Suricata IPS mode on bridged interface


I have a Ubuntu 22.04 VM server where my VMs are all running on a bridged interface (br0).

Clients are all on the physical network.

I would like to set it up in IPS mode with Suricata running on the VM host.

Will that work?


How do you plan to forward the traffic from the clients?
If you achieve that it should be possible; you need to make sure that the traffic is forwarded to this VM and that this VM further forwards the traffic to the uplink and vice versa.

Right now all of the clients connect to the VMs over the bridge interface. There isn’t a VM sitting in between the client and server like a typical router. There is a bridge netfilter module that people use to do transparent firewalls. The trick is figuring out how to get inline. Routers are easy. I have never done any firewalls on a bridge before.

While likely technically possible, this turns out to be quite difficult, or at least I haven’t had much success.

The Suricata AF_PACKET IPS mode creates a dumb bridge. So with a single VM use case you would remove the Linux bridge, then use Suricata to create the bridge between the 2 interfaces. But virt-manager doesn’t understand this type of setup. However, I was able to coerce it by creating an isolated network and using Suricata to bridge a physical interface to vnet0. While simple pings were able to go through, not much else did. Packets were being corrupted somewhere. This has generally been my experience when virtualizing AF_PACKET IPS.

Now getting back to the dumb bridge. Suricata bridges 2 interface ports together like an old dumb hub. Every packet received on one interface is transmitted out the other (except when a rule tells it to drop). So it's not a direct replacement for a Linux bridge, which you can attach multiple interfaces to, and which learns the MAC addresses. So if you were to apply this simple setup with multiple VMs, each VM is going to receive a copy of all the packets incoming on that external interface, whether or not they are destined for that VM. So even if the above did work, it's not recommended.

While I do believe some level of virtual interfaces and switching could solve this problem, it might just be easier to drop an IPS box in front of this host.
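For reference, this is the suricata.yaml af-packet pairing that builds the two-port "dumb bridge" described above, added here as an example and not taken from the thread or from Suricata's shipped configuration. The interface names are assumptions: enp1s0 stands for the physical uplink and vnet0 for the tap of a single VM on an isolated libvirt network; neither may also be a member of br0, or the Linux bridge and Suricata will each forward the same frames.

```yaml
# Added example: AF_PACKET IPS copy mode between two interfaces.
# Assumed names: enp1s0 = physical uplink, vnet0 = one VM's tap interface.
# Both interfaces must be detached from br0 before Suricata is started.
af-packet:
  - interface: enp1s0
    threads: 1              # must equal the peer interface's thread count
    cluster-id: 99          # distinct per interface
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no          # left off for copy mode, as the shipped suricata.yaml advises
    copy-mode: ips          # forward every frame unless a rule drops it ("tap" would only mirror)
    copy-iface: vnet0       # frames received on enp1s0 are sent out vnet0
  - interface: vnet0
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: enp1s0      # and frames received on vnet0 go back out enp1s0

stream:
  inline: yes               # needed so drop applies to reassembled stream data, not just alert
```

Start it with `suricata -c /etc/suricata/suricata.yaml --af-packet`; only rules whose action is `drop` will block traffic, `alert` rules log and forward as before. Because there is no MAC learning in this pairing, adding a third interface does not turn it into a switch, which is the multi-VM limitation noted above.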

Thank you Jason. That makes sense. In this configuration then I just need to stay in IDS mode until someone can figure out some special sauce to make it work…