I need to be able to run Suricata in IPS mode to be able to block attack traffic flowing between the Public Internet, DMZ and Internal networks while still having traffic pass through packet filter or iptables.
You list iptables, so this is a Linux system? In that case I would rather go for af_packet.
The Stream rules are related to either configuration issues (pkt seen on wrong thread) or missed traffic but shouldn’t be used to block traffic.
But the biggest issue I see is that I don’t think Suricata can know if the traffic received on ens1f0 needs to be copied to ens1f1 (DMZ) or rather to ens1f2 (Internal); this is a routing decision.
Thank you for your reply. It is a Linux system. I was looking at Netmap with the OS endpoint to be able to forward the traffic received from the network card to Suricata and then to the OS once the traffic was scanned, at which point the routing table of the OS would kick in. Because I am running Suricata in IPS mode, attacks should never be forwarded to the OS. Or am I totally misunderstanding Netmap?
I have an Intel X710 installed in the server. I have 8 channels enabled on the card. The interface is named ens1f2. I notice that when I specify the OS endpoint with ens1f2^, that I end up with 8 threads on ens1f2, and 1 thread on ens1f2^. Is there any way to enable 8 threads on ens1f2 and 8 threads on ens1f2^? Or is this because ens1f2 is strictly speaking not a netmap endpoint?
I have been wondering whether Netmap is just not the right fit for Linux. I will look into AF_PACKET as well.
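For readers following the two capture options discussed in this thread (the Netmap host-stack pairing from the earlier posts and the af_packet alternative suggested in reply), here is an added suricata.yaml fragment that is not from the original thread or from the Suricata project. It uses the interface names given above (ens1f2 for the Netmap host-stack pair, ens1f0/ens1f1 for the af_packet inline pair); the thread counts, cluster-id and file path are assumptions. The comments spell out the practical difference: the Netmap `ens1f2^` pairing hands inspected packets to the host kernel, so routing and iptables still apply, whereas af_packet IPS mode copies frames between two NICs at layer 2 and bypasses the kernel's routing table entirely.

```yaml
# Added example configuration (not from the thread). Interface names ens1f2,
# ens1f0 and ens1f1 come from the discussion; everything else is assumed.

# Option 1: Netmap with the host stack endpoint (the "^" suffix).
# Packets arriving on ens1f2 are inspected by Suricata and, unless dropped,
# copied to ens1f2^, i.e. injected into the Linux kernel. The kernel then
# routes/filters them as usual, and replies take the reverse path.
# Both directions must be declared, each pointing at the other.
netmap:
  - interface: ens1f2
    threads: auto          # one thread per NIC ring (8 rings here)
    copy-mode: ips         # drop verdicts are honoured; "tap" would only mirror
    copy-iface: ens1f2^    # deliver inspected packets to the host stack
    disable-promisc: no
    checksum-checks: auto
  - interface: ens1f2^
    threads: auto          # the host-stack side exposes a single ring
    copy-mode: ips
    copy-iface: ens1f2     # packets leaving the kernel go back out via ens1f2
    checksum-checks: auto

# Option 2: af_packet inline between two physical NICs.
# Suricata acts as a layer-2 bridge: frames from ens1f0 are copied to ens1f1
# and vice versa. The kernel never sees them, so no routing table and no
# iptables FORWARD rules are consulted. Use this only where the two NICs are
# on the same path (e.g. Internet <-> DMZ); it cannot choose between ens1f1
# and ens1f2 as a router would.
af-packet:
  - interface: ens1f0
    threads: 8             # assumed; match the NIC queue count
    cluster-id: 99         # assumed; must differ per interface
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no         # IPS (copy-mode) requires tpacket v2
    copy-mode: ips
    copy-iface: ens1f1
  - interface: ens1f1
    threads: 8
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: ens1f0

# Start with one runmode or the other (assumed config path):
#   suricata --netmap -c /etc/suricata/suricata.yaml
#   suricata --af-packet -c /etc/suricata/suricata.yaml
```

A quick sanity check after starting is to confirm in the startup log that both halves of each pair were opened with the expected number of threads, and that a rule with a `drop` action (rather than `alert`) is actually loaded, since `copy-mode: ips` only blocks what rules tell it to drop.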