Old 10-04-2023, 02:54 AM   #1
Jason.nix
Member
 
Registered: Feb 2023
Posts: 567

Rep: Reputation: 10
Suricata-IDS in AF_PACKET IPS mode


Hello,
I want to run Suricata-IDS in AF_PACKET IPS mode. My Suricata-IDS server has the following NICs:
Code:
# ifconfig
CLIENT: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a00:27ff:fee5:267c  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:e5:26:7c  txqueuelen 1000  (Ethernet)
        RX packets 501  bytes 57124 (55.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 125  bytes 27865 (27.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

NAT: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe7b:8f51  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:7b:8f:51  txqueuelen 1000  (Ethernet)
        RX packets 13434  bytes 2219918 (2.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11024  bytes 9068946 (8.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

SERVER: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a00:27ff:febc:c5a7  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:bc:c5:a7  txqueuelen 1000  (Ethernet)
        RX packets 197  bytes 28169 (27.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 223  bytes 38091 (37.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
According to the Suricata-IDS documents, NICs only need to be up and do not need an IP address.
The Suricata-IDS server is located between a client and server as follows:
Code:
Client ---> Suricata-IDS ---> Server
The client IP address is 192.168.1.1/24 and the server IP address is 192.168.1.2/24. I edited the /etc/suricata/suricata.yaml file and changed the af-packet part as below:
Code:
af-packet:
  - interface: CLIENT
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: SERVER
    buffer-size: 64535
    use-mmap: yes
  - interface: SERVER
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: CLIENT
    buffer-size: 64535
    use-mmap: yes
After that, I ran Suricata-IDS:
Code:
# suricata --af-packet
i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
i: threads: Threads created -> W: 2 FM: 1 FR: 1   Engine started.
But the client and server can't ping each other:
Code:
C:\> ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

C:\>
Suricata-IDS reports are as follows:
Code:
# cat /var/log/suricata/suricata.log 
[1520 - Suricata-Main] 2023-10-04 03:23:09 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: cpu: CPUs/cores online: 2
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: af-packet: Setting IPS mode
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: exception-policy: master exception-policy set to: auto
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: ioctl: CLIENT: MTU 1500
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: ioctl: SERVER: MTU 1500
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: conf: Running in live mode, activating unix socket
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: logopenfile: fast output device (regular) initialized: fast.log
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[1520 - Suricata-Main] 2023-10-04 03:23:09 Info: logopenfile: stats output device (regular) initialized: stats.log
[1520 - Suricata-Main] 2023-10-04 03:23:10 Info: detect: 1 rule files processed. 35168 rules successfully loaded, 0 rules failed
[1520 - Suricata-Main] 2023-10-04 03:23:10 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[1520 - Suricata-Main] 2023-10-04 03:23:10 Info: detect: 35171 signatures processed. 1248 are IP-only rules, 5282 are inspecting packet payload, 28429 inspect application layer, 108 are decoder event only
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: af-packet: CLIENT: AF_PACKET IPS mode activated CLIENT->SERVER
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: runmodes: CLIENT: creating 1 thread
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: af-packet: SERVER: AF_PACKET IPS mode activated SERVER->CLIENT
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: runmodes: SERVER: creating 1 thread
[1522 - W#01-SERVER] 2023-10-04 03:23:14 Info: ioctl: SERVER: MTU 1500
[1522 - W#01-SERVER] 2023-10-04 03:23:14 Info: ioctl: CLIENT: MTU 1500
[1520 - Suricata-Main] 2023-10-04 03:23:14 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[1520 - Suricata-Main] 2023-10-04 03:23:14 Notice: threads: Threads created -> W: 2 FM: 1 FR: 1   Engine started.
[1520 - Suricata-Main] 2023-10-04 03:24:53 Notice: suricata: Signal Received.  Stopping engine.
[1520 - Suricata-Main] 2023-10-04 03:24:54 Info: suricata: time elapsed 99.884s
[1520 - Suricata-Main] 2023-10-04 03:24:55 Info: counters: Alerts: 0
[1520 - Suricata-Main] 2023-10-04 03:24:55 Notice: device: CLIENT: packets: 1, drops: 0 (0.00%), invalid chksum: 0
[1520 - Suricata-Main] 2023-10-04 03:24:55 Notice: device: SERVER: packets: 12, drops: 0 (0.00%), invalid chksum: 0
And:
Code:
# cat /var/log/suricata/fast.log 
#
Where is the configuration file wrong?


Thank you.
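An added consistency check for the two-interface AF_PACKET IPS pairing described in the post (example code, not from the thread or the Suricata project). It carries a minimal line parser for the flat af-packet list shape shown above and reports pairing problems; the invariants it checks (copy-mode ips, copy-iface pointing at a configured interface that copies back, unique cluster-ids, equal thread counts on both sides) are assumed from how Suricata pairs the two interfaces, so confirm them against the docs for your version.

```python
# Constructed input: the post's af-packet section, trimmed to the keys that matter for pairing.
SAMPLE_CONFIG = """\
af-packet:
  - interface: CLIENT
    threads: 1
    cluster-id: 98
    copy-mode: ips
    copy-iface: SERVER
  - interface: SERVER
    threads: 1
    cluster-id: 97
    copy-mode: ips
    copy-iface: CLIENT
"""

def parse_af_packet(text: str) -> list[dict[str, str]]:
    """Minimal parser for the flat 'af-packet:' list shape above (not a full YAML parser)."""
    entries: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"): continue  # blank line or the 'af-packet:' header
        if line.startswith("- "):                    # start of a new interface entry
            entries.append({})
            line = line[2:]
        if entries:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def check_ips_pairing(entries: list[dict[str, str]]) -> list[str]:
    """Return the problems found; [] means the two-interface IPS pairing is consistent.
    Assumed invariants: copy-mode 'ips', mutual copy-iface, unique cluster-ids, equal threads."""
    problems: list[str] = []
    by_name = {e.get("interface"): e for e in entries}
    seen_ids: dict[str, str] = {}
    for e in entries:
        name = e.get("interface", "?")
        if e.get("copy-mode") != "ips":
            problems.append(f"{name}: copy-mode {e.get('copy-mode')!r}, expected 'ips'")
        peer = by_name.get(e.get("copy-iface"))
        if peer is None:
            problems.append(f"{name}: copy-iface {e.get('copy-iface')!r} is not configured")
        elif peer.get("copy-iface") != name:
            problems.append(f"{name}: peer {peer['interface']} does not copy back to it")
        elif peer.get("threads") != e.get("threads"):
            problems.append(f"{name}: thread count differs from peer {peer['interface']}")
        cid = e.get("cluster-id", "")
        if seen_ids.setdefault(cid, name) != name:
            problems.append(f"{name}: cluster-id {cid} already used by {seen_ids[cid]}")
    return problems
```

Run against the post's own section the check returns no problems, so the pairing itself is not the cause of the unreachable hosts; swapping one copy-iface or reusing a cluster-id makes it report the mistake.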
 
Old 10-06-2023, 10:52 AM   #2
tmick
Member
 
Registered: Jun 2005
Location: North Dakota
Distribution: Debian Testing
Posts: 247

Rep: Reputation: 20
Try asking this list: notifications@suricata.discoursemail.com
 
Old 10-07-2023, 06:19 AM   #3
Jason.nix
Member
 
Registered: Feb 2023
Posts: 567

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by tmick View Post
Hello,
Thank you so much for your reply.
In your opinion is my setup correct?
 
Old 10-07-2023, 11:55 AM   #4
tmick
Member
 
Registered: Jun 2005
Location: North Dakota
Distribution: Debian Testing
Posts: 247

Rep: Reputation: 20
As far as I can tell, yes. Maybe add the IP of the client machine?
 
1 members found this post helpful.
Old 10-10-2023, 04:29 AM   #5
Jason.nix
Member
 
Registered: Feb 2023
Posts: 567

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by tmick View Post
As far as I can tell, yes. Maybe add the IP of the client machine?
Hello,
Thanks again.
Add the IP of the client machine? What do you mean?
 
Old 10-10-2023, 10:41 AM   #6
tmick
Member
 
Registered: Jun 2005
Location: North Dakota
Distribution: Debian Testing
Posts: 247

Rep: Reputation: 20
Quote:
Originally Posted by Jason.nix View Post
Hello,
Thanks again.
Add the IP of the client machine? What do you mean?
That, or the second NIC, so you'd have eth0 and eth1 or wireless0 & 1, etc. I seem to remember you needing to have 2 NICs configured so it can monitor the traffic between them. So AF Packet in, AF Packet out, and the client pointing to the server.
 
Old 10-11-2023, 02:05 AM   #7
Jason.nix
Member
 
Registered: Feb 2023
Posts: 567

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by tmick View Post
That, or the second NIC, so you'd have eth0 and eth1 or wireless0 & 1, etc. I seem to remember you needing to have 2 NICs configured so it can monitor the traffic between them. So AF Packet in, AF Packet out, and the client pointing to the server.
Hello,
Thanks again.
My server has two NICs (CLIENT and SERVER). As the documentation says:
Quote:
The AF_PACKET capture method supports an IPS/Tap mode. In this mode, you just need the interfaces to be up. Suricata will take care of copying the packets from one interface to the other. No iptables or nftables configuration is necessary.

You need to dedicate two network interfaces for this mode. The configuration is made via configuration variables available in the description of an AF_PACKET interface.
As you can see, both NICs are up. I think that the NICs should not have an IP address and that Suricata-IDS will give them an IP address itself. Am I wrong?

Last edited by Jason.nix; 10-11-2023 at 02:07 AM.
 
Old 10-11-2023, 11:21 AM   #8
tmick
Member
 
Registered: Jun 2005
Location: North Dakota
Distribution: Debian Testing
Posts: 247

Rep: Reputation: 20
It should automatically assign the IP addresses to the interfaces. I'd suggest the mailing list I gave; they've forgotten more than I know about this.
 
Old 10-14-2023, 04:32 AM   #9
Jason.nix
Member
 
Registered: Feb 2023
Posts: 567

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by tmick View Post
It should automatically assign the IP addresses to the interfaces. I'd suggest the mailing list I gave; they've forgotten more than I know about this.
Hello,
Thanks again.
No, Suricata-IDS does not assign IP addresses to NICs. It acts as an interface between client and server NICs. I ran Suricata-IDS and then ran Wireshark on the server, after that I pinged the server from the client and the result is as follows:

[Attached image: Wireshark.PNG (screenshot of the Wireshark capture on the server)]
Does this mean that the client sees the server? Has anyone here ever run Suricata-IDS?

Last edited by Jason.nix; 10-14-2023 at 04:34 AM.
 