Does AF_Packet now support the IPS mode?

SecurityDad · January 10, 2021, 4:26pm

I see on the features page (All features | Suricata), the following information:

Packet acquisition

High performance capture
- AF_PACKET
  - experimental eBPF and XDP modes available
- PF_RING
- NETMAP
Standard capture
- PCAP
- NFLOG (netfilter integration)
IPS mode
- Netfilter based on Linux (nfqueue)
  - fail open support
- ipfw based on FreeBSD and NetBSD
- AF_PACKET based on Linux
- NETMAP
Capture cards and specialized devices
- Endace
- Napatech
- Tilera

Does this mean that IPS is supported with the AF_Packet? What is the performance difference with AF_Packet and NFQueue?

ish · January 11, 2021, 5:21pm

I can’t comment on the performance differences, but they do work somewhat difference. AF_PACKET IPS works by copying the packets received on one interface to another, so its bridging the ethernet interfaces. So this may determine if AF_PACKET can be used for you or not.

SecurityDad · January 11, 2021, 5:40pm

Thank you @ish, this is perfect for an inline filter.

Does it still act like an IPS @ish or is the bridge still copying the content if it is told to drop it?

ish · January 11, 2021, 7:28pm

It can still act as an IPS. Just pay attention to the copy-mode in your af-packet section when setting up the interfaces for the bridge.

Topic		Replies	Views
Why does af-packet not support IPS? Help	3	915	January 20, 2021
Af-packet vs nfqueue in IPS mode Help	1	675	May 16, 2023
AF_Packet upload performance problems when running in IPS mode and using a linux bridge interface Help	3	1081	March 11, 2021
AF_Packets using only one capture thread Help ips	3	1991	April 5, 2021
Suricata af-packet ips Help ips	1	661	January 17, 2023

Does AF_Packet now support the IPS mode?

Packet acquisition

Related Topics