``AF_PACKET`` establishes a software bridge between two interfaces by copying packets from one interface to the other (and back).
To enable IPS mode using the ``AF_PACKET`` Linux bridge:

Edit the ``af-packet`` section in the ``suricata.yaml`` configuration file:
    af-packet:
      - interface: eth0
        threads: auto
        defrag: yes
        cluster-type: cluster_flow
        cluster-id: 98
        copy-mode: ips
        copy-iface: eth1
        buffer-size: 64535
        use-mmap: yes
      - interface: eth1
        threads: auto
        cluster-id: 97
        defrag: yes
        cluster-type: cluster_flow
        copy-mode: ips
        copy-iface: eth0
        buffer-size: 64535
        use-mmap: yes
Note: ``cluster-id`` is used to group the threads of a given interface when load balancing. ``cluster-id`` values should be different for every interface.
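The two entries above must mirror each other (``copy-iface`` on each side names the other) and, as the note says, carry distinct ``cluster-id`` values. The following checker is an added example, not part of the Suricata documentation; it reads only the flat list form shown on this page and uses a constructed, abridged copy of that configuration as input.

```python
# Added example, not part of the Suricata documentation: a consistency check
# for an af-packet IPS bridge like the one above. It reads only the flat
# "- interface:" list shown on this page, not general YAML, so no PyYAML needed.
# SAMPLE_CONFIG is a constructed, abridged copy of the bridge above.
SAMPLE_CONFIG = """
af-packet:
  - interface: eth0
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    cluster-id: 97
    copy-mode: ips
    copy-iface: eth0
"""

def parse_af_packet(text):
    """Return the af-packet list as dicts, e.g. {'interface': 'eth0', 'copy-mode': 'ips', ...}."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "af-packet:":
            continue
        if line.startswith("- "):  # a new interface entry begins here
            entries.append({})
            line = line[2:]
        key, _, value = line.partition(":")
        entries[-1][key.strip()] = value.strip()
    return entries

def check_ips_bridge(entries):
    """Return a list of findings; an empty list means the bridge is consistent."""
    findings = []
    by_name = {e.get("interface"): e for e in entries}
    owner_of_id = {}
    for e in entries:
        name, cid = e.get("interface"), e.get("cluster-id")
        if cid in owner_of_id:  # the note above: one cluster-id per interface
            findings.append(f"{name}: cluster-id {cid} already used by {owner_of_id[cid]}")
        owner_of_id.setdefault(cid, name)
        if e.get("copy-mode") != "ips":
            findings.append(f"{name}: copy-mode is {e.get('copy-mode')!r}, expected 'ips'")
            continue
        peer = e.get("copy-iface")
        if not peer or peer == name:
            findings.append(f"{name}: copy-iface missing or points at itself")
        elif peer not in by_name:
            findings.append(f"{name}: copy-iface {peer} has no af-packet entry")
        elif by_name[peer].get("copy-iface") != name:
            findings.append(f"{name} -> {peer} is not mirrored by {peer} -> {name}")
    return findings
```

Running ``check_ips_bridge(parse_af_packet(SAMPLE_CONFIG))`` on the configuration above returns an empty list; a duplicated ``cluster-id`` or a one-sided ``copy-iface`` shows up as a finding.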
Start Suricata with the ``--af-packet`` option:

    suricata -c /etc/suricata/suricata.yaml --af-packet -D
Verify that Suricata has enabled IPS mode.
Modify the test rule in the ``/etc/suricata/rules/test.rules`` file to drop or reject packets:

    drop http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase; classtype:policy-violation; sid:1; rev:1;)

or

    reject http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase; classtype:policy-violation; sid:1; rev:1;)
View HTTP traffic on the destination interface ``eth1`` on the IPS VM:

    sudo tcpdump -i eth1 tcp port <HTTP_PORT> -A -w tcpdump.output
Download the test file containing the word ``Alarm`` on the IPS VM. For example:

    wget http://<WEB_SERVER_IP>/test
Terminate tcpdump and check the tcpdump output log, which contains the traffic bridged to the destination interface ``eth1``, to verify that the test file containing the word ``Alarm`` was blocked by the IPS.