- IPS VM is Fedora 36. Host machine is Fedora 35.
- Hypervisor configuration was performed using libvirtd, the VM management tool for KVM. The current configuration is the same as in Figure 1.
- The two interfaces used as the af-packet pair in the Suricata VM handle communication between the internal VMs, not the external internet, so only the internal interfaces are used.
- Result of packet response (SYN-ACK) according to vNIC model in the Suricata VM (the client makes a request to the HTTP server with curl and receives a 200 OK response):
linux bridge (Suricata process off)
- virtio: Success
- e1000: Success

Suricata af-packet (linux bridge off)
- virtio: Fail
- e1000: Success
The af-packet in Suricata VM configured with Fedora 36 on Hyper-V worked fine.
In addition, in very few cases, a packet response may come in virtio mode. However, there were a lot of retransmissions and it took a very long time to get a response. See Figure 3.
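For reference, this is the shape of the af-packet inline (IPS) pair that the test above exercises: two internal interfaces, each copying accepted packets out of the other. It is an added example, not the configuration from the original post; the interface names eth1 and eth2 and the cluster-ids are assumptions and must be replaced with the two internal vNICs of the Suricata VM.

```yaml
# Added example (not the poster's config): Suricata af-packet IPS pair.
# eth1/eth2 are assumed names for the two internal vNICs of the Suricata VM.
af-packet:
  - interface: eth1
    threads: 1
    cluster-id: 98          # must be unique per interface
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no          # copy (IPS) mode does not work with tpacket-v3
    copy-mode: ips          # forward in-line instead of only inspecting
    copy-iface: eth2        # packets accepted on eth1 are emitted on eth2
  - interface: eth2
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: eth1        # and packets accepted on eth2 are emitted on eth1
```

Start Suricata with `suricata -c /etc/suricata/suricata.yaml --af-packet` and disable receive offloading on both pair interfaces first (`ethtool -K eth1 gro off lro off tso off gso off`, likewise for eth2), since coalesced segments are a common cause of dropped or oversized frames in af-packet copy mode. The vNIC model being compared (virtio vs e1000) is chosen on the libvirt side in the domain XML, in the `<model type='...'/>` element of each `<interface>`; the Suricata configuration itself does not change between the two runs.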
Fig. 1 Suricata VM Network Config
Fig. 2 VM/Network Diagram
Fig. 3 tcpdump capture from server