Suricata-IDS does not work in AF_PACKET IPS mode

Hello,
I want to run Suricata-IDS in AF_PACKET IPS mode. My Suricata-IDS server has the following NICs:

# ifconfig
CLIENT: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a00:27ff:fee5:267c  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:e5:26:7c  txqueuelen 1000  (Ethernet)
        RX packets 501  bytes 57124 (55.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 125  bytes 27865 (27.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

NAT: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe7b:8f51  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:7b:8f:51  txqueuelen 1000  (Ethernet)
        RX packets 13434  bytes 2219918 (2.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11024  bytes 9068946 (8.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

SERVER: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a00:27ff:febc:c5a7  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:bc:c5:a7  txqueuelen 1000  (Ethernet)
        RX packets 197  bytes 28169 (27.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 223  bytes 38091 (37.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The Suricata-IDS server is located between a client and server as follows:

Client ---> Suricata-IDS ---> Server

The client IP address is 192.168.1.1/24 and the server IP address is 192.168.1.2/24. I edited the /etc/suricata/suricata.yaml file and changed the af-packet part as below:

af-packet:
  - interface: CLIENT
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: SERVER
    buffer-size: 64535
    use-mmap: yes
  - interface: SERVER
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: CLIENT
    buffer-size: 64535
    use-mmap: yes

After that, I ran Suricata-IDS:

# suricata --af-packet
i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
i: threads: Threads created -> W: 2 FM: 1 FR: 1   Engine started.

But the client and server can’t ping each other:

C:\> ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

C:\>

Suricata-IDS reports are as follows:

# cat /var/log/suricata/suricata.log 
[1520 - Suricata-Main] 2023-10-04 03:23:09 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: cpu: CPUs/cores online: 2
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: af-packet: Setting IPS mode
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: exception-policy: master exception-policy set to: auto
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: ioctl: CLIENT: MTU 1500
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: ioctl: SERVER: MTU 1500
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: conf: Running in live mode, activating unix socket
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: logopenfile: fast output device (regular) initialized: fast.log
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: logopenfile: stats output device (regular) initialized: stats.log
[1520 - Suricata-Main] 2023-10-04 03:23:10 Info: detect: 1 rule files processed. 35168 rules successfully loaded, 0 rules failed
[1520 - Suricata-Main] 2023-10-04 03:23:10 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[1520 - Suricata-Main] 2023-10-04 03:23:10 Info: detect: 35171 signatures processed. 1248 are IP-only rules, 5282 are inspecting packet payload, 28429 inspect application layer, 108 are decoder event only
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: af-packet: CLIENT: AF_PACKET IPS mode activated CLIENT->SERVER
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: runmodes: CLIENT: creating 1 thread
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: af-packet: SERVER: AF_PACKET IPS mode activated SERVER->CLIENT
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: runmodes: SERVER: creating 1 thread
[1522 - W#01-SERVER] 2023-10-04 03:23:14 Info: ioctl: SERVER: MTU 1500
[1522 - W#01-SERVER] 2023-10-04 03:23:14 Info: ioctl: CLIENT: MTU 1500
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[1520 - Suricata-Main] 2023-10-04 03:23:14 Notice: threads: Threads created -> W: 2 FM: 1 FR: 1   Engine started.
[1520 - Suricata-Main] 2023-10-04 03:24:53 Notice: suricata: Signal Received.  Stopping engine.
[1520 - Suricata-Main] 2023-10-04 03:24:54 Info: suricata: time elapsed 99.884s
[1520 - Suricata-Main] 2023-10-04 03:24:55 Info: counters: Alerts: 0
[1520 - Suricata-Main] 2023-10-04 03:24:55 Notice: device: CLIENT: packets: 1, drops: 0 (0.00%), invalid chksum: 0
[1520 - Suricata-Main] 2023-10-04 03:24:55 Notice: device: SERVER: packets: 12, drops: 0 (0.00%), invalid chksum: 0

And:

# cat /var/log/suricata/fast.log 
#

Where is the configuration file wrong?

Thank you.

Your NAT interface IP is 10.0.2.15 but not 192.168.1.x. I think it is the problem.

Actually, from how this config looks, using an AF_PACKET IPS between the 2 interfaces without an IP address should eliminate the NAT interface as part of the equation here.

Run tcpdump on the CLIENT interface to make sure your pings are actually arriving on the IPS machine.

From the error though, “Destination host unreachable.”, it appears the network is not finding the MAC address of the server. I’d also start with no rules (an empty rule file).


The following is my setup:

Modem — Router — Suricata — Switch ---- Wifi AP, PCs, Laptops

An extra interface is the connection from Suricata to the Switch for management purposes.

Hello,
Thank you so much for your problem.
I use a NAT NIC to connect to Suricata-IDS. Why is this problematic?

Hello,
Thank you so much for your reply.
1- So, if I remove the NAT type NIC, then the problem should go away?

2- How do I start Suricata-IDS without rules?

3- Is there an option for Suricata-IDS to ignore the NAT type NIC?

To set up Suricata as an IPS in AF_PACKET mode, you need to have 3 network interfaces. Suricata can be placed in front of a router or behind a router.

Case one - Suricata in front of router

One of the network interfaces connects the modem (or internet) and Suricata and has NO IP address. Another network interface connects Suricata and the router (router’s WAN port) and has NO IP address either. The last network interface connects Suricata and the router (router’s LAN port or switch) and has an IP address, which is used for management purposes, such as rule updates and/or system updates etc. If your router has a WIFI function, you can use this router’s WIFI feature for surfing the internet.

However, you have 2 problems with this setting. One is that you cannot see the intranet subnet in the logs, and the other is that some of the ET Open rules do not work properly, as most of them use $HOME_NET, while $HOME_NET stands for [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] and not your real IP (external IP). Or, you add your external IP to the $HOME_NET group in order to tell Suricata to match your external IP too. Another way is to rewrite or write your own rules for this setting; then IPS mode may work properly.

Case two - Suricata behind router

One of the network interfaces connects the router and Suricata and has NO IP address. Another network interface connects Suricata and the switch (intranet, switch’s port 1) and has NO IP address either. The last network interface connects Suricata and the switch and has an IP address, which is used for management purposes, such as rule updates and/or system updates etc. If your router has a WIFI function, you CANNOT use this WIFI feature for surfing the internet as it is NOT protected by Suricata. You need another WIFI AP connected to the switch in order to provide WIFI.

You are required to change the keyword “alert” to “drop” in all rules in order to block the traffic in both cases. You are also required to disable some rules (including ET Open rules) as they may produce false positives and block your legitimate traffic, such as Windows updates. The fast.log will show you the result “Drop” when the rule is triggered. Make sure it is not “wDrop”, as that is not blocked by the rules.

Finally, you are also required to handle the “kernel drop” problem by tuning the suricata.yaml configuration file. You can tune Suricata to have zero kernel drops, and make sure you have enough memory.

I have run the two cases above in different environments for several years. Suricata as an IPS in AF_PACKET mode is great.


Hello,
Thanks again.
My setup is something like below:

Clients ---> Suricata-IDS ---> Server

I want to block the attacks from the clients to server.
Sorry, I don’t understand where the problem is in the Suricata-IDS configuration. Should I just add the IP address 10.0.2.15 to the $HOME_NET group?
I don’t know exactly what to do. Please guide me.

Please refer to my last post here.

You may consider installing Suricata and running it with NFQUEUE and IPTables on your server. This will make your setup simpler.

Hello,
Thanks again.
If you see my network setting, then you will notice that the NICs do not have an IP address except for the one that is of NAT type.
I will remove the NAT type NIC and try again and report the result.

I did it too, please see this. As you can see, Nmap was able to easily identify the target. Is my configuration wrong?

As far as I know, ET Open and Suricata rules are not blocking or alerting any Nmap port scanning.

Hello,
Thanks again.
In the AF_PACKET IPS mode, should IP forwarding be enabled?

I don’t believe it needs to be, but doesn’t hurt to have it enabled. It might need to be enabled if you want to fall back to normal Linux bridging, so I’d leave it enabled. Since your intention is to pass packets through, it won’t hurt having it enabled.


Hello,
I enabled IP forwarding and removed the NAT type NIC:

# ifconfig
CLIENT: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a00:27ff:fee5:267c  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:e5:26:7c  txqueuelen 1000  (Ethernet)
        RX packets 13  bytes 970 (970.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17  bytes 2918 (2.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

SERVER: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a00:27ff:febc:c5a7  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:bc:c5:a7  txqueuelen 1000  (Ethernet)
        RX packets 1  bytes 243 (243.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17  bytes 2918 (2.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Then ran Suricata-IDS:

# suricata --af-packet -D

The client and server can still see each other:

C:\> ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\>

I ran tcpdump on the Suricata-IDS server and the result is as follows:

# tcpdump -i CLIENT -vvv
02:04:00.968531 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:01.661038 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:02.661361 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:03.665071 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:04.661536 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:05.661223 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:06.665725 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:07.661242 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:08.660741 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:09.664502 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:10.661237 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:11.660867 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46

Suricata-IDS reports are as follows:

[730 - Suricata-Main] 2023-10-07 01:43:59 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[673 - Suricata-Main] 2023-10-07 02:01:31 Info: cpu: CPUs/cores online: 2
[673 - Suricata-Main] 2023-10-07 02:01:31 Info: af-packet: Setting IPS mode
[673 - Suricata-Main] 2023-10-07 02:01:31 Info: exception-policy: master exception-policy set to: auto
[673 - Suricata-Main] 2023-10-07 02:01:31 Info: ioctl: CLIENT: MTU 1500
[673 - Suricata-Main] 2023-10-07 02:01:31 Info: ioctl: SERVER: MTU 1500
[674 - Suricata-Main] 2023-10-07 02:01:31 Info: conf: Running in live mode, activating unix socket
[674 - Suricata-Main] 2023-10-07 02:01:31 Info: logopenfile: fast output device (regular) initialized: fast.log
[674 - Suricata-Main] 2023-10-07 02:01:31 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[674 - Suricata-Main] 2023-10-07 02:01:31 Info: logopenfile: stats output device (regular) initialized: stats.log
[674 - Suricata-Main] 2023-10-07 02:01:33 Info: detect: 1 rule files processed. 35168 rules successfully loaded, 0 rules failed
[674 - Suricata-Main] 2023-10-07 02:01:34 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[674 - Suricata-Main] 2023-10-07 02:01:34 Info: detect: 35171 signatures processed. 1248 are IP-only rules, 5282 are inspecting packet payload, 28429 inspect application layer, 108 are decoder event only
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: af-packet: CLIENT: AF_PACKET IPS mode activated CLIENT->SERVER
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: runmodes: CLIENT: creating 1 thread
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: af-packet: SERVER: AF_PACKET IPS mode activated SERVER->CLIENT
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: runmodes: SERVER: creating 1 thread
[676 - W#01-SERVER] 2023-10-07 02:01:37 Info: ioctl: SERVER: MTU 1500
[676 - W#01-SERVER] 2023-10-07 02:01:37 Info: ioctl: CLIENT: MTU 1500
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: unix-manager: created socket directory /var/run/suricata/
[674 - Suricata-Main] 2023-10-07 02:01:37 Notice: threads: Threads created -> W: 2 FM: 1 FR: 1   Engine started.
[675 - W#01-CLIENT] 2023-10-07 02:11:07 Warning: af-packet: CLIENT: failed to poll interface: Network is down
[676 - W#01-SERVER] 2023-10-07 02:11:07 Warning: af-packet: SERVER: failed to poll interface: Network is down
[675 - W#01-CLIENT] 2023-10-07 02:11:16 Info: af-packet: CLIENT: interface is back up
[676 - W#01-SERVER] 2023-10-07 02:11:16 Info: af-packet: SERVER: interface is back up

And:

# cat /var/log/suricata/fast.log 
#

What is really wrong?
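The capture above shows only ARP requests for 192.168.1.2 and never a reply, which is the symptom the earlier reply pointed at (the network cannot find the server's MAC address). As an added example, not from the thread or from Suricata, here is a small parser for tcpdump's ARP lines that pairs "who-has" requests with "is-at" replies and reports targets that were asked for repeatedly but never answered on the captured interface. The sample input is constructed: the first rows copy the shape of the posted capture, the last two add a resolved exchange for a made-up host 192.168.1.20 for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `tcpdump -i CLIENT -vvv` ARP output:
# three unanswered requests for 192.168.1.2 (as in the posted capture) and one
# answered request for a made-up host, so both outcomes are exercised.
SAMPLE_CAPTURE = """\
02:04:00.968531 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:01.661038 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:02.661361 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:05.100000 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.20 tell 192.168.1.1, length 46
02:04:05.100400 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.20 is-at 08:00:27:aa:bb:cc, length 28
"""

REQUEST_RE = re.compile(r"Request who-has (\S+) tell (\S+),")
REPLY_RE = re.compile(r"Reply (\S+) is-at ([0-9a-fA-F:]{17}),")


def parse_arp(capture_text):
    """Return (requests, replies).

    requests: target IP -> number of who-has requests seen for it
    replies:  IP -> MAC address it answered with (is-at)
    """
    requests = defaultdict(int)
    replies = {}
    for line in capture_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            replies[m.group(1)] = m.group(2).lower()
    return dict(requests), replies


def unanswered_targets(capture_text, min_requests=3):
    """IPs asked for at least min_requests times with no is-at reply on this interface.

    On an AF_PACKET IPS a missing reply here means either the request was never
    copied to the peer interface or the host on the far side never answered;
    either way the pinging host will report "Destination host unreachable".
    """
    requests, replies = parse_arp(capture_text)
    return sorted(ip for ip, n in requests.items()
                  if n >= min_requests and ip not in replies)


if __name__ == "__main__":
    print(unanswered_targets(SAMPLE_CAPTURE))  # ['192.168.1.2']
```

Feed it a real capture with something like `tcpdump -i CLIENT -vvv arp` saved to a file; if the unanswered list is non-empty while the same capture on the SERVER side shows no requests at all, the packets are not being copied between the two IPS interfaces.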

Hello,
What is wrong with this report?

# cat /var/log/suricata/suricata.log 
[548 - Suricata-Main] 2023-10-10 02:27:29 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[548 - Suricata-Main] 2023-10-10 02:27:29 Info: cpu: CPUs/cores online: 2
[548 - Suricata-Main] 2023-10-10 02:27:29 Info: af-packet: Setting IPS mode
[548 - Suricata-Main] 2023-10-10 02:27:29 Info: exception-policy: master exception-policy set to: auto
[548 - Suricata-Main] 2023-10-10 02:27:29 Info: ioctl: CLIENT: MTU 1500
[548 - Suricata-Main] 2023-10-10 02:27:29 Info: ioctl: SERVER: MTU 1500
[548 - Suricata-Main] 2023-10-10 02:27:29 Info: conf: Running in live mode, activating unix socket
[548 - Suricata-Main] 2023-10-10 02:27:29 Info: logopenfile: fast output device (regular) initialized: fast.log
[548 - Suricata-Main] 2023-10-10 02:27:29 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[548 - Suricata-Main] 2023-10-10 02:27:29 Info: logopenfile: stats output device (regular) initialized: stats.log
[548 - Suricata-Main] 2023-10-10 02:27:31 Info: detect: 1 rule files processed. 41733 rules successfully loaded, 0 rules failed
[548 - Suricata-Main] 2023-10-10 02:27:31 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[548 - Suricata-Main] 2023-10-10 02:27:31 Info: detect: 41736 signatures processed. 1497 are IP-only rules, 5391 are inspecting packet payload, 34641 inspect application layer, 108 are decoder event only
[548 - Suricata-Main] 2023-10-10 02:27:37 Info: af-packet: CLIENT: AF_PACKET IPS mode activated CLIENT->SERVER
[548 - Suricata-Main] 2023-10-10 02:27:37 Info: runmodes: CLIENT: creating 1 thread
[548 - Suricata-Main] 2023-10-10 02:27:37 Info: af-packet: SERVER: AF_PACKET IPS mode activated SERVER->CLIENT
[548 - Suricata-Main] 2023-10-10 02:27:37 Info: runmodes: SERVER: creating 1 thread
[550 - W#01-SERVER] 2023-10-10 02:27:37 Info: ioctl: SERVER: MTU 1500
[550 - W#01-SERVER] 2023-10-10 02:27:37 Info: ioctl: CLIENT: MTU 1500
[548 - Suricata-Main] 2023-10-10 02:27:37 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[548 - Suricata-Main] 2023-10-10 02:27:38 Notice: threads: Threads created -> W: 2 FM: 1 FR: 1   Engine started.
[548 - Suricata-Main] 2023-10-10 02:28:28 Notice: suricata: Signal Received.  Stopping engine.
[548 - Suricata-Main] 2023-10-10 02:28:28 Info: suricata: time elapsed 51.069s
[548 - Suricata-Main] 2023-10-10 02:28:29 Info: counters: Alerts: 0
[548 - Suricata-Main] 2023-10-10 02:28:30 Notice: device: CLIENT: packets: 3, drops: 0 (0.00%), invalid chksum: 0
[548 - Suricata-Main] 2023-10-10 02:28:30 Notice: device: SERVER: packets: 3, drops: 0 (0.00%), invalid chksum: 0

Thank you.

Hello,
I ran Wireshark on the server and pinged the server on the client and the output is as follows:

Does this mean the client is seeing the server?

Hello,
No idea?

Thank you.

Check the Suricata eve json logfiles to see whether the actual requests are coming in on one of the interfaces that you configured for AF_PACKET IPS. Also check the stats log to see if the packet counter is increasing and you see actual traffic passing by.
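As an added example (not from the thread or from Suricata itself) of the two checks recommended in this thread, the "is the packet counter increasing" check here and the "kernel drop" tuning mentioned earlier, the following script reads consecutive snapshots from stats.log, compares the first and last, and reports whether capture.kernel_packets moved and what fraction of new packets the kernel dropped. The sample input is constructed in the layout Suricata writes to stats.log (a "Date:" header followed by "Counter | TM Name | Value" rows); the counter names and the "Total" row are assumed from that file's default layout.

```python
import re

# Constructed stats.log excerpt: two snapshots 8 seconds apart in which the
# packet counters do not move at all, which is what "no traffic passing by"
# looks like from the stats side.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 10/7/2023 -- 02:01:45 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 12
capture.kernel_drops                       | Total                     | 0
decoder.pkts                               | Total                     | 12
flow.memuse                                | Total                     | 7474304
------------------------------------------------------------------------------------
Date: 10/7/2023 -- 02:01:53 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 12
capture.kernel_drops                       | Total                     | 0
decoder.pkts                               | Total                     | 12
flow.memuse                                | Total                     | 7474304
"""

# One counter row: "<counter> | <thread or Total> | <integer value>"
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_snapshots(text):
    """Split stats.log into one {(counter, tm_name): value} dict per Date: block."""
    snapshots = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            snapshots.append({})
        elif snapshots:
            m = ROW_RE.match(line)
            if m:
                snapshots[-1][(m.group(1), m.group(2))] = int(m.group(3))
    return snapshots


def capture_health(text, tm_name="Total"):
    """Compare first and last snapshot: did packets arrive, and how many were dropped?"""
    snaps = parse_snapshots(text)
    if len(snaps) < 2:
        raise ValueError("need at least two stats snapshots to measure movement")
    first, last = snaps[0], snaps[-1]
    pkts_key = ("capture.kernel_packets", tm_name)
    drops_key = ("capture.kernel_drops", tm_name)
    new_pkts = last.get(pkts_key, 0) - first.get(pkts_key, 0)
    new_drops = last.get(drops_key, 0) - first.get(drops_key, 0)
    # Guard the division: a stalled capture has no new packets to divide by.
    drop_ratio = new_drops / new_pkts if new_pkts else 0.0
    return {"packets_seen": new_pkts,
            "traffic_flowing": new_pkts > 0,
            "kernel_drop_ratio": drop_ratio}
```

Run it against /var/log/suricata/stats.log while pinging through the IPS: `traffic_flowing` False means the packets never reach the AF_PACKET sockets, and a non-zero `kernel_drop_ratio` on a busy box is the "kernel drop" condition that the earlier reply says must be tuned away.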