Hi Team,
I have a query on whether suricata support IPS mode with PF_RING ?

I tried running suricata with pf_ring and i am able to see drop messages in my fast.log.

08/04/2020-17:53:05.148921 [wDrop] [] [1:1:1] Alarm detected [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.12.x:50866 -> 172.16.x.x:8000
08/04/2020-17:53:05.196636 [wDrop] [] [1:1:1] Alarm detected [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.12.x:50868 -> 172.16.x.x:8000

But my traffic is still running. Below is my configuration in suricata.yaml:

suricata --dump-config | grep pfring
pfring = (null)
pfring.0 = interface
pfring.0.interface = eth0
pfring.0.threads = 2
pfring.0.cluster-id = 99
pfring.0.cluster-type = cluster_flow
pfring.1 = interface
pfring.1.interface = eth1
pfring.1.threads = 2
pfring.1.cluster-id = 93
pfring.1.cluster-type = cluster_flow
pfring.2 = interface
pfring.2.interface = default
pfring.2.threads = 2

Please suggest how this can be achieved.

Hi @guptpu, we don’t have IPS support for PF_RING. I would suggest having a look at using AF_PACKET instead.

Hi @vjulien ,
Thanks for the quick response. Will explore AF_PACKET mode.

One more query:
I want to use AF_PACKET mode but i do not want to use this as bridge mode between two physical interfaces[LAN to WAN] as i have other components which need to process the packet between ingress and egress.

is there any way in which i can reinject the packet back to kernel space from suricata as happens with NFQUEUE.?
Please suggest.

I think NFQUEUE is they way to go, I’m not aware of ways to reinject things from the AF_PACKET bridge in a similar way.