To install IDPS on a VM:
Configure network interfaces. For example:
# The loopback network interface
auto lo
iface lo inet loopback

# The internal network interface
auto eth0
iface eth0 inet dhcp

# The external network interface
auto eth1
iface eth1 inet dhcp

# The management network interface (recommended)
auto eth2
iface eth2 inet dhcp
Install Suricata IDPS.
Note
To enable NFQUEUE for IPS mode, install the Netfilter packages and configure Suricata with the --enable-nfqueue option before building. See the IPS mode with NFQUEUE section below for steps.
To capture packets as they arrive on the NIC, without the network adapter reassembling them, turn off offloading on the interface you want to sniff. For example, configure eth0 with ethtool as root:
ethtool -K eth0 rx off tx off sg off tso off gso off rxvlan off txvlan off gro off lro off
Note
If offloads are enabled, the adapter may reassemble incoming packets, which changes the packet structure and increases the packet size, and Suricata may not process such reassembled packets correctly. If GRO or LRO is enabled, Suricata prints the following error at launch:
[ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.
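The following shell script is an added example, not part of the original page or of Suricata's own tooling. It parses the output of ethtool -k to confirm that the offloads disabled by the ethtool -K command above are actually off before Suricata is started. The two ethtool -k listings embedded in it are constructed sample output; on a real host pass the live output instead, for example offloads_ok "$(ethtool -k eth0)".

```shell
#!/bin/sh
# Added example, not from the original page or from Suricata: verify that the
# offloads the page disables with "ethtool -K" are really off by parsing
# "ethtool -k" output. Both listings below are constructed sample output
# (real ethtool indents sub-features with a tab; spaces are used here).

# Constructed "ethtool -k eth0" output before offloads are disabled.
ETHTOOL_BEFORE='Features for eth0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
    tx-checksum-ip-generic: on
scatter-gather: on
    tx-scatter-gather: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on'

# Constructed output after running the page's command:
# ethtool -K eth0 rx off tx off sg off tso off gso off rxvlan off txvlan off gro off lro off
ETHTOOL_AFTER='Features for eth0:
rx-checksumming: off
tx-checksumming: off
    tx-checksum-ipv4: off [fixed]
    tx-checksum-ip-generic: off
scatter-gather: off
    tx-scatter-gather: off
tcp-segmentation-offload: off
    tx-tcp-segmentation: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: off
tx-vlan-offload: off'

# Long feature names matching the short "-K" keywords used on the page:
# rx tx sg tso gso gro lro rxvlan txvlan.
WATCHED_OFFLOADS='rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload rx-vlan-offload tx-vlan-offload'

# Print, one per line, every watched top-level feature whose state is "on".
# Indented sub-feature lines are ignored; "off [fixed]" counts as off.
offloads_still_on() {
  printf '%s\n' "$1" | awk -v wanted="$WATCHED_OFFLOADS" '
    BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    /^[^ \t]/ && $1 ~ /:$/ {
      name = substr($1, 1, length($1) - 1)
      if ((name in want) && $2 == "on") print name
    }'
}

# Exit 0 when no watched offload is on, i.e. the interface is ready to sniff.
offloads_ok() {
  [ -z "$(offloads_still_on "$1")" ]
}

# Usage against the constructed samples; with a real interface run
# offloads_ok "$(ethtool -k eth0)" before starting Suricata.
echo "Still on before:"; offloads_still_on "$ETHTOOL_BEFORE"
offloads_ok "$ETHTOOL_AFTER" && echo "After: all watched offloads are off"
```

Features reported as "off [fixed]" cannot be changed by the driver, which is why large-receive-offload is not flagged even in the "before" sample; the ethtool -K command on the page still succeeds for the remaining features.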
To extract files larger than 1 Mb from HTTP traffic, increase the value of the stream engine option stream.reassembly.depth in suricata.yaml (default is 1 Mb), which controls how deep into a stream Suricata inspects, or set it to 0 for no limit.
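The following shell script is an added example, not code from the original page or from the Suricata project. It embeds a constructed suricata.yaml fragment (the key path stream.reassembly.depth is the option the page names) and reads the configured depth to test whether an HTTP file of a given size can be extracted in full, which is the check to make before relying on file extraction.

```shell
#!/bin/sh
# Added example, not part of the original page or of Suricata itself. It
# reads stream.reassembly.depth from a constructed suricata.yaml fragment and
# checks whether a file of a given size falls within the inspected depth.

# Constructed fragment; a real suricata.yaml has many more keys.
SURICATA_YAML_FRAGMENT='stream:
  memcap: 64mb
  checksum-validation: yes
  reassembly:
    memcap: 256mb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
'

# Print the raw depth value (e.g. "1mb") found under stream.reassembly.
reassembly_depth_raw() {
  printf '%s\n' "$1" | awk '
    /^  reassembly:/ { in_reassembly = 1; next }
    in_reassembly && /^  [^ ]/ { in_reassembly = 0 }
    in_reassembly && /^    depth:/ { print $2; exit }
  '
}

# Convert a Suricata size string (plain bytes or a kb/mb/gb suffix) to bytes.
size_to_bytes() {
  value=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$value" in
    *kb) echo $(( ${value%kb} * 1024 )) ;;
    *mb) echo $(( ${value%mb} * 1024 * 1024 )) ;;
    *gb) echo $(( ${value%gb} * 1024 * 1024 * 1024 )) ;;
    *)   echo "$value" ;;
  esac
}

# Exit 0 if a file of $2 bytes fits inside the depth configured in $1.
# A depth of 0 means unlimited, as the page describes; if the key is
# absent, fall back to the 1 Mb default the page states.
file_within_depth() {
  raw=$(reassembly_depth_raw "$1")
  [ -n "$raw" ] || raw=1mb
  depth=$(size_to_bytes "$raw")
  [ "$depth" -eq 0 ] || [ "$2" -le "$depth" ]
}

# Usage: check a 1 MiB file and a 5 MiB file against the constructed config.
if file_within_depth "$SURICATA_YAML_FRAGMENT" 1048576; then
  echo "1 MiB file: within depth"
fi
if ! file_within_depth "$SURICATA_YAML_FRAGMENT" 5242880; then
  echo "5 MiB file: exceeds depth, raise stream.reassembly.depth or set it to 0"
fi
```

Raising the depth keeps more data per stream in memory, so where memory is tight set it to the largest file size you actually need to extract rather than 0.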
You can run IDPS in one of two modes, depending on the service type:
Analyzing traffic and generating alerts.
Blocking or modifying packets and generating alerts.
You can deploy IDPS in one of two ways, depending on the service mode:
The IDS or IPS is placed between at least two networks, and packets are routed through it.
The IDS or IPS forwards packets between network interfaces without modification.
See also