How to configure IPS mode with AF-PACKET?

When I test IPS mode with AF_PACKET on Ubuntu 20, I only have one network interface.
So I add a virtual network interface with sudo ip link add name bro type dummy and bring it up first. I now have two network interfaces, ens33 and bro.

bro: flags=195<UP,BROADCAST,RUNNING,NOARP>  mtu 1500
        inet6 fe80::ec93:e9ff:fe01:23cf  prefixlen 64  scopeid 0x20<link>
        ether ee:93:e9:01:23:cf  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 942  bytes 121613 (121.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.17.139  netmask 255.255.255.0  broadcast 192.168.17.255
        inet6 fe80::4db7:e1fe:4257:d794  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:94:b6:e9  txqueuelen 1000  (Ethernet)
        RX packets 1279  bytes 404127 (404.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 704  bytes 113729 (113.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 354  bytes 34195 (34.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 354  bytes 34195 (34.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Then I change the configuration file as follows:

af-packet:
  - interface: bro
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: ens33
    buffer-size: 64535
    use-mmap: yes
  - interface: ens33
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: bro
    buffer-size: 64535
    use-mmap: yes

And I add a test rule:

drop http any any -> any any (msg:"hit bing.com..."; content:"bing"; reference: url,www.bing.com; sid:2022021701; rev:1;)

I run suricata by:

sudo suricata -c /etc/suricata/suricata.yaml --af-packet

I run curl www.bing.com and get a successful response.
A warning line is output in fast.log:

2/16/2022-21:43:40.943398  [Drop] [**] [1:2022021701:1] hit bing.com... [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.17.139:48854 -> 202.89.233.100:80

In order to find out why this is happening, I use Wireshark to capture packets.
The packet was dropped when copied from ens33 to bro. But the packet can use ens33 to connect to www.bing.com directly.
In my mind, it should be:


But in fact:

How to solve this problem?


I’m not actually sure if this is possible. But the first issue is that ens33 has the IP address, not bro, so the kernel will use the interface it knows about as the source. So you’ll have to remove the IP address info from ens33 and give it to bro so the kernel will use bro as an IP source.

Typically AF_PACKET IPS is used between 2 devices without IP addresses, and traffic to/from the host running Suricata does not use these interfaces.

@Ish, thanks for your response. Um… but I do not understand what your "2 devices without IP addresses" means. Can you provide a simple network topology diagram including Suricata?
Thanks for your help.

I can’t really do a diagram. But imagine a Linux machine with 3 network interfaces: eth0, eth1, eth2.

eth0 is a management interface; it has an IP address, you can ssh to it, etc.

eth1 and eth2 are the IPS interfaces. They are up, but do not have any IP addresses. You run Suricata in AF_PACKET IPS mode on eth1 and eth2 in copy mode and they form a bridge, much as if the box wasn’t even there and it was a straight cable instead.

Traffic destined to this machine, or coming from this machine, always goes out the management interface and is not subject to the IPS. The network bridged between eth1 and eth2 is subject to the IPS, but not the IPS machine itself.

Typically, if you want to protect just the host that is running Suricata, I think you’d use nfq.

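The three-interface layout described in the two replies above, as an added example that is not part of the thread and not Suricata's own tooling: eth0 keeps the management IP, eth1 and eth2 are flushed of addresses, brought up, and paired in an af-packet section with copy-mode ips. The interface names, the cluster-ids, the ethtool offload switches and the tpacket-v3 setting are assumptions for illustration; the sample ip -o -4 addr show listing that the check function is run against is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for the management + IP-less IPS pair layout described above.
# Assumptions: eth0 is management, eth1/eth2 are the inline pair, Suricata is
# started with --af-packet. Run with DRY_RUN=1 to print commands instead of
# executing them (the real commands need root).

# Execute a command, or just print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Prepare the inline pair: no addresses (so the kernel never routes through
# them and the host itself stays out of the IPS path), link up, and segment
# offloading disabled so Suricata copies wire-sized frames, not reassembled
# super-frames (assumed ethtool flags; adjust to your NIC/driver).
ips_pair_setup() {
  for dev in "$1" "$2"; do
    run ip addr flush dev "$dev"
    run ip link set dev "$dev" up
    run ethtool -K "$dev" gro off lro off
  done
}

# Emit the af-packet section for an inline pair. Each side copies to the
# other; thread counts must match on both sides, cluster-ids must differ.
# tpacket-v3 is disabled here because the v3 ring is assumed not to fit
# inline copy mode (check the comments in your own suricata.yaml).
ips_pair_config() {
  cat <<EOF
af-packet:
  - interface: $1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: $2
    use-mmap: yes
    tpacket-v3: no
  - interface: $2
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: $1
    use-mmap: yes
    tpacket-v3: no
EOF
}

# Return 0 when interface $2 carries no IPv4 address in the `ip -o -4 addr`
# listing passed as $1 (one line per address, field 2 is the device name).
iface_has_no_ipv4() {
  printf '%s\n' "$1" | awk -v dev="$2" \
    '$2 == dev && $3 == "inet" { found = 1 } END { exit (found ? 1 : 0) }'
}

# Constructed sample of `ip -o -4 addr show` on a correctly prepared box:
# only lo and the management interface have addresses.
SAMPLE_IP_ADDR="1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0"

# Usage on a real host (as root):
#   ips_pair_setup eth1 eth2
#   ips_pair_config eth1 eth2 > /etc/suricata/af-packet-ips.yaml
#   iface_has_no_ipv4 "$(ip -o -4 addr show)" eth1 || echo "eth1 still has an IP"
```

Before starting Suricata, run the check against the live `ip -o -4 addr show` output for both inline interfaces; if either one still has an address, the kernel will source its own traffic through it and you are back in the situation from the original post, where the host's own connection is what gets dropped.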

Thanks for your reply again. Your detailed reply has resolved my question.
I express my thanks to you again.