[Oisf-users] Suricata IPS mode with AF_PACKET with multiple interfaces

Dihin Lam linzx11 at gmail.com
Mon Nov 25 10:10:39 UTC 2019


Yes, you are right, but af_packet's performance is better than nfqueue.

On Wed, Nov 20, 2019 at 11:43 PM, Amar Rathore - CounterSnipe Systems <amar at countersnipe.com> wrote:

> Why not use suri with iptables instead. I have successfully achieved IPS
> with a single interface on an EC2 AWS server using iptables. It even allows
> you to discard everything else but what is allowed. Then push the allowed traffic to Suri.
>
> Especially in this case you will be able to manage it much better.
>
> Amar
>
> On November 20, 2019 at 9:48 AM Peter Manev < petermanev at gmail.com>
> wrote:
>
>
> On Thu, Nov 14, 2019 at 9:34 AM Dihin LIN < linzx11 at gmail.com> wrote:
> >
>
> Thanks Peter,
> in your example there are just two nics, but in my scenario there are three more nics
> in my suricata server.
> How to copy one interface to another interface?
> eth0-eth1
> eth0-eth2
> eth1-eth0
> eth1-eth2
> eth2-eth0
> eth2-eth1 like this?
>
>
> Sorry for the late reply.
> I actually have not tried something similar in AWS/cloud - not sure if
> it will work.
> So basically eth0 can send/route packets on both eth1 and eth2 and
> vice versa, right?
> Maybe you can configure just one interface and let the routing do its
> job afterwards?
>
> On Mon, Nov 11, 2019 at 4:53 PM, Peter Manev < petermanev at gmail.com> wrote:
> >
>
> On Thu, Oct 24, 2019 at 3:06 PM Dihin LIN < linzx11 at gmail.com> wrote:
> >
>
> I want to deploy suricata as IPS in my vpc.
> There are multiple network interfaces in my CVM; this CVM acts as a router
> between several vpcs,
> so this CVM will forward the other vpcs' traffic.
> For example, I have three nics: eth0, eth1, eth2.
> How to configure the af_packet ips?
>
>
> Make sure you use AFPv2, and you could try it as described here -
> https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html#af-packet-ips-mode
> (an example is below as well):
>
> af-packet:
>   - interface: enp1s0f0
>     threads: 4 # or a number that is below half the number of cores available
>     defrag: no
>     cluster-type: cluster_flow
>     cluster-id: 98
>     copy-mode: ips
>     copy-iface: enp1s0f1
>     tpacket-v3: no
>     ring-size: 2048
>     use-mmap: yes
>
>   - interface: enp1s0f1
>     threads: 4 # or a number that is below half the number of cores available
>     cluster-id: 97
>     defrag: no
>     cluster-type: cluster_flow
>     copy-mode: ips
>     copy-iface: enp1s0f0
>     tpacket-v3: no
>     ring-size: 2048
>     use-mmap: yes
>
> af-packet:
>   - interface: eth0
>     threads: auto
>     defrag: yes
>     cluster-type: cluster_flow
>     cluster-id: 99
>     copy-mode: ips
>     copy-iface: eth1
>     buffer-size: 64535
>     use-mmap: yes
>
>   - interface: eth0
>     threads: auto
>     defrag: yes
>     cluster-type: cluster_flow
>     cluster-id: 98
>     copy-mode: ips
>     copy-iface: eth2
>     buffer-size: 64535
>     use-mmap: yes
>
>   - interface: eth1
>     threads: auto
>     cluster-id: 97
>     defrag: yes
>     cluster-type: cluster_flow
>     copy-mode: ips
>     copy-iface: eth0
>     buffer-size: 64535
>     use-mmap: yes
>
>   - interface: eth1
>     threads: auto
>     cluster-id: 96
>     defrag: yes
>     cluster-type: cluster_flow
>     copy-mode: ips
>     copy-iface: eth2
>     buffer-size: 64535
>     use-mmap: yes
>
>   - interface: eth2
>     threads: auto
>     cluster-id: 95
>     defrag: yes
>     cluster-type: cluster_flow
>     copy-mode: ips
>     copy-iface: eth0
>     buffer-size: 64535
>     use-mmap: yes
>
>   - interface: eth2
>     threads: auto
>     cluster-id: 94
>     defrag: yes
>     cluster-type: cluster_flow
>     copy-mode: ips
>     copy-iface: eth1
>     buffer-size: 64535
>     use-mmap: yes
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
>
>
>
> --
> Regards,
> Peter Manev
>
>
>
>
> --
> Regards,
> Peter Manev
>
>
> Kind regards
>
> Amar Rathore
> Tel: +1 617 765 0633  - PLEASE NOTE CHANGED TELEPHONE NUMBER
> Mobile: +91 8800 596506
>
>
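As an added check that is not part of the thread: a small validator for the pairing rules an af-packet IPS configuration has to satisfy (one copy-iface per interface, each interface defined once, symmetric pairs, unique cluster-ids, tpacket-v3 explicitly off as in Peter's sample), run against the two configurations quoted above re-typed as Python data rather than parsed from suricata.yaml.

```python
# Added example, not from the thread: sanity-check the af-packet IPS pairing rules.
# Rules follow the Suricata af-packet IPS docs and Peter's sample: an IPS entry names
# exactly one copy-iface, each interface is defined once, pairs are symmetric (A copies
# to B and B back to A), cluster-ids are unique, and tpacket-v3 is explicitly "no".

def check_afpacket_ips(entries):
    """Return a list of problems; an empty list means the pairing is sound."""
    problems, seen, cluster_ids, targets = [], set(), {}, {}
    for e in entries:
        iface = e.get("interface")
        if iface in seen:
            problems.append(f"{iface} is defined more than once")
        seen.add(iface)
        cid = e.get("cluster-id")
        if cid in cluster_ids:
            problems.append(f"cluster-id {cid} reused by {cluster_ids[cid]} and {iface}")
        cluster_ids.setdefault(cid, iface)
        if e.get("copy-mode") == "ips":
            if not e.get("copy-iface"):
                problems.append(f"{iface}: copy-mode ips without copy-iface")
            else:
                targets.setdefault(iface, set()).add(e["copy-iface"])
            if e.get("tpacket-v3") != "no":
                problems.append(f"{iface}: tpacket-v3 must be explicitly 'no' in IPS mode")
            if e.get("use-mmap") != "yes":
                problems.append(f"{iface}: use-mmap must be yes for copy mode")
    for iface, peers in targets.items():
        if len(peers) > 1:
            problems.append(f"{iface} copies to {sorted(peers)}; copy mode pairs exactly two interfaces")
        for peer in peers:
            if iface not in targets.get(peer, set()):
                problems.append(f"{iface} copies to {peer} but {peer} does not copy back")
    return problems

# Peter's two-NIC sample from the thread (only the fields the checks look at)
PETER_TWO_NIC = [
    {"interface": "enp1s0f0", "cluster-id": 98, "copy-mode": "ips",
     "copy-iface": "enp1s0f1", "tpacket-v3": "no", "use-mmap": "yes"},
    {"interface": "enp1s0f1", "cluster-id": 97, "copy-mode": "ips",
     "copy-iface": "enp1s0f0", "tpacket-v3": "no", "use-mmap": "yes"},
]

# Dihin's three-NIC attempt: every interface listed twice, each copying to two peers
DIHIN_THREE_NIC = [
    {"interface": a, "cluster-id": cid, "copy-mode": "ips", "copy-iface": b, "use-mmap": "yes"}
    for a, b, cid in [("eth0", "eth1", 99), ("eth0", "eth2", 98), ("eth1", "eth0", 97),
                      ("eth1", "eth2", 96), ("eth2", "eth0", 95), ("eth2", "eth1", 94)]
]
```

Running check_afpacket_ips on DIHIN_THREE_NIC reports each interface as defined twice and copying to two peers, which is why a 1:1 copy-iface pairing cannot express a three-way forwarding node.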