Suricata Cannot Drop Packet in Af-packet mode inline IPS - Need Help!

Hi friends, I want to ask: I want my Suricata to run in inline IPS mode with af-packet, but how come fast.log says the packet has been dropped while the packet still passes?
Here I will give you a glimpse of the evidence and my configuration. Please help me; I am using Suricata 7.0.8.

fast.log

02/07/2025-23:32:25.142847  [Drop] [**] [1:1000002:1] Blocking ICMP Echo Request [**] [Classification: (null)] [Priority: 3] {ICMP} 172.20.10.2:8 -> 172.20.10.9:0
02/07/2025-23:33:36.803878  [Drop] [**] [1:1000002:1] Blocking ICMP Echo Request [**] [Classification: (null)] [Priority: 3] {ICMP} 172.20.10.2:8 -> 172.20.10.9:0
02/07/2025-23:33:37.805198  [Drop] [**] [1:1000002:1] Blocking ICMP Echo Request [**] [Classification: (null)] [Priority: 3] {ICMP} 172.20.10.2:8 -> 172.20.10.9:0
02/07/2025-23:33:38.806715  [Drop] [**] [1:1000002:1] Blocking ICMP Echo Request [**] [Classification: (null)] [Priority: 3] {ICMP} 172.20.10.2:8 -> 172.20.10.9:0

systemctl status suricata

root@ubuntu:/home/sidik# sudo systemctl status suricata
● suricata.service - LSB: Next Generation IDS/IPS
     Loaded: loaded (/etc/init.d/suricata; generated)
     Active: active (running) since Sat 2025-02-08 02:08:16 UTC; 1s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 25736 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
      Tasks: 8 (limit: 4615)
     Memory: 48.6M (peak: 48.6M)
        CPU: 181ms
     CGroup: /system.slice/suricata.service
             └─25743 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv

Feb 08 02:08:16 ubuntu systemd[1]: Starting suricata.service - LSB: Next Generation IDS/IPS...
Feb 08 02:08:16 ubuntu suricata[25736]: Starting suricata in IPS (af-packet) mode... done.
Feb 08 02:08:16 ubuntu systemd[1]: Started suricata.service - LSB: Next Generation IDS/IPS.

suricata.yaml

af-packet:
  - interface: enp0s3
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: enp0s8
    buffer-size: 64535
    use-mmap: yes
    mode: inline
    tpacket-v3: yes 

  - interface: enp0s8
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: enp0s3
    buffer-size: 64535
    use-mmap: yes
    mode: inline
    tpacket-v3: yes 

stream:
  memcap: 64mb
  #memcap-policy: ignore
  checksum-validation: yes      # reject incorrect csums
  #midstream: false
  #midstream-policy: ignore
  inline: yes                  # auto will use inline mode in IPS mode, yes or no set it s>
  reassembly:
    # experimental TCP urgent handling logic
    #urgent:
    #  policy: inline           # drop, inline, oob (1 byte, see RFC 6093, 3.1), gap
    #  oob-limit-policy: drop
    memcap: 256mb
    #memcap-policy: ignore
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #segment-prealloc: 2048
    #check-overlap-different-data: true

IP Address

sidik@ubuntu:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:af:ed:1e brd ff:ff:ff:ff:ff:ff
    inet 172.20.10.9/28 brd 172.20.10.15 scope global dynamic noprefixroute enp0s3
       valid_lft 3489sec preferred_lft 3489sec
    inet6 fe80::a00:27ff:feaf:ed1e/64 scope link 
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:e3:04:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global noprefixroute enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fee3:400/64 scope link 
       valid_lft forever preferred_lft forever
sidik@ubuntu:~$
-----------------------------------------------------------------------------------
Date: 2/7/2025 -- 14:37:19 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
ips.accepted                                  | Total                     | 3
ips.blocked                                   | Total                     | 141
ips.drop_reason.flow_drop                     | Total                     | 137
ips.drop_reason.stream_midstream              | Total                     | 4
capture.kernel_packets                        | Total                     | 144
capture.afpacket.polls                        | Total                     | 118
capture.afpacket.poll_timeout                 | Total                     | 96
capture.afpacket.poll_data                    | Total                     | 22
decoder.pkts                                  | Total                     | 144
decoder.bytes                                 | Total                     | 175261
decoder.ipv4                                  | Total                     | 144
decoder.ethernet                              | Total                     | 144
decoder.tcp                                   | Total                     | 141
decoder.udp                                   | Total                     | 3
decoder.avg_pkt_size                          | Total                     | 1217
decoder.max_pkt_size                          | Total                     | 1454
flow.total                                    | Total                     | 6
flow.active                                   | Total                     | 6
flow.tcp                                      | Total                     | 4
flow.udp                                      | Total                     | 2
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 1
app_layer.flow.dns_udp                        | Total                     | 2
app_layer.tx.dns_udp                          | Total                     | 3
flow.mgr.rows_per_sec                         | Total                     | 6553
flow.spare                                    | Total                     | 9900
flow.mgr.rows_maxlen                          | Total                     | 1
flow.mgr.flows_checked                        | Total                     | 2
flow.mgr.flows_notimeout                      | Total                     | 2
memcap_pressure                               | Total                     | 5
memcap_pressure_max                           | Total                     | 5
tcp.memuse                                    | Total                     | 1245184
tcp.reassembly_memuse                         | Total                     | 229376
flow.memuse                                   | Total                     | 7154304
------------------------------------------------------------------------------------
Date: 2/7/2025 -- 14:37:27 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
ips.accepted                                  | Total                     | 795
ips.blocked                                   | Total                     | 840
ips.drop_reason.flow_drop                     | Total                     | 820
ips.drop_reason.applayer_error                | Total                     | 8
ips.drop_reason.stream_midstream              | Total                     | 12
capture.kernel_packets                        | Total                     | 1635
capture.afpacket.polls                        | Total                     | 783
capture.afpacket.poll_timeout                 | Total                     | 215
capture.afpacket.poll_data                    | Total                     | 568
decoder.pkts                                  | Total                     | 1635
decoder.bytes                                 | Total                     | 1047192
decoder.ipv4                                  | Total                     | 1635
decoder.ethernet                              | Total                     | 1635
decoder.tcp                                   | Total                     | 1275
tcp.syn                                       | Total                     | 40
tcp.synack                                    | Total                     | 40
tcp.rst                                       | Total                     | 10
decoder.udp                                   | Total                     | 360
decoder.avg_pkt_size                          | Total                     | 640
decoder.max_pkt_size                          | Total                     | 1454
tcp.active_sessions                           | Total                     | 40
flow.total                                    | Total                     | 64
flow.active                                   | Total                     | 64
flow.tcp                                      | Total                     | 52
flow.udp                                      | Total                     | 12
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 1
tcp.sessions                                  | Total                     | 40
tcp.ssn_from_pool                             | Total                     | 40
tcp.segment_from_cache                        | Total                     | 322
tcp.segment_from_pool                         | Total                     | 39
app_layer.flow.tls                            | Total                     | 8
app_layer.flow.dns_tcp                        | Total                     | 18
app_layer.tx.dns_tcp                          | Total                     | 54
app_layer.flow.quic                           | Total                     | 8
app_layer.tx.quic                             | Total                     | 18
app_layer.error.quic.parser                   | Total                     | 8
app_layer.flow.dns_udp                        | Total                     | 4
app_layer.tx.dns_udp                          | Total                     | 10
flow.mgr.full_hash_pass                       | Total                     | 1
flow.mgr.rows_per_sec                         | Total                     | 6553
flow.spare                                    | Total                     | 9900
flow.mgr.rows_maxlen                          | Total                     | 1
flow.mgr.flows_checked                        | Total                     | 33
flow.mgr.flows_notimeout                      | Total                     | 33
memcap_pressure                               | Total                     | 5
memcap_pressure_max                           | Total                     | 5
tcp.memuse                                    | Total                     | 1245184
tcp.reassembly_memuse                         | Total                     | 405504
flow.memuse                                   | Total                     | 7154304
------------------------------------------------------------------------------------
Date: 2/7/2025 -- 14:37:35 (uptime: 0d, 00h 00m 24s)
------------------------------------------------------------------------------------

From your ip a output it looks like both of your network interfaces have IP addresses on different networks. Is this machine also acting as a router/firewall/NAT device? If so, use NFQ IPS, as it looks like these packets may be routed through rather than bridged by Suricata, in which case AF_PACKET IPS cannot help you.

A quick self-test for this is to remove the IP addresses from these interfaces: does your network still work? If so, AF_PACKET IPS might be for you. If it breaks your network, you probably need NFQ IPS.

When doing AF_PACKET IPS it is not recommended to have IP addresses on the network interfaces that make up the pair of interfaces for the AF_PACKET bridge.

Thank you, Sir,
Can you help me in making a configuration or interface so that I can use Suricata in IPS af-packet mode, because I'm really confused. My plan is to do testing on my Windows computer and create a VM in VMware; maybe it can help me with topology and configuration.
Thank you very much, Sir.

I'm not really sure how you would use a Linux machine in a VM on Windows to provide IPS functionality for that Windows machine. It's probably not impossible, but may require some research and trial and error.

I do have one piece of advice and that is to remove Suricata, then add it back when the network is working as you want it.

  • For NFQ IPS this means not setting up your -j NFQUEUE statements until your packets are flowing through your IPS machine as desired on your network.
  • For AF_PACKET IPS, this means using the standard Linux bridge. When your networking is working as you want, stop the Linux bridge, and bring up Suricata in AF_PACKET IPS mode, as it will replace that bridge.

If it doesn't work without Suricata, it's unlikely to work with Suricata.

And when it comes to virtual machines, make sure you disable offloading on the network interfaces of the physical host, as well as the virtual hosts.

Generally virtual machines make this more complicated.
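The staged approach from this reply (prove the NIC pair as a plain Linux bridge with no IP addresses and offloading disabled, then tear the bridge down so Suricata's copy-mode: ips can take its place), written up as an added example script; it is not from the thread or the Suricata project. It reuses the poster's enp0s3/enp0s8 names; the bridge name br-ipstest and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example: stage an AF_PACKET IPS interface pair the way the reply above
# describes. Run "up" from a console, not over SSH via either NIC, because the
# first step flushes their IP addresses (that is the point of the self-test).
# DRY_RUN=1 prints the commands instead of executing them (execution needs root).
set -eu

IN_IF=${IN_IF:-enp0s3}     # interface names taken from the poster's "ip a"
OUT_IF=${OUT_IF:-enp0s8}
BR=${BR:-br-ipstest}       # assumed bridge name for the self-test
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: the reply's self-test. Remove the addresses and bridge the pair in the
# kernel. If hosts on both sides still reach each other, the box is bridging,
# not routing, and AF_PACKET IPS fits; if traffic stops, NFQ IPS is the better fit.
bridge_up() {
    for ifc in "$IN_IF" "$OUT_IF"; do
        run ip addr flush dev "$ifc"
        # Offloads (GRO/GSO/TSO/LRO, checksum, scatter-gather) hand Suricata
        # merged or unchecksummed frames; the reply says to turn them off on the
        # physical host as well as inside the VM.
        run ethtool -K "$ifc" gro off gso off tso off lro off rx off tx off sg off
        run ip link set "$ifc" up
    done
    run ip link add name "$BR" type bridge
    run ip link set "$IN_IF" master "$BR"
    run ip link set "$OUT_IF" master "$BR"
    run ip link set "$BR" up
}

# Step 2: once the bridge is proven, remove it before starting Suricata; the
# af-packet copy-mode: ips pair replaces the kernel bridge and must not coexist
# with it, or frames are forwarded twice and drops never take effect.
bridge_down() {
    run ip link set "$IN_IF" nomaster
    run ip link set "$OUT_IF" nomaster
    run ip link del "$BR"
}

# Dispatch only when called with an argument: "up" or "down".
[ "$#" -eq 0 ] || case "$1" in
    up)   bridge_up ;;
    down) bridge_down ;;
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

After `down`, start Suricata with the af-packet section shown earlier in the thread; the bridge it replaces must already be gone.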