Contoh untuk AF-PACKET Suricata IPS
Step 1
NOTE: Pada pengaturan multi core besar, jumlah total utas yang digabungkan untuk kedua antarmuka tidak boleh lebih dari (jumlah total core – 4). Idealnya kurang dari itu karena ada juga Elasticsearch yang membutuhkan CPU.
In /etc/suricata/selks6-addin.yaml :
af-packet: - interface: enp1s0f0 threads: 4 # or a number that is below half the number of cores available defrag: no cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: enp1s0f1 tpacket-v3: no ring-size: 2048 use-mmap: yes - interface: enp1s0f1 threads: 4 # or a number that is below half the number of cores available cluster-id: 97 defrag: no cluster-type: cluster_flow copy-mode: ips copy-iface: enp1s0f0 tpacket-v3: no ring-size: 2048 use-mmap: yes
also make sure in /etc/network/interfaces:
auto lo
iface lo inet loopback
allow-hotplug eno1
iface eno1 inet static # Management interface
address 192.168.0.100
netmask 255.255.252.0
gateway 192.168.0.1
dns-nameservers 192.168.0.11 192.168.0.6
iface enp1s0f0 inet manual
pre-up ifconfig $IFACE up
post-down ifconfig $IFACE down
post-up /etc/network/if-up.d/selks-idps-interface-tuneup_stamus
iface enp1s0f1 inet manual
pre-up ifconfig $IFACE up
post-down ifconfig $IFACE down
post-up /etc/network/if-up.d/selks-idps-interface-tuneup_stamusStep 2
From Scirius transform the rules you would like from alert to drop:
- Select a rule that you would like to transform into
dropaction - Under
Actionsin the left hand side panel selectTransform rule - Select type
Dropand a ruleset to be used. - Click on
Valid - From the
Suricatamain tab in Scirius – selectRuleset actionson the left hand side panel - Select
Update(optional),Build,PushandApply