Suricata

The problem¶

As reported on mailing list:

When I set suricata run with af-packet ips mode, I found it can’t record “drop.log” or drop log within eve.log. I found the source code don’t support this. When it record drop log, the engine must run ENGINE_MODE_IPS, but this only when NFQ and IPFW mode set this value.

static int JsonDropLogCondition(ThreadVars *tv, const Packet *p) {
    if (!EngineModeIsIPS()) {
        SCLogDebug("engine is not running in inline mode, so returning");
        return FALSE;
    }

Analysis and cause:¶

AF_PACKET is not setting the engine mode to IPS when some interfaces are peered. This is due to the fact, it is possible to peer 2 interfaces and run an IPS on them and have a third one that is running in normal IDS mode.

Unwanted side effect is that there is no drop log. An other side effect is that stream-inline is not activated automatically when AF_PACKET is used in IPS mode.

Solution¶

For backward compatibility we can not assume that a configuration with mixed IPS and IDS interfaces is wrong. So a solution is to do the following:

1. If af-packet is full IPS, we set IPS mode and this will activate stream inline.
2. If af-packet is in mixed mode, we add a warning message stating that this is not a good idea.