Suricata-IDS in AF_PACKET IPS mode and IP ranges

Please consider the figure below.

Client ---> Suricata-IDS ---> Server

I ran Suricata with the following command:

# suricata --af-packet -D

Why should the client and server have the same IP address range? I set the IP address for the client and for the server, but the client and server could not see each other!

Is there anything in the Suricata-IDS config file to fix this?

Thank you.

AF_PACKET IPS forms a bridge, I think we have gone over this ad nauseam… A bridge is like twisting the wires together, not a router.

Using Suricata in AF_PACKET IPS mode is much like connecting the 2 ethernet cables with a coupler like below.


Thank you so much for your reply.
So, in what mode can Suricata-IDS do this? Can Suricata-IDS do such a thing?

Not really. Linux iptables/nftables can. Then you augment iptables/nftables with Suricata for IPS support.


So, should I use Suricata-IDS in NFQ mode, or can I use Suricata-IDS in AF_PACKET IPS mode but use iptables/nftables to connect two different ranges of IP addresses?

Please review all your other threads on this topic. NFQ and AF_PACKET IPS modes are fundamentally different and usually the choice is based on the topology of your network - which we’ve covered in detail already. We can’t decide which you need, this is the level of networking knowledge you have to bring to Suricata.

I’m going to re-suggest my old advice. Place a machine where you want the packets to flow through. Get it working first, either with iptables or Linux bridge. When you are happy, then bring in Suricata. Don’t complicate the basics with Suricata first.

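As an added illustration of the routed option discussed above (not a script from the thread or the Suricata project), the following follows the order the last reply recommends: first make the box a plain router between the two subnets, then hand forwarded traffic to NFQUEUE with nftables, and only then start Suricata in NFQ mode. Interface names, subnets and the queue number are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: a Linux host routing between two IP ranges, with Suricata
# inspecting the forwarded traffic via NFQUEUE. Names/addresses are assumed.
set -eu

LAN_IF=eth0;  LAN_NET=192.0.2.0/24;     LAN_GW=192.0.2.1/24
SRV_IF=eth1;  SRV_NET=198.51.100.0/24;  SRV_GW=198.51.100.1/24
QUEUE=0

# Step 1: plain router. Verify client and server reach each other through
# this box (hosts must use its address as their gateway) before adding IPS.
setup_routing() {
    sysctl -w net.ipv4.ip_forward=1
    ip addr add "$LAN_GW" dev "$LAN_IF"
    ip addr add "$SRV_GW" dev "$SRV_IF"
}

# Step 2: nftables ruleset that queues packets forwarded between the two
# subnets. Printed rather than applied directly so it can be reviewed first.
# Caveat: without a process attached to the queue, queued packets are dropped.
render_ruleset() {
    cat <<EOF
table inet suricata {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip saddr $LAN_NET ip daddr $SRV_NET queue num $QUEUE
        ip saddr $SRV_NET ip daddr $LAN_NET queue num $QUEUE
    }
}
EOF
}

apply_ruleset() {
    render_ruleset | nft -f -
}

# Step 3: Suricata takes verdicts from the queue, so "drop" rules are
# enforced inline (unlike a passive AF_PACKET IDS tap).
start_suricata() {
    suricata -c /etc/suricata/suricata.yaml -q "$QUEUE" -D
}

if [ "${1:-}" = "apply" ]; then
    setup_routing
    apply_ruleset
    start_suricata
fi
```

Run with the `apply` argument as root once the routing step has been confirmed on its own; `render_ruleset` alone prints the ruleset for inspection.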