >
> >   - interface: eth2
> >     threads: auto
> >     cluster-id: 95
> >     defrag: yes
> >     cluster-type: cluster_flow
> >     copy-mode: ips
> >     copy-iface: eth0
> >     buffer-size: 64535
> >     use-mmap: yes
> >
> >   - interface: eth2
> >     threads: auto
> >     cluster-id: 94
> >     defrag: yes
> >     cluster-type: cluster_flow
> >     copy-mode: ips
> >     copy-iface: eth1
> >     buffer-size: 64535
> >     use-mmap: yes
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
>
>
> --
> Regards,
> Peter Manev
>
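Added example, not code from the thread or from Suricata: a small pre-flight check for the af-packet IPS pairing discussed above. It encodes the rules visible in Peter's two-NIC example (copy-mode ips with a copy-iface whose own entry copies back, tpacket-v3 off, distinct cluster-ids) and flags an interface that appears in more than one entry, which is what the six-entry three-NIC attempt does. The entries are Python dicts mirroring the YAML keys; `ips_pair` and the sample configs are constructed for the example.

```python
# Added example, not code from the thread or from Suricata itself.
# Sanity-check the af-packet IPS section before starting the engine.
# Entries are Python dicts mirroring the YAML keys used in the thread.

def check_afpacket_ips(entries):
    """Return a list of problems found in an af-packet IPS configuration.

    Checks: each interface configured once (an entry names a single
    copy-iface, so one NIC cannot be paired with two peers); copy-mode ips
    has a copy-iface whose own entry copies back; tpacket-v3 not enabled
    in IPS mode; cluster-id unique per entry.
    """
    problems = []
    count, copies, cluster_ids = {}, {}, {}
    for e in entries:
        iface = e["interface"]
        count[iface] = count.get(iface, 0) + 1
        if e.get("copy-mode") == "ips":
            peer = e.get("copy-iface")
            if peer is None:
                problems.append(f"{iface}: copy-mode ips without copy-iface")
            else:
                copies.setdefault(iface, set()).add(peer)
            if e.get("tpacket-v3") in ("yes", True):
                problems.append(f"{iface}: tpacket-v3 must be 'no' in IPS mode")
        cid = e.get("cluster-id")
        if cid in cluster_ids:
            problems.append(f"{iface}: cluster-id {cid} already used by {cluster_ids[cid]}")
        cluster_ids[cid] = iface
    for iface, n in count.items():
        if n > 1:
            problems.append(f"{iface}: configured {n} times; use one entry per interface")
    for iface, peers in copies.items():
        for peer in peers:
            if peer not in count:
                problems.append(f"{iface}: copy-iface {peer} has no af-packet entry")
            elif iface not in copies.get(peer, set()):
                problems.append(f"{iface}: copy-iface {peer} does not copy back to {iface}")
    return problems

def ips_pair(a, b, cid):
    """Constructed helper: one side of a two-way IPS bridge, as in the quoted example."""
    return {"interface": a, "copy-mode": "ips", "copy-iface": b, "cluster-id": cid,
            "cluster-type": "cluster_flow", "tpacket-v3": "no", "use-mmap": "yes"}

# Constructed samples: the two-NIC bridge from the reply (clean) and the
# six-entry three-NIC attempt from the question (every NIC configured twice).
TWO_NIC = [ips_pair("enp1s0f0", "enp1s0f1", 98), ips_pair("enp1s0f1", "enp1s0f0", 97)]
THREE_NIC_ATTEMPT = [ips_pair(a, b, cid) for (a, b), cid in zip(
    [("eth0", "eth1"), ("eth0", "eth2"), ("eth1", "eth0"),
     ("eth1", "eth2"), ("eth2", "eth0"), ("eth2", "eth1")], range(99, 93, -1))]

if __name__ == "__main__":
    for name, cfg in (("two-nic", TWO_NIC), ("three-nic attempt", THREE_NIC_ATTEMPT)):
        print(name, check_afpacket_ips(cfg) or "OK")
```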