Why does af-packet not support IPS?

jydr · January 14, 2021, 6:09am

I have tested af-packet on two different types of servers. Why can’t af-packe drop packets in IPS mode?But the alert message is displayed in the log.
Is it because my network card does not support af-packet?

My machine configuration：
ubuntu18.04
kernel version: 4.15.0-112-generic
Ethernet controller: Intel Corporation I211 Gigabit Network Connection

af-packet:

interface: enp1s0
threads: 1
defrag: no
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: enp2s0
buffer-size: 64535
use-mmap: yes
interface: enp2s0
threads: 1
cluster-id: 97
defrag: no
cluster-type: cluster_flow
copy-mode: ips
copy-iface: enp1s0
buffer-size: 64535
use-mmap: yes

netsecuris1 · January 15, 2021, 12:53am

In order to get the IPS function to work, you need to set the action in signatures to drop from alert.

jydr · January 15, 2021, 1:40am

The reject and drop signatures are invalid.
For example:
reject tcp any any -> any any (msg:“IPS”; content:“google”; sid:10002; rev:1;)
drop tcp any any -> any any (msg:“IPS”; content:“google”; sid:10002; rev:1;)

dexbg · January 20, 2021, 5:04pm

I can just comment that in the /etc/default/suricata config file is written that only the nfqueue mode supports IPS:
# Listen mode: pcap, nfqueue, custom_nfqueue or af-packet
# depending on this value, only one of the two following options
# will be used (af-packet uses neither).
# Please note that IPS mode is only available when using nfqueue
LISTENMODE=af-packet

Topic		Replies	Views
Does AF_Packet now support the IPS mode? Help ips	3	1714	January 11, 2021
Problem configuring af-packet with three interfaces Help ips	3	1414	April 23, 2021
Suricata af-packet ips Help ips	1	661	January 17, 2023
How to configure suricata IPS mode with AF-PACKET? Help ips , community , suricata	1	1601	July 17, 2022
Af_packet IPS mode on centos8 or Rocky8 Help ips , centos	3	1246	December 20, 2021

Why does af-packet not support IPS?

Related Topics