Suricata combined netmap on multiple interfaces

Hello all,

I am looking for some advice on deploying Suricata on a firewall as below:

I need to be able to run Suricata in IPS mode to be able to block attack traffic flowing between the Public Internet, DMZ and Internal networks while still having traffic pass through packet filter or iptables.

I have the following configuration for netmap:

netmap:
  - interface: default
    threads: auto
    copy-mode: ips
  - interface: ens1f0
    copy-iface: ens1f0^
  - interface: ens1f0^
    copy-iface: ens1f0
  - interface: ens1f1
    copy-iface: ens1f1^
  - interface: ens1f1^
    copy-iface: ens1f1
  - interface: ens1f2
    copy-iface: ens1f2^
  - interface: ens1f2^
    copy-iface: ens1f2

This causes the following messages to be logged in fast.log:

  • SURICATA STREAM pkt seen on wrong thread
  • SURICATA STREAM 3way handshake with ack in wrong dir

When I change the config to:

netmap:
  - interface: default
    threads: auto
    copy-mode: ips
  - interface: ens1f0
    copy-iface: ens1f0^
  - interface: ens1f0^
    copy-iface: ens1f0

Everything works, but I am then missing traffic from the DMZ to Internal, and from Internal to the DMZ.

What is the correct way to do this? Should I be running an instance of Suricata per interface? Is NETMAP a bad match for this type of deployment?

Thank you.

You list iptables, so this is a Linux system? In that case I would rather go for af_packet.

The Stream rules are related to either configuration issues (pkt seen on wrong thread) or missed traffic, but shouldn't be used to block traffic.

But the biggest issue I see is that I don't think Suricata can know if the traffic received on ens1f0 needs to be copied to ens1f1 (DMZ) or rather to ens1f2 (Internal); this is a routing decision.

Andreas,

Thank you for your reply. It is a Linux system. I was looking at Netmap with the OS endpoint to be able to forward the traffic received from the network card to Suricata and then to the OS once the traffic was scanned, at which point the routing table of the OS would kick in. Because I am running Suricata in IPS mode, attacks should never be forwarded to the OS. Or am I totally misunderstanding Netmap?

I have an Intel X710 installed in the server. I have 8 channels enabled on the card. The interface is named ens1f2. I notice that when I specify the OS endpoint with ens1f2^, I end up with 8 threads on ens1f2 and 1 thread on ens1f2^. Is there any way to enable 8 threads on ens1f2 and 8 threads on ens1f2^? Or is this because ens1f2 is, strictly speaking, not a netmap endpoint?

I have been wondering whether Netmap is just not the right fit for Linux. I will look into AF_PACKET as well.

If you plan to use iptables, I think the proper way would be to use NFQUEUE.
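As an added illustration of the NFQUEUE suggestion above (and of why it sidesteps the copy-iface routing problem raised earlier), this script is not from the thread or from the Suricata project. It assumes the same three interfaces as the question (ens1f0 Internet, ens1f1 DMZ, ens1f2 Internal), a default suricata.yaml path, and prints the rules rather than applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not configuration from the thread. With NFQUEUE the kernel
# routes each forwarded packet first and only then hands it to Suricata in
# the FORWARD chain, so Suricata never has to decide whether a packet from
# ens1f0 belongs on ens1f1 (DMZ) or ens1f2 (Internal); it only returns an
# accept or drop verdict per packet.

QUEUES=${QUEUES:-4}        # one NFQUEUE queue per Suricata worker thread
FAIL_OPEN=${FAIL_OPEN:-0}  # 0 = fail-closed (no forwarding while Suricata is
                           # down), 1 = --queue-bypass lets traffic through
                           # unchecked when no program is attached to the queue

# Emit the sysctl and iptables commands for the IPS path. Review the output,
# then pipe it into sh (as root) to apply it.
nfqueue_rules() {
    queues=$1
    fail_open=$2
    last=$((queues - 1))
    bypass=""
    if [ "$fail_open" = 1 ]; then
        bypass=" --queue-bypass"
    fi
    # Every forwarded direction (Internet<->DMZ, Internet<->Internal,
    # DMZ<->Internal) traverses FORWARD, so one rule covers all three
    # interfaces. --queue-balance spreads flows over the queues by a
    # flow hash, keeping both directions of a flow on the same queue.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -I FORWARD -j NFQUEUE --queue-balance 0:%s%s\n' \
        "$last" "$bypass"
}

# Emit the matching Suricata command line: one -q per queue, so the
# number of queues and the number of workers always agree.
suricata_cmd() {
    queues=$1
    cmd="suricata -c /etc/suricata/suricata.yaml"
    i=0
    while [ "$i" -lt "$queues" ]; do
        cmd="$cmd -q $i"
        i=$((i + 1))
    done
    echo "$cmd"
}

nfqueue_rules "$QUEUES" "$FAIL_OPEN"
suricata_cmd "$QUEUES"
```

Drop actions still require drop rules (or a drop-enabled ruleset) in Suricata itself; the iptables side only decides which packets are queued for inspection.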