https://home.regit.org/tags/ips/ Recent content in IPS on To Linux and beyond ! Hugo fr Tue, 04 Sep 2012 20:53:53 +0000 https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/ Tue, 04 Sep 2012 20:53:53 +0000 https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/ <h4 id="a-new-suricata-ips-mode">A new Suricata IPS mode</h4> <p>Suricata IPS capabilities are not new. It is possible to use Suricata with Netfilter or ipfw to build a state-of-the-art IPS. On Linux, this system has not the best throughput performance. Patrick McHardy’s work on <a href="https://lwn.net/Articles/512442/">netlink: memory mapped I/O</a> should bring some real improvement but this is not yet available.</p> <p>I’ve thus decided to do an implementation of IPS based on AF_PACKET (read raw socket). The idea is based on one of the snort’s running mode. It peers two network interfaces and all packets received from one interface are sent to the other interface (if a signature with drop keyword does not fired on the packet). This requires to dedicate two network interfaces for Suricata but this provide a simple bridge system. As suricata is using latest AF_PACKET features (read load balancing), it was possible to build something really promising.</p>