Hi Team,
I have a query on whether Suricata supports IPS mode with PF_RING?
I tried running Suricata with PF_RING and I am able to see drop messages in my fast.log.
08/04/2020-17:53:05.148921 [wDrop] [] [1:1:1] Alarm detected [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.12.x:50866 -> 172.16.x.x:8000
08/04/2020-17:53:05.196636 [wDrop] [] [1:1:1] Alarm detected [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.12.x:50868 -> 172.16.x.x:8000
But my traffic is still running. Below is my configuration in suricata.yaml:
suricata --dump-config | grep pfring
pfring = (null)
pfring.0 = interface
pfring.0.interface = eth0
pfring.0.threads = 2
pfring.0.cluster-id = 99
pfring.0.cluster-type = cluster_flow
pfring.1 = interface
pfring.1.interface = eth1
pfring.1.threads = 2
pfring.1.cluster-id = 93
pfring.1.cluster-type = cluster_flow
pfring.2 = interface
pfring.2.interface = default
pfring.2.threads = 2
Please suggest how this can be achieved.
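As an added example (not part of the post and not Suricata's own code), the following Python script parses fast.log lines like the ones quoted above and reports what the action tag says about enforcement: Suricata writes "[Drop]" when a drop rule matched and the packet was actually dropped by an inline (IPS) engine, and "[wDrop]" ("would drop") when the same rule matched while the engine ran in IDS mode, so the packet was only logged and let through. The sample lines are constructed for the example; the "[]" variant of the "[**]" separator is accepted so lines pasted into a forum still parse.

```python
import re
from collections import Counter

# Constructed sample fast.log lines (not from the post); the two [wDrop] lines are
# modelled on the ones quoted above, the third is an ordinary alert for contrast.
SAMPLE_FASTLOG = """\
08/04/2020-17:53:05.148921  [wDrop] [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.12.10:50866 -> 172.16.0.5:8000
08/04/2020-17:53:05.196636  [wDrop] [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.12.10:50868 -> 172.16.0.5:8000
08/04/2020-17:53:06.000001  [**] [1:2:1] Plain alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.12.11:40000 -> 172.16.0.5:80
"""

# One fast.log line: timestamp, optional action tag, [**] gid:sid:rev msg [**],
# classification, priority, protocol and the 5-tuple. "[]" is accepted as well as
# "[**]" so that lines whose asterisks were eaten by markdown still parse.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"
    r"\[(?:\*\*)?\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[(?:\*\*)?\]\s+"
    r"\[Classification: (?P<cls>[^\]]*)\]\s+\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fastlog(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["action"] = rec["action"] or "alert"  # no tag means a plain alert action
        records.append(rec)
    return records


def count_actions(records):
    """Count how many lines carried each action tag (alert / Drop / wDrop)."""
    return Counter(r["action"] for r in records)


def enforcement_verdict(records):
    """Say what the log shows about enforcement.

    '[Drop]'  : the packet was dropped by an inline (IPS) engine.
    '[wDrop]' : "would drop", logged by an engine running in IDS mode, so the
                drop rule matched but the packet was not blocked.
    """
    actions = count_actions(records)
    if actions["wDrop"]:
        return "ids-mode: drop rules matched but packets were not blocked"
    if actions["Drop"]:
        return "ips-mode: packets were dropped inline"
    return "no drop-rule matches in this log"


if __name__ == "__main__":
    recs = parse_fastlog(SAMPLE_FASTLOG)
    print(dict(count_actions(recs)))
    print(enforcement_verdict(recs))
```

Run it against a real fast.log by reading the file into `parse_fastlog`; a log full of "[wDrop]" lines while traffic keeps flowing is consistent with the engine matching drop rules in a passive capture mode rather than enforcing them inline.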