# DRAFT: RedHat EL 9 AF_PACKET IPS Guide This guide should help you configure a RedHat EL 9 machine to be a Suricata AF_PACKET IPS host. This guide assumes there are 3 network ports available. 2 ports will be the IPS devices, and one port will be management interface. For the examples in this guide the following interfaces are used: - enp1s0: management port - enp7s0: ips device 1 - enp8s0: ips device 2 ## Configure an Interface to be Up with No Address As Suricata will copy packets received on `enp7s0` directly out to `enp8s0`, and packets received on `enp8s0` directly out `enp7so`, it is suggested that these devices that make up the IPS pair do not have IP addresses. If they did have IP addresses, and connections were made to those addresses, Suricata will still forward the packets out the other end, which is usually not a desirable behaviour. So its best to just remove the IP addresses from these devices. Using `nmcli connection show`, find the profile name of the first device to be configured as an IPS device. Example output: ``` NAME UUID TYPE DEVICE enp1s0 ff38e481-bdca-33e4-97b2-510a56eeded0 ethernet enp1s0 lo ca86ef74-fd4f-48bb-9fa1-80e87b20786e loopback lo Wired connection 1 2263d886-f3af-3d06-9d20-e86a40e74617 ethernet enp7s0 Wired connection 2 6c5cc13e-48a1-34d1-8018-280c03b5d2a8 ethernet enp8s0 ``` in this example we are configuring `enp7s0` and `enp8s0` to be the devices that form the IPS pair. We want these devices to be configured in an `up` state but without IP addresses. Optional: Rename the network profiles. For this guide, we'll give the network profiles a name that matches their purpose: - Rename "Wired connection 1" to "IPS1": ``` nmcli connection modify "Wired connection 1" connection.id IPS1 ``` - Rename "Wired connection 2" to "IPS2": ``` nmcli connection modify "Wired connection 2" connection.id IPS2 ``` Now configure the IPS1 and IPS2 connection to have no IP addresses, but still be in an *up* state: ``` nmcli connection modify IPS1 ipv4.method disabled connection.autoconnect yes nmcli connection modify IPS1 ipv6.method disabled connection.autoconnect yes nmcli connection modify IPS2 ipv4.method disabled connection.autoconnect yes nmcli connection modify IPS2 ipv6.method disabled connection.autoconnect yes ``` Now reboot to test that this configuration sticks over a reboot. After a reboot, you should see that your IPS network devices are up but do not have an ip address: ``` $ ip a 3: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 52:54:00:db:41:ab brd ff:ff:ff:ff:ff:ff 4: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 52:54:00:6a:3f:96 brd ff:ff:ff:ff:ff:ff ``` ## Example `af-packet` Suricata Configuration ``` af-packet: - interface: enp7s0 threads: auto cluster-type: cluster_flow cluster-id: 7 copy-mode: ips copy-iface: enp8s0 use-mmap: yes - interface: enp8s0 threads: auto cluster-id: 8 cluster-type: cluster_flow copy-mode: ips copy-iface: enp7s0 use-mmap: yes ``` ## References https://docs.suricata.io/en/latest/setting-up-ipsinline-for-linux.html#setting-up-ips-at-layer-2 https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-configuring_ip_networking_with_nmcli
Last changed by  
Jason Ish
67

Read more

JSON Rules

Modern tools often seem to be simpler and use something that might equate to the following:

7/3/2023
Rust Flow Prototyping

struct Address { family: u8, address: [u32, 4], } struct FlowDataStats { toserver_bytes: u64, toclient_bytes: u64, toserver_pkts: u32, // -> u64 }

6/29/2023
Read more from Jason Ish
Published on HackMD