Suricata-IDS in AF_PACKET IPS mode
by Jason.nix from LinuxQuestions.org on (#6F9MR)
Hello,
I want to run Suricata-IDS in AF_PACKET IPS mode. My Suricata-IDS server has the following NICs:
Code:# ifconfig
CLIENT: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::a00:27ff:fee5:267c prefixlen 64 scopeid 0x20<link>
ether 08:00:27:e5:26:7c txqueuelen 1000 (Ethernet)
RX packets 501 bytes 57124 (55.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 125 bytes 27865 (27.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
NAT: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::a00:27ff:fe7b:8f51 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:7b:8f:51 txqueuelen 1000 (Ethernet)
RX packets 13434 bytes 2219918 (2.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11024 bytes 9068946 (8.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
SERVER: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::a00:27ff:febc:c5a7 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:bc:c5:a7 txqueuelen 1000 (Ethernet)
RX packets 197 bytes 28169 (27.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 223 bytes 38091 (37.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
According to the Suricata-IDS documents, NICs only need to be up and do not need an IP address.
The Suricata-IDS server is located between a client and server as follows:
Code:Client ---> Suricata-IDS ---> Server
The client IP address is 192.168.1.1/24 and the server IP address is 192.168.1.2/24. I edited the /etc/suricata/suricata.yaml file and changed the af-packet part as below:
Code:af-packet:
  - interface: CLIENT
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: SERVER
    buffer-size: 64535
    use-mmap: yes
  - interface: SERVER
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: CLIENT
    buffer-size: 64535
    use-mmap: yes
After that, I ran Suricata-IDS:
Code:# suricata --af-packet
i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
i: threads: Threads created -> W: 2 FM: 1 FR: 1 Engine started.
But the client and server can't ping each other:
Code:C:\> ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Ping statistics for 192.168.1.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
C:\>
Suricata-IDS reports are as follows:
Code:# cat /var/log/suricata/suricata.log
[1520 - Suricata-Main] 2023-10-04 03:23:09 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: cpu: CPUs/cores online: 2
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: af-packet: Setting IPS mode
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: exception-policy: master exception-policy set to: auto
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: ioctl: CLIENT: MTU 1500
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: ioctl: SERVER: MTU 1500
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: conf: Running in live mode, activating unix socket
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: logopenfile: fast output device (regular) initialized: fast.log
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: logopenfile: stats output device (regular) initialized: stats.log
[1520 - Suricata-Main] 2023-10-04 03:23:10 Info: detect: 1 rule files processed. 35168 rules successfully loaded, 0 rules failed
[1520 - Suricata-Main] 2023-10-04 03:23:10 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[1520 - Suricata-Main] 2023-10-04 03:23:10 Info: detect: 35171 signatures processed. 1248 are IP-only rules, 5282 are inspecting packet payload, 28429 inspect application layer, 108 are decoder event only
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: af-packet: CLIENT: AF_PACKET IPS mode activated CLIENT->SERVER
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: runmodes: CLIENT: creating 1 thread
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: af-packet: SERVER: AF_PACKET IPS mode activated SERVER->CLIENT
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: runmodes: SERVER: creating 1 thread
[1522 - W#01-SERVER] 2023-10-04 03:23:14 Info: ioctl: SERVER: MTU 1500
[1522 - W#01-SERVER] 2023-10-04 03:23:14 Info: ioctl: CLIENT: MTU 1500
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[1520 - Suricata-Main] 2023-10-04 03:23:14 Notice: threads: Threads created -> W: 2 FM: 1 FR: 1 Engine started.
[1520 - Suricata-Main] 2023-10-04 03:24:53 Notice: suricata: Signal Received. Stopping engine.
[1520 - Suricata-Main] 2023-10-04 03:24:54 Info: suricata: time elapsed 99.884s
[1520 - Suricata-Main] 2023-10-04 03:24:55 Info: counters: Alerts: 0
[1520 - Suricata-Main] 2023-10-04 03:24:55 Notice: device: CLIENT: packets: 1, drops: 0 (0.00%), invalid chksum: 0
[1520 - Suricata-Main] 2023-10-04 03:24:55 Notice: device: SERVER: packets: 12, drops: 0 (0.00%), invalid chksum: 0
And:
Code:# cat /var/log/suricata/fast.log
#
Where is the configuration file wrong?
Thank you.
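An added check, not part of the original post: a small Python script that parses the af-packet section quoted above and validates what Suricata's AF_PACKET IPS documentation requires of an inline pair (each side names the other as copy-iface with the same copy-mode, distinct cluster-ids, equal thread counts, and no tpacket-v3, which the shipped suricata.yaml warns causes severe latency in IPS/TAP mode). The posted config passes these checks, which matches the log line "AF_PACKET IPS mode activated CLIENT->SERVER". The line-based parser, the constructed set of host interface names and the deliberately broken variant in main() are assumptions of the example; with PyYAML installed, yaml.safe_load() on the full suricata.yaml gives the same list of dicts.

```python
"""Sanity-check the af-packet section of suricata.yaml for AF_PACKET IPS mode.

Added example, not code from the original post or from the Suricata project.
The parser below only understands the flat 'key: value' items used in the
af-packet list; in practice use yaml.safe_load() and pass the 'af-packet' list.
"""

# Constructed copy of the af-packet block from the post, indented as YAML needs.
POSTED_CONFIG = """\
af-packet:
  - interface: CLIENT
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: SERVER
    buffer-size: 64535
    use-mmap: yes
  - interface: SERVER
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: CLIENT
    buffer-size: 64535
    use-mmap: yes
"""

# Constructed: interface names as they appear on the poster's host (ip -o link).
HOST_LINKS = {"CLIENT", "NAT", "SERVER", "lo"}


def parse_af_packet(text):
    """Return the list of interface dicts under the top-level 'af-packet:' key."""
    ifaces, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        item = line.strip()
        if indent == 0:                           # new top-level key
            in_block = item == "af-packet:"
            continue
        if not in_block:
            continue
        if item.startswith("- "):                 # start of a new list entry
            ifaces.append({})
            item = item[2:]
        key, _, value = item.partition(":")
        if ifaces:
            ifaces[-1][key.strip()] = value.strip()
    return ifaces


def check_ips_pairs(ifaces, link_names=None):
    """Return human-readable findings; an empty list means the pairing is consistent."""
    findings = []
    by_name = {i.get("interface"): i for i in ifaces}
    cluster_owner = {}
    for i in ifaces:
        name, cid = i.get("interface"), i.get("cluster-id")
        if cid in cluster_owner:                  # each capture needs its own fanout group
            findings.append(f"{name}: cluster-id {cid} already used by {cluster_owner[cid]}")
        cluster_owner.setdefault(cid, name)
        if link_names is not None and name not in link_names:
            findings.append(f"{name}: interface not present on host")
        mode = i.get("copy-mode")
        if mode not in ("ips", "tap"):
            continue                              # IDS-only entry, no peer to check
        peer_name = i.get("copy-iface")
        if not peer_name:
            findings.append(f"{name}: copy-mode {mode} but no copy-iface")
            continue
        if peer_name == name:
            findings.append(f"{name}: copy-iface points to itself")
            continue
        peer = by_name.get(peer_name)
        if peer is None:
            findings.append(f"{name}: copy-iface {peer_name} has no af-packet entry")
            continue
        if peer.get("copy-iface") != name or peer.get("copy-mode") != mode:
            findings.append(f"{name}: {peer_name} does not copy back to {name} with copy-mode {mode}")
        if peer.get("threads") != i.get("threads"):
            findings.append(f"{name}/{peer_name}: thread counts differ "
                            f"({i.get('threads')} vs {peer.get('threads')})")
        if i.get("tpacket-v3", "no") == "yes":
            findings.append(f"{name}: tpacket-v3 causes severe latency in IPS/TAP mode")
    return findings


def main():
    """Check the posted config, then a constructed broken variant."""
    print("posted config:", check_ips_pairs(parse_af_packet(POSTED_CONFIG), HOST_LINKS) or "OK")
    broken = POSTED_CONFIG.replace("cluster-id: 97", "cluster-id: 98") \
                          .replace("copy-iface: CLIENT", "copy-iface: NAT")
    for f in check_ips_pairs(parse_af_packet(broken), HOST_LINKS):
        print("broken config:", f)


if __name__ == "__main__":
    main()
```

When the pairing validates but the link still fails, the shutdown counters are the next thing to read: in about 100 seconds Suricata saw 1 packet on CLIENT and 12 on SERVER, while the client alone sent four echo requests plus the ARP traffic needed to resolve 192.168.1.2, so most frames never reached the capture socket. That points outside suricata.yaml. The 08:00:27 MAC prefix is VirtualBox, whose adapters default to a promiscuous-mode policy of "Deny", which discards frames addressed to other MACs before the guest sees them; also confirm the two inline NICs carry no address, bridge or route. The thread does not confirm this, so treat it as the first thing to check rather than the answer.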