Suricata functions as a powerful engine for Network Intrusion Detection and Prevention (IDS/IPS). This guide demonstrates how to set up Suricata as a transparent Intrusion Prevention System (IPS) within a KVM environment by replacing the kernel bridge with the high-performance AF-Packet mechanism.
1. Architectural Foundation: VM Isolation and Bridge Setup
To enable transparent inline inspection, traffic must sequentially pass through a single inspection point. I have chosen to implement this point within a dedicated VM to decouple the security functions from the host for isolation and security reasons. This requires two network interfaces on the VM: one for the external network (uplink) and one for the internal network (VM guests).
Example: Virtualization Architecture (Open vSwitch Context)
In my KVM/Open vSwitch (OVS) environment, network segregation is managed via two dedicated bridges: ovs-host (connected to the host uplink) and ovs-guests (internal VM network).
The Firewall VM acts as the Gateway, with NIC 1 (ens3) connected to ovs-host and NIC 2 (ens5) connected to ovs-guests.
The Standard Bridge (Comparison)
The simplest way to connect these is using a kernel bridge (br0) within the Firewall VM. This allows for basic nftables Layer 2 filtering but introduces significant overhead for high-speed DPI. For superior performance, I avoid using the kernel bridge.
2. Implementation of AF-Packet Bridging
For high-speed, packet-by-packet inspection, I use Suricata’s AF-Packet modules to implement the bridging and packet injection logic in user space, avoiding kernel bridge overhead.
Network Configuration & Performance Tuning
The use of a kernel bridge is avoided; instead, I configure both critical network cards (ens3, ens5) manually.
auto ens3
iface ens3 inet manual
pre-up ip link set ens3 up
pre-up /root/disable-offload.sh ens3
auto ens5
iface ens5 inet manual
pre-up ip link set ens5 up
pre-up /root/disable-offload.sh ens5CRITICAL Performance Step: Network offloading features must be disabled as they interfere with deep packet inspection.
# /root/disable-offload.sh
#!/bin/bash
DEV="$1"
for i in rx tx tso gso gro lro tx sg txvlan rxvlan; do
/sbin/ethtool -K $DEV $i off &>/dev/null;
doneSuricata Configuration (suricata.yaml)
I configure two af-packet instances, instructing each to copy packets to the opposite interface. This mimics the bridge functionality in the application layer, enabling full IPS inspection.
af-packet:
# Traffic from External -> Internal
- interface: ens3
threads: 1
cluster-id: 98
cluster-type: cluster_flow
copy-mode: ips # CRITICAL: Enables IPS injection
copy-iface: ens5 # Destination: internal network
...
# Traffic from Internal -> External
- interface: ens5
threads: 1
cluster-id: 97
cluster-type: cluster_flow
copy-mode: ips
copy-iface: ens3 # Destination: external network
...3. Finalization and Verification
After configuring HOME_NET and installing rulesets (suricata-update), the system is ready.
systemctl start suricataThe log confirmation shows the successful activation of the transparent IPS mode:
<Info> - AF_PACKET IPS mode activated ens3->ens5
<Info> - AF_PACKET IPS mode activated ens5->ens3
<Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.This ensures that all traffic is inspected in the application layer by Suricata. If deemed safe, the inspected packet is then copied and injected back into the output interface, effectively forwarding it to the target.
Sources / See Also
- KVM/QEMU Documentation. Considerations for network device emulation (VirtIO vs. e1000) in high-throughput applications.
- Suricata Documentation. High-performance AF_PACKET IPS mode configuration and usage.
https://docs.suricata.io/en/latest/install/af-packet.html - Open vSwitch Documentation. Concepts and architecture of OVS bridges for VM traffic segregation.
https://docs.openvswitch.org/en/latest/ - Linux Manpage: ethtool. Details on various network offload features (TSO, GSO, LRO) and their impact on raw packet inspection.
https://man7.org/linux/man-pages/man8/ethtool.8.html