How to configure suricata IPS mode with AF-PACKET?

Logitech_Flames · July 6, 2022, 1:18pm

i install suricata fresh on ubuntu 20.04

then i go in suricata.yml

i have two nic enp0s3 enp0s4
then i add this:
community-id: true
detect-engine:

rule-reload: true`

af-packet:
  - interface: enp0s3 
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: enp0s4
    buffer-size: 64535
    use-mmap: yes
  - interface: enp0s4
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: enp0s3 
    buffer-size: 64535
    use-mmap: yes

now i don’t understand how to start suricata in IPS mode and add any rule to test it or is there any further configuration to start suricata in IPS mode.

Jeff_Lucovsky · July 17, 2022, 12:22pm

Hi,

This looks like a good start but cross-check your settings with those at 13. Setting up IPS/inline for Linux — Suricata 7.0.0-dev documentation

Ensure that Suricata is started with --af-packet – if everything else is fine – check suricata.log for errors – Suricata is now running in IPS mode

Topic		Replies	Views
Suricata af-packet ips Help ips	1	667	January 17, 2023
Af_packet IPS mode on centos8 or Rocky8 Help ips , centos	3	1254	December 20, 2021
Need help with Suricata IPS Setup Help	1	923	September 13, 2021
Wrong --af-packet configuration but why? Help suricata	0	19	September 4, 2024
Suricata does not block attacks Help ips , rules , suricata	7	70	July 30, 2024

How to configure suricata IPS mode with AF-PACKET?

Related topics