IDS mode

In IDS mode you can use the following actions:

  • Pass

    Stops scanning the packet matched by a signature and skips to the end of all rules (only for this packet)

  • Alert

    IDS fires an alert for the packet matched by a signature

To set up IDS as a router between two networks, configure iptables to forward and masquerade packets between networks.

To route traffic in IDS mode between an internal network connected to the eth0 network interface of the IDPS VM and an external network connected to eth1, run the following commands:

sysctl -w net.ipv4.ip_forward=1
/etc/init.d/networking restart
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Note

If you need to route the traffic that goes to the Internet, add an extra network interface to the IDPS VM and connect it to the Contrail internal network (SNAT). Route packets from the internal and external networks to the Contrail internal network, so that the Contrail Controller can in turn deliver them to a BGP router connected to the Internet.

You can also use In-Network-NAT mode to simplify packet routing between networks. In this mode, return traffic does not need to be routed back to the source network.

To test the IDS mode on the created VM:

  1. Create /etc/suricata/rules/test.rules file and write the following rule:

    alert http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase;
    classtype:policy-violation; sid:1; rev:1;)
    
  2. Add test.rules to the list of rule files in the suricata.yaml configuration file.

  3. Reboot the IDPS VM or start Suricata manually in daemon mode:

    sudo suricata -c /etc/suricata/suricata.yaml -i eth0 -D
    
  4. Verify that suricata.log contains no errors after Suricata starts up:

    tail -f /etc/suricata/suricata.log
    
  5. Make any HTTP request with the word Alarm. For example:

    curl http://google.com/Alarm
    
  6. View fast.log to check that Suricata generated the expected alert message, Alarm detected:

    tail -f /etc/suricata/fast.log
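As an added example (not part of the original page or of Suricata itself), a small Python parser for the fast.log lines that step 6 tells you to inspect, so the check for the sid 1 alert can be scripted instead of eyeballed. The sample log content is constructed; the classification text assumes the default classification.config mapping for policy-violation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Default fast.log line layout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <p>] {<proto>} <src>:<sport> -> <dst>:<dport>
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

@dataclass
class FastLogAlert:
    timestamp: str
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    dst: str

def parse_fast_log(text: str) -> List[FastLogAlert]:
    """Parse fast.log content; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        alerts.append(FastLogAlert(
            timestamp=m["ts"], sid=int(m["sid"]), rev=int(m["rev"]), msg=m["msg"],
            classification=m["classification"], priority=int(m["priority"]),
            proto=m["proto"], src=m["src"], dst=m["dst"]))
    return alerts

def alerts_for_sid(text: str, sid: int) -> List[FastLogAlert]:
    """Return only the alerts raised by the signature with the given sid (sid 1 is the test rule)."""
    return [a for a in parse_fast_log(text) if a.sid == sid]

# Constructed sample fast.log content (not captured from a real VM): one hit from the
# test rule, one unrelated alert with a constructed sid, and one line of unparsable noise.
SAMPLE_FAST_LOG = """\
01/01/2024-12:00:00.123456  [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.10.5:51234 -> 172.217.16.46:80
01/01/2024-12:00:01.000000  [**] [1:9000001:1] Constructed unrelated alert [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.10.5:40000 -> 10.0.0.1:53
garbage line that is not an alert
"""

if __name__ == "__main__":
    for a in alerts_for_sid(SAMPLE_FAST_LOG, 1):
        print(f"{a.timestamp} sid={a.sid} {a.msg!r} {a.proto} {a.src} -> {a.dst}")
```

To run it against the real file from step 6, pass the contents of /etc/suricata/fast.log to alerts_for_sid in place of SAMPLE_FAST_LOG.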