Support #2188

Suricata IPS with Bypass Switch Recommendation

Added by Mustaque Ahmad almost 2 years ago. Updated 3 months ago.

Status:
New
Priority:
Normal

Description

Hi,

We recently configured Suricata in IPS mode. IPS mode was installed on a bridged system. However, we are experiencing some issues when Suricata stops, is interrupted or shuts down. It starts forwarding the traffic and, due to that, we often have a production-down issue. To counter this we are planning to introduce a bypass switch which will bypass the traffic in case Suricata stops functioning. However, before we buy the product we need the following information:

Do you recommend any bypass switch which works best with Suricata (all do the same, but in case you have any preferred device)?
Suricata in bridge mode: are we using the right way, or is there any better recommended way you can suggest?
We are using Ubuntu as the OS platform and the bridge utility. Do you recommend anything else?

I will appreciate it if anyone responds to these queries. Thanks in advance.

Regards,
Mustaque


Files

image002.jpg (22.8 KB) - Mustaque Ahmad, 07/27/2017 09:19 PM

History

#1

Updated by Victor Julien almost 2 years ago

Can you say a bit more about how the bridge is set up and how Suricata interacts with it? Please attach config files and/or commands.

#2

Updated by Mustaque Ahmad almost 2 years ago

Here is the complete command followed by me:
$ sudo apt-get install bridge-utils
$ sudo brctl addbr br0
$ sudo brctl addif br0 eth1
$ sudo brctl addif br0 eth2
$ sudo ifconfig eth1 0.0.0.0
$ sudo ifconfig eth2 0.0.0.0
$ sudo ifconfig br0 up

sudo apt-get install python-software-properties

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

Rule for Emerging Threats

$ cd /etc/suricata
$ sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
$ sudo tar -xzf emerging.rules.tar.gz
$ sudo mkdir /var/log/suricata
$ sudo touch /etc/suricata/threshold.config

Edit /etc/suricata/suricata.yaml to enable IPS mode:
  # a line based information for dropped packets in IPS mode
  - drop:
-     enabled: no
+     enabled: yes
      filename: drop.log
      append: yes

Now test with DROP packets and IPS mode. Write the drop rule first.
$ sudo iptables -I FORWARD -j NFQUEUE

$ sudo iptables -A FORWARD -m physdev --physdev-in eth1
$ sudo iptables -A FORWARD -m physdev --physdev-in eth2

$ sudo suricata -c /etc/suricata/suricata.yaml -q 0

$ ls -al /var/log/suricata/
$ cat /var/log/suricata/fast.log

Let me know if you need more information.

Thanks in advance.

Regards
Mustaque

#3

Updated by Victor Julien almost 2 years ago

Sadly bridge+nfqueue has never worked well. If you need a bridge I'd advise you to look at afpacket in bridge mode.

We are talking to the netfilter project about ways to improve things, but for now don't mix bridge and nfqueue.

See also #2135.

I have also updated Known_Issues

#4

Updated by Mustaque Ahmad almost 2 years ago

Thanks Victor for the information. That setup was working for a long time in my environment. Could you also provide the documentation for afpacket in bridge mode? Also, any recommendation on a bypass switch? Thanks in advance.

Regards,
Mustaque

#5

Updated by Felipe Houde almost 2 years ago

Are you truly bridging or brouting?

If truly bridging, make sure you have these:

net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-filter-pppoe-tagged=1
net.bridge.bridge-nf-filter-vlan-tagged=1
net.bridge.bridge-nf-pass-vlan-input-dev=1

# We are not forwarding, we are bridging!
net.ipv4.ip_forward=0

You can also test with:

ebtables -t broute -A BROUTING -p ipv4 -j ACCEPT
ebtables -t broute -A BROUTING ! -p ipv4 -j ACCEPT

Those will make sure all packets are bridged.

#7

Updated by Mustaque Ahmad almost 2 years ago

Ok, great. Thanks for the information Felipe. My setup which I mentioned above has been working for 6 months now. My initial query on the bypass unit is still unanswered. Also, is there a script I can use which can keep checking the Suricata PID and restart the process if it fails?

Thanks and Regards,
Mustaque

#8

Updated by Andreas Herz almost 2 years ago

  • Assignee set to Anonymous

Can you be more specific about how you want the bypass to behave? There is no OOB script for the PID checking and restart, but it's quite simple to add your own in bash, or you can look into the system services for your distribution.

#9

Updated by Mustaque Ahmad almost 2 years ago

Let me give you a bit of background. We are using Suricata in inline mode and need a bypass switch to pass through the traffic in case the IPS fails to work. As you know, if it does not work then it will start dropping the packets. Attached is a sample diagram which gives a bit of understanding of the place where we have connected the device.

Thanks

#10

Updated by Felipe Houde almost 2 years ago

Have you tried?

In your suricata.service add:
[Service]
Restart=on-failure

In your iptables rule that sends traffic to suricata:
-j NFQUEUE --queue-bypass

In your suricata.yaml, in the "detect" section make sure you have:
delayed-detect: yes

With this, traffic should never be interrupted...

F.
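As an added check (not from the thread or the Suricata project), the POSIX shell script below audits the three fail-open settings Felipe lists: it reads a systemd unit file, an iptables-save dump and a suricata.yaml, and reports which of them would still leave the inline bridge fail-closed when Suricata dies or restarts. All file paths and contents are constructed samples; real paths will differ.

```shell
#!/bin/sh
# Fail-open audit for an inline Suricata + NFQUEUE setup. Checks the three
# settings from this thread: systemd Restart=on-failure, --queue-bypass on
# every NFQUEUE rule, and delayed-detect: yes in suricata.yaml.
# File paths and the sample contents below are constructed for this example.

# check_unit <unit-file>: 0 if [Service] restarts Suricata on failure
check_unit() {
    grep -Eq '^[[:space:]]*Restart=(on-failure|always)[[:space:]]*$' "$1"
}

# check_nfqueue <iptables-save dump>: 0 if there is at least one NFQUEUE rule
# and none of them lacks --queue-bypass (a rule without it fails closed)
check_nfqueue() {
    if grep -E -- '-j NFQUEUE' "$1" | grep -vq -- '--queue-bypass'; then
        return 1
    fi
    grep -q -- '-j NFQUEUE' "$1"
}

# check_yaml <suricata.yaml>: 0 if delayed-detect is enabled
check_yaml() {
    grep -Eq '^[[:space:]]*delayed-detect:[[:space:]]*yes' "$1"
}

# audit <unit> <iptables-dump> <yaml>: one line per check; returns the number
# of failed checks (0 = traffic keeps flowing while Suricata is down/restarting)
audit() {
    fails=0
    if check_unit "$1"; then echo "OK   unit: Restart=on-failure"
    else echo "FAIL unit: no Restart= in [Service]"; fails=$((fails + 1)); fi
    if check_nfqueue "$2"; then echo "OK   nfqueue: --queue-bypass on all rules"
    else echo "FAIL nfqueue: NFQUEUE rule without --queue-bypass"; fails=$((fails + 1)); fi
    if check_yaml "$3"; then echo "OK   yaml: delayed-detect: yes"
    else echo "FAIL yaml: delayed-detect is not yes"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed samples: one fail-closed set and one fail-open set.
tmp=$(mktemp -d)
printf '[Service]\nExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0\n' > "$tmp/bad.service"
printf '[Service]\nExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0\nRestart=on-failure\n' > "$tmp/good.service"
printf '%s\n' '-A FORWARD -j NFQUEUE' > "$tmp/bad.rules"
printf '%s\n' '-A FORWARD -j NFQUEUE --queue-bypass' > "$tmp/good.rules"
printf 'detect:\n  delayed-detect: no\n' > "$tmp/bad.yaml"
printf 'detect:\n  delayed-detect: yes\n' > "$tmp/good.yaml"
audit "$tmp/bad.service" "$tmp/bad.rules" "$tmp/bad.yaml" || echo "bad set: $? check(s) failed"
audit "$tmp/good.service" "$tmp/good.rules" "$tmp/good.yaml" && echo "good set: fail-open"
```

On a live host, point the three arguments at the real unit file, the output of `iptables-save`, and /etc/suricata/suricata.yaml.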

#11

Updated by Mustaque Ahmad almost 2 years ago

Hi Felipe,

Much appreciated, your information and detail. I will check that configuration change in my environment. One last query: does Suricata support trunking?

Thanks and Regards,
Mustaque

#12

Updated by Andreas Herz 3 months ago

  • Assignee set to Community Ticket
