[Oisf-users] Suricata IPS mode with AF_PACKET with multiple interfaces

Peter Manev petermanev at gmail.com
Wed Nov 20 14:48:44 UTC 2019


On Thu, Nov 14, 2019 at 9:34 AM Dihin LIN <linzx11 at gmail.com> wrote:
>
> Thanks peter,
> in your example just two nics, but in my scenario there are three more nics in my suricata server.
> How to copy one interface to another face?
> eth0-eth1
> eth0-eth2
> eth1-eth0
> eth1-eth2
> eth2-eth0
> eth2-eth1    like this?
>

Sorry for the late reply.
I actually have not tried something similar in AWS/cloud - not sure if
it will work.
So basically eth0 can send/route packets on both eth1 and eth2 and
vice versa, right?
Maybe you can configure just one interface and let the routing do its
job afterwards?

> Peter Manev <petermanev at gmail.com> 于2019年11月11日周一 下午4:53写道:
>>
>> On Thu, Oct 24, 2019 at 3:06 PM Dihin LIN <linzx11 at gmail.com> wrote:
>> >
>> > I want to deploy suricata as IPS in my vpc,
>> > There are multiple network interfaces in my CVM, This CVM as a router between several vpcs,
>> > so this CVM will forward other vpc's traffic.
>> > For example i have eth0, eth1, eth2 three nics
>> > How to configure the af_packet ips?
>> >
>>
>> make sure you use AFPv2 and you could try like described here
>> -https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html#af-packet-ips-mode
>> (here is an example below as well):
>>
>> af-packet:
>>  - interface: enp1s0f0
>>    threads: 4 # or a number that is below half the number of cores available
>>    defrag: no
>>    cluster-type: cluster_flow
>>    cluster-id: 98
>>    copy-mode: ips
>>    copy-iface: enp1s0f1
>>    tpacket-v3: no
>>    ring-size: 2048
>>    use-mmap: yes
>>
>>  - interface: enp1s0f1
>>    threads: 4 # or a number that is below half the number of cores available
>>    cluster-id: 97
>>    defrag: no
>>    cluster-type: cluster_flow
>>    copy-mode: ips
>>    copy-iface: enp1s0f0
>>    tpacket-v3: no
>>    ring-size: 2048
>>    use-mmap: yes
>>
>>
>>
>>
>> >
>> > af-packet:
>> >   - interface: eth0
>> >     threads: auto
>> >     defrag: yes
>> >     cluster-type: cluster_flow
>> >     cluster-id: 99
>> >     copy-mode: ips
>> >     copy-iface: eth1
>> >     buffer-size: 64535
>> >     use-mmap: yes
>> >
>> >   - interface: eth0
>> >     threads: auto
>> >     defrag: yes
>> >     cluster-type: cluster_flow
>> >     cluster-id: 98
>> >     copy-mode: ips
>> >     copy-iface: eth2
>> >     buffer-size: 64535
>> >     use-mmap: yes
>> >
>> >   - interface: eth1
>> >     threads: auto
>> >     cluster-id: 97
>> >     defrag: yes
>> >     cluster-type: cluster_flow
>> >     copy-mode: ips
>> >     copy-iface: eth0
>> >     buffer-size: 64535
>> >     use-mmap: yes
>> >
>> >   - interface: eth1
>> >     threads: auto
>> >     cluster-id: 96
>> >     defrag: yes
>> >     cluster-type: cluster_flow
>> >     copy-mode: ips
>> >     copy-iface: eth2
>> >     buffer-size: 64535
>> >     use-mmap: yes
>> >
>> >   - interface: eth2
>> >     threads: auto
>> >     cluster-id: 95
>> >     defrag: yes
>> >     cluster-type: cluster_flow
>> >     copy-mode: ips
>> >     copy-iface: eth0
>> >     buffer-size: 64535
>> >     use-mmap: yes
>> >
>> >   - interface: eth2
>> >     threads: auto
>> >     cluster-id: 94
>> >     defrag: yes
>> >     cluster-type: cluster_flow
>> >     copy-mode: ips
>> >     copy-iface: eth1
>> >     buffer-size: 64535
>> >     use-mmap: yes
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >
>> > Conference: https://suricon.net
>> > Trainings: https://suricata-ids.org/training/
>>
>>
>>
>> --
>> Regards,
>> Peter Manev



-- 
Regards,
Peter Manev
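The two-NIC example Peter quotes pairs each interface with exactly one copy-iface and configures both directions, while the original six-entry config binds each interface several times. Below is an added lint script (not part of this thread, not Suricata's own code) that checks an af-packet section for the properties the thread's working example has: one entry per interface, unique cluster-id values, tpacket-v3 disabled on IPS entries, and a copy-iface that is itself configured and copies back. The two sample configs are constructed; the tiny parser handles only the flat key: value subset that af-packet entries use and is not a general YAML parser.

```python
"""Lint the af-packet section of a suricata.yaml for AF_PACKET IPS mode.

Added example, not code from Suricata or from the thread's authors.
The parser below reads only the flat 'key: value' subset that af-packet
entries use; it is not a general YAML parser.
"""
from collections import Counter

# Constructed sample modelled on the two-NIC example quoted in the thread.
SAMPLE_OK = """\
af-packet:
  - interface: enp1s0f0
    threads: 4 # or a number below half the number of cores
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: enp1s0f1
    tpacket-v3: no
    ring-size: 2048
    use-mmap: yes

  - interface: enp1s0f1
    threads: 4
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: enp1s0f0
    tpacket-v3: no
    ring-size: 2048
    use-mmap: yes
"""

# Constructed sample carrying the kinds of mistakes the lint should catch.
SAMPLE_BAD = """\
af-packet:
  - interface: eth0
    cluster-id: 99
    copy-mode: ips
    copy-iface: eth1
    tpacket-v3: yes
  - interface: eth0
    cluster-id: 99
    copy-mode: ips
    copy-iface: eth2
  - interface: eth1
    cluster-id: 97
    copy-mode: ips
    copy-iface: eth0
"""


def parse_af_packet(text):
    """Return one dict per '- interface:' entry found under af-packet."""
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if not in_section:
            in_section = line.strip() == "af-packet:"
            continue
        if not line.startswith(" "):           # next top-level key ends the section
            break
        item = line.strip()
        if item.startswith("- "):
            entries.append({})
            item = item[2:]
        if not entries:                        # key before any list item: ignore
            continue
        key, _, value = item.partition(":")
        entries[-1][key.strip()] = value.strip()
    return entries


def lint_ips(entries):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []

    # 1. AF_PACKET copy mode bridges an interface to one peer, so an interface
    #    must appear in a single entry (assumption behind this lint).
    for name, n in Counter(e.get("interface") for e in entries).items():
        if n > 1:
            findings.append(f"{name}: listed {n} times; use one entry per interface")

    # 2. cluster-id values must not be reused between entries.
    for cid, n in Counter(e.get("cluster-id") for e in entries).items():
        if cid is not None and n > 1:
            findings.append(f"cluster-id {cid}: reused {n} times")

    for e in entries:
        name = e.get("interface", "?")
        if e.get("copy-mode") != "ips":
            continue
        # 3. The thread's working example sets tpacket-v3: no on IPS entries.
        if e.get("tpacket-v3", "no") == "yes":
            findings.append(f"{name}: tpacket-v3 enabled on an ips entry")
        peer = e.get("copy-iface")
        if not peer:
            findings.append(f"{name}: copy-mode ips without copy-iface")
            continue
        # 4. Return path: the peer needs its own entry that copies back here.
        peer_entries = [p for p in entries if p.get("interface") == peer]
        if not peer_entries:
            findings.append(f"{name}: copy-iface {peer} has no af-packet entry")
        elif not any(p.get("copy-iface") == name for p in peer_entries):
            findings.append(f"{name} -> {peer} is one-way; {peer} does not copy back")
    return findings


def check(text):
    """Parse and lint a suricata.yaml fragment in one call."""
    return lint_ips(parse_af_packet(text))


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check(sample) or ["no findings"])
```

Run it against the af-packet section of a real suricata.yaml (read the file and pass its text to check) before bringing an inline deployment up; every finding corresponds to a condition under which traffic is either dropped silently or copied only in one direction.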

