Rules for different network interfaces

Hi suricata devs:

We’re running Suricata on our firewall product. We came across a scenario where the network traffic flows through multiple network cards into our host, with each network card acting as an independent interface of our Linux host.

Now we want to apply different rule sets to these different interfaces, i.e. for eth0 and eth1 we want a different rule set for each. Is there any way we can achieve this?

It may look like running two separate Suricata processes solves the requirement, but we want to look for a more friendly way first :stuck_out_tongue:

You can use multi-tenancy support:

https://suricata.readthedocs.io/en/suricata-6.0.3/configuration/multi-tenant.html#device

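For readers who want to see what the device-based tenant selection from that documentation page looks like in practice, here is an added example configuration; it is not part of the original reply and not taken from the Suricata project. It assumes the interface names eth0 and eth1 from the question, the file names tenant-1.yaml and tenant-2.yaml, and a rule directory under /etc/suricata; the drop rule for UDP port 80 mirrors the test described later in the thread. Because the documentation (as quoted below in the thread) states that multi-tenancy is not currently supported for IPS, this layout is only intended for IDS (alert) operation.

```yaml
# --- fragment of suricata.yaml (added example, not from the thread) ---
multi-detect:
  enabled: yes
  # "device" selects the tenant by the capture interface the packet arrived on
  selector: device
  tenants:
    - id: 1
      yaml: tenant-1.yaml     # assumed path, relative to the main config
    - id: 2
      yaml: tenant-2.yaml
  mappings:
    - device: eth0            # interface names taken from the question
      tenant-id: 1
    - device: eth1
      tenant-id: 2
---
# --- tenant-1.yaml (rules applied only to traffic seen on eth0) ---
default-rule-path: /etc/suricata/rules/tenant-1   # assumed directory
rule-files:
  - tenant-1.rules
# Example content of tenant-1.rules (a drop rule in IDS mode only alerts):
#   drop udp any any -> any 80 (msg:"tenant-1 udp/80"; sid:1000001; rev:1;)
---
# --- tenant-2.yaml (rules applied only to traffic seen on eth1) ---
default-rule-path: /etc/suricata/rules/tenant-2   # assumed directory
rule-files:
  - tenant-2.rules
```

Each tenant file is a reduced Suricata configuration that only needs to name its own rule path and rule files; everything else (capture settings, outputs, logging) stays in the main suricata.yaml. After changing the mappings, `suricata -T -c /etc/suricata/suricata.yaml` validates that both tenant files load before the sensor is restarted.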

Sorry for the late reply. I have tried this feature but did not manage to run it in IPS mode. I have configured two sets of rules on two interfaces respectively. On one interface the rule is configured to drop all UDP packets arriving at port 80, but it doesn’t work; what’s worse, the Suricata process got a segmentation fault (I found that the crash line lies in the DetectPrefilterBuildNonPrefilterList() function using gdb; I run suricata-6.0.2) when I keep sending packets to the interface.

I noticed that there’s a note in 10.4. Multi Tenancy — Suricata 6.0.3 documentation that:

Note: Not currently supported for IPS.

I think the issue I have encountered is related to this statement. May I know why this is not supported for IPS currently? And if I want to make it support IPS, what should I do?

@cifer, can you share the traceback from the segmentation fault?

yep, here it is:



Is there a fix for this crash, as I am also encountering this?

Which version are you running?
Keep in mind Suricata 6.0.5 is already out, so it is worth checking whether it still occurs with that as well.

Thanks Andreas for the reply. I am using 6.0.4. Will check 6.0.5.