Why af-packet paragraph need two interface?

Help
1

Please include the following information with your help request:

  • Suricata version 8.0.0
  • Operating system and/or Linux distribution ubuntu 23.10 , kernel 6.5
  • How you installed Suricata (from source, packages, something else)
    by repo

hello ,
i’m on vmware with a virtual machine 16.x
why the af-packet paragraph needs two interface like this :


af-packet:
  - interface: ens33
    threads: 8
    defrag: yes 
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: ens37
    buffer-size: 64535
    use-mmap: yes
  - interface: ens37
    threads: 8
    cluster-id: 97  
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: ens33
    buffer-size: 64535 
    use-mmap: yes

it’s recommended by AI like claude sonnet 3.5 , but i don’t understand why . and the second interface, write liked - interface , and and not commented on in the part :

af-packet:
  - interface: ens33
    threads: 8
    defrag: yes 
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: ens37
    buffer-size: 64535
    use-mmap: yes
  - interface: ens37
    threads: 8
    cluster-id: 97  
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: ens33
    buffer-size: 64535 
    use-mmap: yes

could you help me ?
Cordially

2

ah yes ! there is a part for incoming traffic and the other for outgoing traffic! as much for me

3

yes, but to be more specific, each entry is for receiving traffic, each node is there in case you want to configure your interfaces differently.

Then copy-iface of the given interface says on what interface the traffic should be transmitted from when it is received.

So the traffic flows in both directions:
→ ens33 → ens37 →
and
← ens33 ← ens37 ←

5

So,
What interface is for entry and what interface in for sending ?
Why do you suggest there are two directions ?
Regards

6

What interface is for entry

both

and what interface in for sending ?

both

Why do you suggest there are two directions ?

Packets are received by one interface and are transmitted by the other interface. That works bidirectionally.

7

Keep in mind that you only need 2 interface for IPS mode. If you just want to monitor traffic from one interface, one is enough.

8

how it is possible ??
if i write this :

af-packet:
  - interface: ens33
    threads: 8
    defrag: yes 
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    buffer-size: 64535
    use-mmap: yes

it will be correct ?
resgards

9

We have no idea what you are trying to achieve but if you change copy-mode to ids so:

af-packet:
  - interface: ens33
    threads: 8
    defrag: yes 
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ids
    buffer-size: 64535
    use-mmap: yes

then yes, it looks like a valid configuration

10

No !!
Julien Victor said ,I could run suricata with One interface !!! Did he lie ??

11

Do you want to run it in IDS or IPS mode?

12

ah yes! I forgot the subtlety!
I want the ips mode !:slight_smile:
Regards

13

In that case you want to use two interfaces, see details described in 15. Setting up IPS/inline for Linux — Suricata 8.0.0-dev documentation unless you want to do it via netfilter nfqueue, see 15. Setting up IPS/inline for Linux — Suricata 8.0.0-dev documentation

1 Like
14

hi ,
i want to install suricata in mode ips on a virtual private server, for a web hosting
but it seems that there is only a network interface.
AI Large language model say me that I can set the intrusion prevention system mode with nfqueue mode, do you agree ?
Cordially
Alexandre
M

16

only with mode nfqueue*

17

Instead of asking some AI you should follow the documentation I previously linked which explains the runmode with NFQUEUE.