<div dir="ltr"><div><div>Hi, <br></div> I run Suricata in IPS mode with nfqueue.<br> In one of my tests, I found that the packet MAC is changed.<br></div><div><br></div><div>The ulogd output without Suricata IPS:<br><br>Sep 23 12:47:29 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=32954 DF PROTO=TCP SPT=80 DPT=4384 SEQ=307688699 ACK=424298579 WINDOW=64240 ACK SYN URGP=0 MARK=0 <br>
Sep 23 12:47:29 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=2960 TOS=00 PREC=0x00 TTL=127 ID=204 DF PROTO=TCP SPT=80 DPT=4384 SEQ=307688700 ACK=424298946 WINDOW=63873 ACK URGP=0 MARK=0 <br>
Sep 23 12:47:29 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=624 TOS=00 PREC=0x00 TTL=127 ID=32977 DF PROTO=TCP SPT=80 DPT=4384 SEQ=307691620 ACK=424298946 WINDOW=63873 ACK PSH URGP=0 MARK=0 <br>
Sep 23 12:47:29 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=32984 DF PROTO=TCP SPT=80 DPT=4386 SEQ=3152443844 ACK=1165991009 WINDOW=64240 ACK SYN URGP=0 MARK=0 <br>
Sep 23 12:47:29 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=32983 DF PROTO=TCP SPT=80 DPT=4385 SEQ=135928712 ACK=556255833 WINDOW=64240 ACK SYN URGP=0 MARK=0 <br>
<br></div><div>After starting Suricata, the ulogd output is:<br><br>Sep 23 12:48:38 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=33101 DF PROTO=TCP SPT=80 DPT=4425 SEQ=1285162728 ACK=456813905 WINDOW=64240 ACK SYN URGP=0 MARK=1d6b <br>
Sep 23 12:48:38 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:5f:40:00:7f:06:99:ba:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=351 DF PROTO=TCP SPT=80 DPT=4425 SEQ=1285162729 ACK=456814272 WINDOW=63873 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:39 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:60:40:00:7f:06:99:b9:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=352 DF PROTO=TCP SPT=80 DPT=4425 SEQ=1285164189 ACK=456814272 WINDOW=63873 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:39 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=40 TOS=00 PREC=0x00 TTL=127 ID=33125 DF PROTO=TCP SPT=80 DPT=4425 SEQ=1285165649 ACK=456814272 WINDOW=63873 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=33129 DF PROTO=TCP SPT=80 DPT=4425 SEQ=1285162729 ACK=456814272 WINDOW=63873 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:6b:40:00:7f:06:99:ae:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=363 DF PROTO=TCP SPT=80 DPT=4425 SEQ=1285164189 ACK=456814272 WINDOW=63873 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:02:70:01:6c:40:00:7f:06:9d:19:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=624 TOS=00 PREC=0x00 TTL=127 ID=364 DF PROTO=TCP SPT=80 DPT=4425 SEQ=1285165649 ACK=456814272 WINDOW=63873 ACK PSH URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=33133 DF PROTO=TCP SPT=80 DPT=4428 SEQ=3435204889 ACK=749380856 WINDOW=64240 ACK SYN URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=33134 DF PROTO=TCP SPT=80 DPT=4429 SEQ=1801149160 ACK=506769786 WINDOW=64240 ACK SYN URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=33135 DF PROTO=TCP SPT=80 DPT=4430 SEQ=1488948605 ACK=1395884765 WINDOW=64240 ACK SYN URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:70:40:00:7f:06:99:a9:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=368 DF PROTO=TCP SPT=80 DPT=4428 SEQ=3435204890 ACK=749381232 WINDOW=63864 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:71:40:00:7f:06:99:a8:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=369 DF PROTO=TCP SPT=80 DPT=4428 SEQ=3435206350 ACK=749381232 WINDOW=63864 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:73:40:00:7f:06:99:a6:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=371 DF PROTO=TCP SPT=80 DPT=4429 SEQ=1801149161 ACK=506770161 WINDOW=63865 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:00:c9:01:74:40:00:7f:06:9e:b8:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=201 TOS=00 PREC=0x00 TTL=127 ID=372 DF PROTO=TCP SPT=80 DPT=4429 SEQ=1801150621 ACK=506770161 WINDOW=63865 ACK PSH URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:75:40:00:7f:06:99:a4:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=373 DF PROTO=TCP SPT=80 DPT=4430 SEQ=1488948606 ACK=1395885133 WINDOW=63872 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:76:40:00:7f:06:99:a3:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=374 DF PROTO=TCP SPT=80 DPT=4430 SEQ=1488950066 ACK=1395885133 WINDOW=63872 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=33144 DF PROTO=TCP SPT=80 DPT=4431 SEQ=2065874860 ACK=3404625877 WINDOW=64240 ACK SYN URGP=0 MARK=1d6b <br>
Sep 23 12:48:41 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=33145 DF PROTO=TCP SPT=80 DPT=4432 SEQ=704937129 ACK=2405052443 WINDOW=64240 ACK SYN URGP=0 MARK=1d6b <br>
Sep 23 12:48:42 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=40 TOS=00 PREC=0x00 TTL=127 ID=33147 DF PROTO=TCP SPT=80 DPT=4429 SEQ=1801150782 ACK=506770161 WINDOW=63865 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:42 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=40 TOS=00 PREC=0x00 TTL=127 ID=33146 DF PROTO=TCP SPT=80 DPT=4430 SEQ=1488951526 ACK=1395885133 WINDOW=63872 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:42 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=40 TOS=00 PREC=0x00 TTL=127 ID=33148 DF PROTO=TCP SPT=80 DPT=4428 SEQ=3435207810 ACK=749381232 WINDOW=63864 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:44 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=33151 DF PROTO=TCP SPT=80 DPT=4429 SEQ=1801149161 ACK=506770161 WINDOW=63865 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:44 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=33152 DF PROTO=TCP SPT=80 DPT=4430 SEQ=1488948606 ACK=1395885133 WINDOW=63872 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:44 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=33150 DF PROTO=TCP SPT=80 DPT=4428 SEQ=3435204890 ACK=749381232 WINDOW=63864 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:44 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:81:40:00:7f:06:99:98:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=385 DF PROTO=TCP SPT=80 DPT=4428 SEQ=3435206350 ACK=749381232 WINDOW=63864 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:44 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:82:40:00:7f:06:99:97:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=386 DF PROTO=TCP SPT=80 DPT=4428 SEQ=3435207810 ACK=749381232 WINDOW=63864 ACK URGP=0 MARK=1d6b <br>
Sep 23 12:48:44 mydebian ulogd[2752]: LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:84:40:00:7f:06:99:95:0a:0a SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=388 DF PROTO=TCP SPT=80 DPT=4430 SEQ=1488950066 ACK=1395885133 WINDOW=63872 ACK URGP=0 MARK=1d6b <br>
<br><br></div><div>As we can see, the MAC of the packet is changed.<br><br></div><div>BR,<br></div><div>DeltaY<br></div></div>
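The odd MAC values in the second log decode as the first 14 bytes of an IPv4 header (45 00 05 dc = version 4, IHL 5, total length 1500; 01 5f = ID 351; 40 00 = DF; 7f = TTL 127; 06 = TCP; 0a 0a = the start of 10.10.40.117), and they agree with the LEN, ID, TTL, DF and PROTO fields of the very same line, so the logger is reading IP bytes where it expects a link-layer header rather than seeing a rewritten MAC. The following Python check is an added diagnostic, not part of the original post nor of ulogd or Suricata: it parses ulogd LOG lines and flags those whose MAC field is really the packet's own IPv4 header; the sample lines are trimmed copies of the output above.

```python
import re

# Trimmed copies of two ulogd LOG lines from the post above (fields the check
# does not need were cut): the first is a clean one, the second the odd one.
CLEAN = ("LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=00:50:56:86:49:96:00:50:56:bb:26:9b:08:00 "
         "SRC=10.10.40.117 DST=20.20.20.112 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=32954 DF PROTO=TCP")
SUSPECT = ("LOG=MAC-TEST IN=eth4 OUT=eth2 MAC=45:00:05:dc:01:5f:40:00:7f:06:99:ba:0a:0a "
           "SRC=10.10.40.117 DST=20.20.20.112 LEN=1500 TOS=00 PREC=0x00 TTL=127 ID=351 DF PROTO=TCP")
SAMPLE_LINES = [CLEAN, SUSPECT]

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")
PROTO_NUMS = {"ICMP": 1, "TCP": 6, "UDP": 17}


def parse_ulogd(line):
    """Split a ulogd LOG line into its KEY=VALUE fields; DF is a bare flag word."""
    fields = dict(FIELD_RE.findall(line))
    fields["DF"] = " DF " in line
    return fields


def classify_mac_field(fields):
    """'ipv4-header' when the 14 MAC bytes decode to an IPv4 header that agrees
    with the line's own LEN/ID/TTL/PROTO/DF, 'ethernet' when they end in a
    known EtherType, else 'unknown'."""
    raw = bytes.fromhex(fields["MAC"].replace(":", ""))
    if len(raw) != 14:
        return "unknown"
    version, ihl = raw[0] >> 4, raw[0] & 0x0F      # byte 0: version / IHL
    total_len = int.from_bytes(raw[2:4], "big")    # bytes 2-3: total length
    ip_id = int.from_bytes(raw[4:6], "big")        # bytes 4-5: identification
    df = bool(raw[6] & 0x40)                       # byte 6: flags, DF bit
    ttl, proto = raw[8], raw[9]                    # bytes 8-9: TTL, protocol
    if (version == 4 and ihl >= 5
            and total_len == int(fields["LEN"])
            and ip_id == int(fields["ID"])
            and ttl == int(fields["TTL"])
            and proto == PROTO_NUMS.get(fields.get("PROTO"))
            and df == fields["DF"]):
        return "ipv4-header"
    if int.from_bytes(raw[12:14], "big") in (0x0800, 0x0806, 0x86DD):
        return "ethernet"
    return "unknown"


def suspicious_ids(lines):
    """IP IDs of the lines whose MAC field is really the packet's IPv4 header."""
    return [int(parse_ulogd(ln)["ID"]) for ln in lines
            if "MAC=" in ln and classify_mac_field(parse_ulogd(ln)) == "ipv4-header"]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_mac_field(parse_ulogd(line)), line[:70])
```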