In IDS mode you can use the following actions:
- pass: stops scanning the packet matched by a signature and skips to the end of all rules (only for this packet)
- alert: IDS fires up an alert for the packet matched by a signature
To set up IDS as a router between two networks, configure iptables to forward and masquerade packets between networks.
To route traffic in IDS mode between the internal network connected to the eth0 network interface of the IPS VM and the external network connected to eth1, run the following commands:
sysctl -w net.ipv4.ip_forward=1
/etc/init.d/networking restart
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
Note
If you need to route the traffic that goes to the Internet, add an extra network interface to the IDPS VM and connect it to the Contrail internal network (SNAT). Route packets from the internal and external networks to the Contrail internal network, so that Contrail Controller can in turn deliver them to a BGP router connected to the Internet.
You can also use the In-Network-NAT mode to simplify packet routing between networks. In this mode, return traffic does not need to be routed back to the source network.
To test the IDS mode on the created VM:
Create the /etc/suricata/rules/test.rules file and write the following rule:
alert http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase; classtype:policy-violation; sid:1; rev:1;)
Add test.rules to the list of rules in the suricata.yaml configuration file.
Reboot the IDPS VM or start Suricata manually in daemon mode:
sudo suricata -c /etc/suricata/suricata.yaml -i eth0 -D
Verify that suricata.log contains no errors after Suricata starts up:
tail -f /etc/suricata/suricata.log
Make any HTTP request containing the word Alarm. For example:
curl http://google.com/Alarm
View fast.log to check whether Suricata generated the expected alert message, Alarm detected:
tail -f /etc/suricata/fast.log
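The two checks above (that the rule in test.rules is well formed, and that fast.log then carries an alert with that rule's sid and msg) can be automated. The following script is an added example and is not part of the original documentation or of Suricata itself: it parses the test rule from this page with a small rule parser, parses fast.log lines with a regular expression matching Suricata's fast.log format, and cross-checks that alerts for sid 1 with the message "Alarm detected" were logged. The fast.log lines embedded in it are constructed samples (the timestamps, addresses and the unrelated sid 9000001 are made up), and alerts_for_rule and is_valid_rule are hypothetical helper names.

```python
"""Cross-check a Suricata test rule against fast.log entries.

Added example, not code from the original documentation. The fast.log
sample below is constructed; only the rule text comes from the page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Suricata rule actions relevant to IDS/IPS mode.
VALID_ACTIONS = {"alert", "pass", "drop", "reject"}

# The rule from /etc/suricata/rules/test.rules as given on the page.
TEST_RULE = (
    'alert http any any -> any any (msg:"Alarm detected"; content:"Alarm"; '
    'nocase; classtype:policy-violation; sid:1; rev:1;)'
)

# Constructed fast.log sample: two hits for sid 1 plus one unrelated alert
# (sid 9000001 and all addresses/timestamps are made-up values).
SAMPLE_FAST_LOG = """\
02/14/2024-10:15:32.123456  [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:43210 -> 198.51.100.10:80
02/14/2024-10:15:40.654321  [**] [1:9000001:1] Constructed unrelated alert [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.9:80 -> 10.0.0.5:51000
02/14/2024-10:16:01.000001  [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:43211 -> 198.51.100.10:80
"""


@dataclass
class Rule:
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: Dict[str, Optional[str]] = field(default_factory=dict)


# One rule option: keyword, optional ":value" (quoted or bare), terminated by ';'.
_OPTION_RE = re.compile(r'\s*([A-Za-z0-9_.-]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_rule(text: str) -> Rule:
    """Parse a single-line Suricata rule into header fields and options."""
    header, sep, body = text.strip().partition("(")
    if not sep or not body.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    parts = header.split()  # action proto src src_port dir dst dst_port
    if len(parts) != 7 or parts[4] not in ("->", "<>"):
        raise ValueError("malformed rule header: " + header)
    if parts[0] not in VALID_ACTIONS:
        raise ValueError("unknown rule action %r" % parts[0])
    options: Dict[str, Optional[str]] = {}
    for m in _OPTION_RE.finditer(body[:-1]):
        key, value = m.group(1), m.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]  # strip the surrounding quotes
        options[key] = value
    for required in ("msg", "sid", "rev"):
        if required not in options:
            raise ValueError("rule is missing the %s keyword" % required)
    if not (options["sid"] or "").isdigit() or not (options["rev"] or "").isdigit():
        raise ValueError("sid and rev must be integers")
    return Rule(parts[0], parts[1], parts[2], parts[3], parts[4], parts[5], parts[6], options)


def is_valid_rule(text: str) -> bool:
    """True when parse_rule accepts the rule text (hypothetical helper)."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str


# Shape of one fast.log line: time [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src -> dst
_FAST_LOG_RE = re.compile(
    r"^(\S+)\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(.*?)\]\s+\[Priority:\s*(\d+)\]\s+\{(\w+)\}\s+(\S+)\s+->\s+(\S+)\s*$"
)


def parse_fast_log(text: str) -> List[Alert]:
    """Parse fast.log text into Alert records; raise on an unrecognised line."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _FAST_LOG_RE.match(line)
        if m is None:
            raise ValueError("unrecognised fast.log line: " + line)
        ts, gid, sid, rev, msg, cls, prio, proto, src, dst = m.groups()
        alerts.append(Alert(ts, int(gid), int(sid), int(rev), msg, cls, int(prio), proto, src, dst))
    return alerts


def alerts_for_rule(rule: Rule, fast_log_text: str) -> List[Alert]:
    """Return the alerts whose sid and msg match the given rule (hypothetical helper)."""
    sid = int(rule.options["sid"] or "0")
    return [a for a in parse_fast_log(fast_log_text)
            if a.sid == sid and a.msg == rule.options["msg"]]


if __name__ == "__main__":
    rule = parse_rule(TEST_RULE)
    hits = alerts_for_rule(rule, SAMPLE_FAST_LOG)
    print("%d alert(s) for sid %s (%s)" % (len(hits), rule.options["sid"], rule.options["msg"]))
    for a in hits:
        print("  %s %s -> %s" % (a.timestamp, a.src, a.dst))
```

Run against a real fast.log by replacing SAMPLE_FAST_LOG with the file contents; a count of zero after the curl request means the rule was not loaded or the traffic did not pass the monitored interface, and a parse error points at a line in a different log format (for example, an EVE JSON line copied by mistake).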