Suricata Configuration for IPS and IDS Mode

What is the best way to configure Suricata for both IDS and IPS on different sets of network ports?
af-packet should work for both modes, correct? A single port off a span switch port for IDS mode and an inline set of ports in IPS mode. Same instance of Suricata?

Hi Leonard, you’ll have to use two instances for this: one as IDS, one as IPS.

So suricata -c /etc/suricata/suricata1.yaml -i eth0 and suricata -c /etc/suricata2.yaml --af-packet for example on the same appliance that has multiple physical ports.

So the af-packet section of yaml can’t handle ips for a pair of ports and a different single port in just ids mode?

Is this because af-packet does bridging and a single port from a span does not need or would even have a bridge?

And it would require two different yaml configurations?

Yeah. I thought that using include statements you might be able to create a common yaml with only the af-packet section being specific to the config.

Why could we not use an af-packet configuration in Tap mode to handle a single eth interface connected to a network switch span port?

And use af-packet configuration in IPS mode to handle the pair of eth interfaces?

It can be implemented, but it is not. The problem is that Suricata is either in IPS or IDS mode. If it would be in both, it means we’d need to create that way of operating so that we properly drop where needed. @glongo has done some work in this area, but it’s not merged. The added complexity is a problem, and the use case may be too much of a niche.

Victor, I don’t understand what you mean when it comes to af-packet. For any particular set of interfaces, the instructions say you can set tap or ips modes. I am running an experiment with af-packet in tap mode on a single interface and I am getting events produced.

Where I can see a potential problem is when the rules are set to drop; which that action won’t really work on a single interface tied to a span port of a network switch. But I am ok with that single interface because I am listening to the traffic only.

Maybe the confusion is in my description of what I want to configure. I only want to be able to do IPS mode on the af-packet interfaces that are paired with each other. On the single interface I just want to listen to the traffic and trigger signatures being seen on that single interface.

All of the interfaces are on a single multi-interface hardware appliance.

But all traffic, no matter which interface is collecting it, to go to eve.json file.

If I use two different instances of suricata running on the appliance, will the instances conflict with each other writing to a single eve.json file?
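One way to keep two instances on the same appliance from fighting over a single eve.json is to give each its own log directory and its own unix-command socket. The following is an added example for the second (span/IDS) instance and is not configuration from this thread or from the Suricata project; the paths and the type list are assumptions.

```yaml
# Added example (not from the thread): output settings for a second Suricata
# instance that must not share files with the first one. Paths are assumed.

# Every relative output filename below is resolved under this directory, so
# giving each instance a different default-log-dir is enough to keep the
# eve.json files apart.
default-log-dir: /var/log/suricata/ids-span

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json        # becomes /var/log/suricata/ids-span/eve.json
      types:
        - alert
        - http
        - dns
        - tls
        - flow

# Two instances with the default socket name would collide; give this one its
# own socket (filename is relative to default-log-dir as well).
unix-command:
  enabled: yes
  filename: suricata-span.socket
```

Start each instance with its own configuration and pid file, for example `suricata -c /etc/suricata/suricata-span.yaml --af-packet --pidfile /var/run/suricata-span.pid` for this one (file names assumed). If you instead keep a single instance with several af-packet interfaces, all records land in one eve.json, and each alert or flow record carries an `in_iface` field naming the capture interface, so the SIEM can still tell the span traffic apart from the inline pairs.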

Maybe this might clarify my question more. When I say IPS mode I mean within af-packet settings. The instructions state either use IPS mode or Tap mode setting on interfaces within af-packet configuration. So I don’t mean IDS or IPS mode per se.

I have found that the two pairs of interfaces work fine in af-packet set to ips mode in suricata.yaml. The single interface getting span port traffic from the network switch works fine too set to tap mode in af-packet within the same suricata.yaml file. I am getting all events.

The only thing not working is a custom geoip signature file placed in the rules directory and configured in suricata.yaml. I get no hits on any of the interfaces. It was working correctly in Suricata version 4.x. Running 3.0.2 now.

Part of the confusion might be IPS vs inline. For af-packet inline modes (tap or ips) a pair of interfaces is required. In either case the engine runs in inline mode. This leads to some different behavior wrt stream engine and a few other places compared to a passive IDS mode.
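The af-packet section below is an added example, written to illustrate the distinction made above; it is not configuration posted in this thread or shipped by the Suricata project. It mixes one inline pair (copy-mode ips) with one passive span interface in a single suricata.yaml. Interface names, cluster ids and buffer sizes are assumptions.

```yaml
# Added example (not from the thread): one af-packet section with an inline
# pair and a passive span interface. Interface names are assumed.
af-packet:
  # Inline pair: frames received on eth1 are copied out of eth2 and vice versa.
  # copy-mode: ips means a matching "drop" rule stops the frame from being
  # forwarded; copy-mode: tap would forward everything and only alert.
  - interface: eth1
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no          # tpacket v3 is not usable for inline copy modes
    copy-mode: ips
    copy-iface: eth2
    buffer-size: 64535
  - interface: eth2
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
  # Span port: no copy-mode and no copy-iface, so this interface only captures.
  # Nothing is ever written back to the network from here, so a "drop" rule can
  # only produce an alert on this interface, never block anything.
  - interface: eth3
    threads: auto
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    buffer-size: 64535
```

Leaving copy-mode off the span interface states the passive intent explicitly; a copy mode with no peer interface has nothing to copy to (that reading of the thread's "tap on a single interface" setup is an assumption here). For the last question in the thread, what a drop rule would have done on a passive interface: Suricata alerts on it but forwards nothing, and to see drop decisions recorded as if the engine were inline you can start a purely passive instance with `--simulate-ips`, which forces the engine into IPS mode for logging purposes without any interface being inline.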

Ok. But if the connection to the single interface is just a stream of packets from a network span port, does it really make a difference if either ips or tap mode is utilized? There is no pass through back to the network. I just want to know if there is something happening that is malicious on the network. The SIEM can compare that traffic stream to the other eth ports that are configured in af-packet mode.

So if I use another instance of Suricata that is just in passive IDS mode for the span traffic, what happens if the signature action is set to drop? I won’t be running two sets of signatures. But I would want to know if it would have dropped the traffic. So does it really matter what the signatures say for action since Suricata will just be listening?