<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"><div>Here is my yaml file config:</div><div><span style="font-family: Calibri; font-size: medium;"># af-packet support</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"># Set threads to > 1 to use PACKET_FANOUT support</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;">af-packet:</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> - interface: em1</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> threads: 1</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> defrag: yes</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> cluster-type: cluster_flow</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> cluster-id: 98</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> copy-mode: ips</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> copy-iface: vethd56c973</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> buffer-size: 64535</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> use-mmap: yes</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> - interface: vethd56c973</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> threads: 1</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> cluster-id: 97</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> defrag: yes</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> cluster-type: cluster_flow</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> copy-mode: ips</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> copy-iface: em1</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> buffer-size: 64535</span><br style="font-family: Calibri; font-size: medium;"><span style="font-family: Calibri; font-size: medium;"> use-mmap: yes</span><br style="font-family: Calibri; font-size: medium;"></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>><br><span style="font-weight:bold">Date: </span> Friday, June 19, 2015 at 2:11 PM<br><span style="font-weight:bold">To: </span> "Saxena, Samiksha" <<a href="mailto:samiksha.saxena@one.verizon.com">samiksha.saxena@one.verizon.com</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br><span style="font-weight:bold">Subject: </span> RE: [Oisf-users] Can I run Suricata with AF_Packet inside container<br></div><div><br></div><div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="Generator" content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">You can look it up by googling your processor type.
<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">How many threads did you set in af-packet section of yaml?<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"><o:p> </o:p></span></p><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif;">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif;"> Saxena, Samiksha [<a href="mailto:samiksha.saxena@verizon.com">mailto:samiksha.saxena@verizon.com</a>]
<br><b>Sent:</b> Friday, June 19, 2015 1:10 PM<br><b>To:</b> Leonard Jacobs; <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br><b>Subject:</b> Re: [Oisf-users] Can I run Suricata with AF_Packet inside container<o:p></o:p></span></p></div></div><p class="MsoNormal"><o:p> </o:p></p><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">I am not sure about it, how can I check this?<o:p></o:p></span></p></div><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p></div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black;">From:
</span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black;">Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>><br><b>Date: </b>Friday, June 19, 2015 at 2:00 PM<br><b>To: </b>"Saxena, Samiksha" <<a href="mailto:samiksha.saxena@one.verizon.com">samiksha.saxena@one.verizon.com</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br><b>Subject: </b>RE: [Oisf-users] Can I run Suricata with AF_Packet inside container<o:p></o:p></span></p></div><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"><o:p> </o:p></span></p></div><div><div><p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">Can your processor handle 38 packet processing threads?</span><span style="color:black"><o:p></o:p></span></p><p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"> </span><span style="color:black"><o:p></o:p></span></p><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; color: black;">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; color: black;"> Saxena, Samiksha [<a href="mailto:samiksha.saxena@verizon.com">mailto:samiksha.saxena@verizon.com</a>]
<br><b>Sent:</b> Friday, June 19, 2015 12:57 PM<br><b>To:</b> Leonard Jacobs; <a href="mailto:oisf-users@lists.openinfosecfoundation.org">
oisf-users@lists.openinfosecfoundation.org</a><br><b>Subject:</b> Re: [Oisf-users] Can I run Suricata with AF_Packet inside container</span><span style="color:black"><o:p></o:p></span></p></div></div><p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Yes, I added the interface information in suricata.yaml. This is what I am getting: </span><span style="color:black"><o:p></o:p></span></p></div><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"> </span><span style="color:black"><o:p></o:p></span></p></div><div><p class="MsoNormal"><span style="font-size: 13.5pt; font-family: Calibri, sans-serif; color: black;">root@blade6:/# suricata -c /etc/suricata/suricata.yaml --af-packet<br>
19/6/2015 -- 15:07:45 - <Notice> - This is Suricata version 2.0.8 RELEASE<br>
19/6/2015 -- 15:07:53 - <Notice> - all 38 packet processing threads, 3 management threads initialized, engine started.<br>
19/6/2015 -- 15:07:53 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using mmap mode with GRO or LRO activated can lead to capture problems<br>
19/6/2015 -- 15:07:53 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using mmap mode with GRO or LRO activated can lead to capture problems<br>
^C19/6/2015 -- 15:08:27 - <Notice> - Signal Received. Stopping engine.<br>
19/6/2015 -- 15:08:27 - <Notice> - Stats for 'em1': pkts: 1312, drop: 0 (0.00%), invalid chksum: 0<br>
19/6/2015 -- 15:08:27 - <Notice> - Stats for 'vethd56c973': pkts: 21, drop: 0 (0.00%), invalid chksum: 0<br>
root@blade6:/# </span><span style="color:black"><o:p></o:p></span></p></div><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"> </span><span style="color:black"><o:p></o:p></span></p></div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black;">From:
</span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black;">Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>><br><b>Date: </b>Friday, June 19, 2015 at 1:50 PM<br><b>To: </b>"Saxena, Samiksha" <<a href="mailto:samiksha.saxena@one.verizon.com">samiksha.saxena@one.verizon.com</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br><b>Subject: </b>RE: [Oisf-users] Can I run Suricata with AF_Packet inside container</span><span style="color:black"><o:p></o:p></span></p></div><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"> </span><span style="color:black"><o:p></o:p></span></p></div><div><div><p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">Did you setup the interfaces within suricata.yaml in the af-packet section? Set ips mode in that section?</span><span style="color:black"><o:p></o:p></span></p><p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"> </span><span style="color:black"><o:p></o:p></span></p><p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">See
<a href="https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/">https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/</a>. It works. We use and it works great as long as your rules are set to drop as the action.</span><span style="color:black"><o:p></o:p></span></p><p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"> </span><span style="color:black"><o:p></o:p></span></p><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; color: black;">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; color: black;"><a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a>
[<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">mailto:oisf-users-bounces@lists.openinfosecfoundation.org</a>]
<b>On Behalf Of </b>Saxena, Samiksha<br><b>Sent:</b> Friday, June 19, 2015 12:48 PM<br><b>To:</b> <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br><b>Subject:</b> [Oisf-users] Can I run Suricata with AF_Packet inside container</span><span style="color:black"><o:p></o:p></span></p></div></div><p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p><div><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Hi,</span><span style="color:black"><o:p></o:p></span></p></div><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"> </span><span style="color:black"><o:p></o:p></span></p></div><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">I want to run Suricata with AF_packet mode inside a docker container. I am having trouble with configuring the interfaces. Also, I ran a simple rule of dropping
every TCP request, but seems like nothing is dropped.</span><span style="color:black"><o:p></o:p></span></p></div><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;"> </span><span style="color:black"><o:p></o:p></span></p></div><div><p class="MsoNormal"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: black;">Thanks</span><span style="color:black"><o:p></o:p></span></p></div></div></div></div></div></div></div></div></div></span></body></html>