IPS mode using AF_PACKET

AF_PACKET establishes a software bridge between two interfaces by copying packets from one interface to the other (and back).

To enable IPS mode using the ``AF_PACKET`` Linux bridge:

  1. Edit the af-packet section in the suricata.yaml configuration file:

    af-packet:
      - interface: eth0
        threads: auto
        defrag: yes
        cluster-type: cluster_flow
        cluster-id: 98
        copy-mode: ips
        copy-iface: eth1
        buffer-size: 64535
        use-mmap: yes
      - interface: eth1
        threads: auto
        cluster-id: 97
        defrag: yes
        cluster-type: cluster_flow
        copy-mode: ips
        copy-iface: eth0
        buffer-size: 64535
        use-mmap: yes

    Note

    cluster-id groups the capture threads that belong to one interface when load balancing. cluster-id values must be different for every interface.

  2. Start Suricata with the --af-packet option:

    suricata -c /etc/suricata/suricata.yaml --af-packet -D
    
  3. Verify that Suricata has turned on the IPS mode.

    1. Modify the test rule in the /etc/suricata/rules/test.rules file to drop or reject packets:

      drop http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase; classtype:policy-violation; sid:1; rev:1;)

      or

      reject http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase; classtype:policy-violation; sid:1; rev:1;)
    2. View http traffic on the destination interface eth1 on the IPS VM:

      sudo tcpdump -i eth1 tcp port <HTTP_PORT> -A -w tcpdump.output
      
    3. Download the test file with the Alarm word inside on the IPS VM. For example:

      wget http://<WEB_SERVER_IP>/test
      
    4. Terminate tcpdump and check the captured output (traffic bridged to the destination interface eth1) to verify whether the test file containing the Alarm word was blocked by the IPS.
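Before starting Suricata (step 2), it is worth checking that the af-packet section from step 1 actually describes a bridge: both interfaces in ips copy-mode, each naming the other as copy-iface, and distinct cluster-id values as the Note requires. The script below is an added example, not part of this page or of Suricata; it uses only the standard library (a minimal parser for the flat list-of-mappings shape of the af-packet section, so PyYAML is not needed) and runs against two constructed fragments, one mirroring the configuration above and one deliberately broken.

```python
"""Sanity-check an af-packet IPS bridge configuration (added example)."""
import re
from typing import Dict, List

# Constructed sample mirroring the configuration shown in step 1.
SAMPLE_GOOD = """\
af-packet:
  - interface: eth0
    threads: auto
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1
    threads: auto
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
"""

# Constructed broken variant: duplicate cluster-id, eth1 left in tap mode
# and pointing at an interface that is not configured at all.
SAMPLE_BAD = """\
af-packet:
  - interface: eth0
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    cluster-id: 98
    copy-mode: tap
    copy-iface: eth2
"""

_ITEM_RE = re.compile(r"^\s*-\s+([\w-]+):\s*(.*)$")   # "- interface: eth0"
_KV_RE = re.compile(r"^\s+([\w-]+):\s*(.*)$")         # "  cluster-id: 98"


def parse_af_packet(text: str) -> List[Dict[str, str]]:
    """Return the list of interface mappings under the top-level af-packet: key.

    Only the flat shape used by this section is supported; values stay strings.
    """
    entries: List[Dict[str, str]] = []
    in_section = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t", "-")):
            # A top-level key: we are inside af-packet only directly below it.
            in_section = line.split(":", 1)[0].strip() == "af-packet"
            continue
        if not in_section:
            continue
        m = _ITEM_RE.match(line)
        if m:
            entries.append({m.group(1): m.group(2).strip()})
            continue
        m = _KV_RE.match(line)
        if m and entries:
            entries[-1][m.group(1)] = m.group(2).strip()
    return entries


def check_ips_bridge(entries: List[Dict[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means the bridge is consistent."""
    problems: List[str] = []
    by_name = {e["interface"]: e for e in entries if "interface" in e}
    cluster_owner: Dict[str, str] = {}
    for name, e in by_name.items():
        if e.get("copy-mode") != "ips":
            problems.append(f"{name}: copy-mode is {e.get('copy-mode', 'unset')}, expected ips")
        peer = e.get("copy-iface")
        if peer is None:
            problems.append(f"{name}: copy-iface missing")
        elif peer not in by_name:
            problems.append(f"{name}: copy-iface {peer} is not a configured interface")
        elif by_name[peer].get("copy-iface") != name:
            problems.append(f"{name}: {peer} does not copy back to {name}")
        cid = e.get("cluster-id")
        if cid is None:
            problems.append(f"{name}: cluster-id missing")
        elif cid in cluster_owner:
            problems.append(f"{name}: cluster-id {cid} already used by {cluster_owner[cid]}")
        else:
            cluster_owner[cid] = name
    return problems


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_ips_bridge(parse_af_packet(sample)) or "OK")
```

Point the script at a real file by reading `/etc/suricata/suricata.yaml` into `text` before calling `parse_af_packet`; a non-empty result from `check_ips_bridge` is a reason to fix the configuration before Suricata is started in IPS mode, since a one-sided bridge silently drops the return direction instead of inspecting it.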