AF_PACKET IPS mode and network cards

Hello,
It is written in the Suricata-IDS documents:

AF_PACKET capture method is supporting an IPS/Tap mode. In this mode, you just need the interfaces to be up. Suricata will take care of copying the packets from one interface to the other. No iptables or nftables configuration is necessary.

You need to dedicate two network interfaces for this mode. The configuration is made via configuration variable available in the description of an AF_PACKET interface.

This means that NICs should only be up and should not have an IP address. So, does Suricata-IDS automatically give them the IP address? If yes, I ran Suricata-IDS as below:

# suricata --af-packet -D

Then, I checked the NICs and they still don’t have an IP address!
Why?

Thank you.

You are correct, the interfaces should be up with no IP addresses set.

Suricata does not give the interfaces an IP address. Suricata forms a bridge, much as if you took the 2 cables and directly connected them. Packets read on one interface get written out the other (after inspection).

If you need an IP address for management, use a 3rd network card plugged into your management network.


Hello,
Thank you so much for your reply.
So, if the IP address of the client is 192.168.1.1 and the IP address of the server is 192.168.1.2, then Suricata-IDS will connect these two IP addresses. I have three questions:
1- Should the client be able to ping the server when Suricata-IDS is running in bridged mode?

2- How do I troubleshoot the connection?

3- When the NICs in the Suricata-IDS server do not have any IP addresses, then how does Suricata-IDS transmit packets from the client to the server and vice versa? Routing table or something else?

In AF_PACKET IPS mode it just directly copies the packets from one interface to the other, no need for routing etc.


Hello,
Thank you so much for your reply.
Should the client be able to ping the server when Suricata-IDS is running in bridged mode?

If it’s configured correctly, it should, yes.
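
The bridge discussed in this thread only forwards traffic in both directions when the two `af-packet` entries in suricata.yaml point at each other. As an added example (not part of the thread and not Suricata's own code), this Python check inspects a pair of entries for `copy-mode`, a symmetric `copy-iface`, distinct `cluster-id` values and `use-mmap`; the interface names and values are constructed sample data, and the dicts are assumed to mirror the YAML entries.

```python
# Added example: sanity-check an AF_PACKET IPS/TAP pair before starting Suricata.
# Each dict mirrors one entry of the af-packet list in suricata.yaml.

def check_ips_pair(af_packet):
    """Return a list of problems found in the af-packet interface entries."""
    by_name = {e["interface"]: e for e in af_packet}
    problems = []
    for name, entry in by_name.items():
        mode = entry.get("copy-mode")
        peer_name = entry.get("copy-iface")
        if mode not in ("ips", "tap"):
            problems.append(f"{name}: copy-mode is {mode!r}, packets are not forwarded")
            continue
        peer = by_name.get(peer_name)
        if peer is None or peer_name == name:
            problems.append(f"{name}: copy-iface {peer_name!r} is not another configured interface")
            continue
        if peer.get("copy-iface") != name:
            problems.append(f"{name}: peer {peer_name} does not copy back to {name}")
        # Only flag use-mmap when it has been explicitly turned off.
        if entry.get("use-mmap", "yes") != "yes":
            problems.append(f"{name}: use-mmap must be yes for copy-mode")
        cid = entry.get("cluster-id")
        if cid is not None and cid == peer.get("cluster-id"):
            problems.append(f"{name}: cluster-id {cid} is shared with {peer_name}")
    return problems

# Constructed sample: a symmetric pair, as a working bridge needs.
GOOD = [
    {"interface": "eth0", "copy-mode": "ips", "copy-iface": "eth1",
     "cluster-id": 98, "use-mmap": "yes"},
    {"interface": "eth1", "copy-mode": "ips", "copy-iface": "eth0",
     "cluster-id": 97, "use-mmap": "yes"},
]

# Constructed sample: eth1 has no copy-* settings and reuses the cluster-id,
# so replies arriving on eth1 would never reach eth0 (ping fails).
BAD = [
    {"interface": "eth0", "copy-mode": "ips", "copy-iface": "eth1", "cluster-id": 98},
    {"interface": "eth1", "cluster-id": 98},
]

if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("BAD", BAD)):
        issues = check_ips_pair(conf)
        print(label, "ok" if not issues else "")
        for issue in issues:
            print("  -", issue)
```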