Issues with IPS Mode

I am running Suricata in af-packet, IPS Mode, using two interfaces in the copy-mode section. I have observed two issues in this mode:

  1. When activities are identified, I cannot find the packet in the IPTables blocked rules. The IP Address is listed in the blocked list, but the connection does not appear to have reached the iptables setting.

  2. I am currently using the NetworkManager for the two interfaces. Only one appears to receive the dhcp address. Is NetworkManager interfering with tcp traffic from suricata to iptables?

I have tried to use NFQ settings, but I cannot get dhcp traffic through the configuration. I think that Network Manager is interrupting the communication.

Any ideas or suggestions?

If you run the AF-Packet IPS mode, there is no relation to the Netfilter framework, as there would be if you ran NFQUEUE. So unless you have a postprocess script, nothing will tell netfilter to set an IP to a blocklist directly from Suricata.

Thank you Andreas, however if I identify the actual IP Address, I will find it in the IPTables Block list, and therefore if I attempt to directly Ping the address, I do not get a connection. This seems to indicate to me that IPTables is working, but that the actual count is not being updated. I am attempting to find the latest updates for Ubuntu.

I believe that this is outside of the Suricata tool, and an issue with IPTables.

Are you running sshguard or fail2ban or other tools for the blocklist?

I just need to emphasize, Suricata does not directly interact with netfilter in AF_PACKET IPS mode, and in the NFQUEUE IPS mode Suricata is just waiting for the packets handed over to Suricata by netfilter through the NFQUEUE, and once Suricata is done it determines a verdict, which is in most cases either ACCEPT or DROP.

So unless there is something else on our system taking care of this, it’s unrelated to Suricata.

Just a note here. When using Suricata IPS in AF_PACKET mode you are essentially creating a “dumb” ethernet bridge and I do not recommend having an IP address on either of the interfaces.

Say you have eth0 and eth1 as your interfaces, and eth0 has an IP address. Any packets destined for eth0 will also be bridged out eth1. You typically don’t notice this as they are also handled by the kernel, but it’s less than ideal.

Typically you’d run your AF_PACKET IPS on 2 interfaces without an IP address, and a 3rd interface for management.
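
The two-interface setup discussed in this thread, as an added example that is not part of the original posts: a `suricata.yaml` `af-packet` section for an AF_PACKET IPS pair. The eth0/eth1 names follow the post above; the `threads` and `cluster-id` values are assumptions chosen for illustration.

```yaml
# Constructed example, not taken from any poster's configuration.
# eth0 and eth1 carry no IP address; management uses a third interface.
af-packet:
  # Direction 1: packets received on eth0 are inspected and, unless a
  # rule drops them, copied out of eth1.
  - interface: eth0
    threads: 1                  # assumption; must match the peer interface
    cluster-id: 98              # assumption; must differ from the peer's id
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips              # "ips" drops by not copying; "tap" copies everything
    copy-iface: eth1

  # Direction 2: the reverse path, eth1 back to eth0.
  - interface: eth1
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0

# A drop in this mode means the packet is simply never copied to the
# peer interface. Netfilter is not involved, so no iptables rule or
# counter changes as a result of a Suricata drop.
```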