<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="generator" content="HTML Tidy for Windows (vers 25 March 2009), see www.w3.org">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style type="text/css">
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
-->
</style>
<title></title>
</head>
<body>
I did disable the lro and gro.<br>
<br>
<br>
<br>
Thanks<br>
<br>
<br>
<br>
-----Original Message-----<br>
<b>From: </b>Leonard Jacobs [<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>]<br>
<b>Sent: </b>Friday, June 19, 2015 03:08 PM Eastern Standard Time<br>
<b>To: </b>Saxena, Samiksha; oisf-users@lists.openinfosecfoundation.org<br>
<b>Subject: </b>RE: [Oisf-users] Can I run Suricata with AF_Packet inside container<br>
<br>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>That looks ok unless that is really not the name of your second interface.</span></p>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span></p>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Did you disable the offloading settings in your NICs using ethtool?</span></p>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class="MsoNormal"><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b> <span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Saxena, Samiksha [mailto:samiksha.saxena@verizon.com]<br>
<b>Sent:</b> Friday, June 19, 2015 1:15 PM<br>
<b>To:</b> Leonard Jacobs; oisf-users@lists.openinfosecfoundation.org<br>
<b>Subject:</b> Re: [Oisf-users] Can I run Suricata with AF_Packet inside container</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'>Here is my yaml file config:</span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:13.5pt;font-family:"Calibri","sans-serif";color:black'># af-packet support<br>
# Set threads to > 1 to use PACKET_FANOUT support<br>
af-packet:<br>
- interface: em1<br>
threads: 1<br>
defrag: yes<br>
cluster-type: cluster_flow<br>
cluster-id: 98<br>
copy-mode: ips<br>
copy-iface: vethd56c973<br>
buffer-size: 64535<br>
use-mmap: yes<br>
- interface: vethd56c973<br>
threads: 1<br>
cluster-id: 97<br>
defrag: yes<br>
cluster-type: cluster_flow<br>
copy-mode: ips<br>
copy-iface: em1<br>
buffer-size: 64535<br>
use-mmap: yes</span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'> </span></p>
</div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class="MsoNormal"><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>From:</span></b> <span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>><br>
<b>Date:</b> Friday, June 19, 2015 at 2:11 PM<br>
<b>To:</b> "Saxena, Samiksha" <<a href="mailto:samiksha.saxena@one.verizon.com">samiksha.saxena@one.verizon.com</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br>
<b>Subject:</b> RE: [Oisf-users] Can I run Suricata with AF_Packet inside container</span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'> </span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You can look it up by googling your processor type.</span></p>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span></p>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>How many threads did you set in af-packet section of yaml?</span></p>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class="MsoNormal"><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>From:</span></b> <span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Saxena, Samiksha [<a href="mailto:samiksha.saxena@verizon.com">mailto:samiksha.saxena@verizon.com</a>]<br>
<b>Sent:</b> Friday, June 19, 2015 1:10 PM<br>
<b>To:</b> Leonard Jacobs; <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
<b>Subject:</b> Re: [Oisf-users] Can I run Suricata with AF_Packet inside container</span></p>
</div>
</div>
<p class="MsoNormal"><span style='color:black'> </span></p>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'>I am not sure about it, how can I check this?</span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'> </span></p>
</div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class="MsoNormal"><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>From:</span></b> <span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>><br>
<b>Date:</b> Friday, June 19, 2015 at 2:00 PM<br>
<b>To:</b> "Saxena, Samiksha" <<a href="mailto:samiksha.saxena@one.verizon.com">samiksha.saxena@one.verizon.com</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br>
<b>Subject:</b> RE: [Oisf-users] Can I run Suricata with AF_Packet inside container</span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'> </span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Can your processor handle 38 packet processing threads?</span></p>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class="MsoNormal"><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>From:</span></b> <span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Saxena, Samiksha [<a href="mailto:samiksha.saxena@verizon.com">mailto:samiksha.saxena@verizon.com</a>]<br>
<b>Sent:</b> Friday, June 19, 2015 12:57 PM<br>
<b>To:</b> Leonard Jacobs; <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
<b>Subject:</b> Re: [Oisf-users] Can I run Suricata with AF_Packet inside container</span></p>
</div>
</div>
<p class="MsoNormal"><span style='color:black'> </span></p>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'>Yes, I added the interface information in suricata.yaml. This is what I am getting: </span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'> </span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:13.5pt;font-family:"Calibri","sans-serif";color:black'>root@blade6:/# suricata -c /etc/suricata/suricata.yaml --af-packet<br>
19/6/2015 -- 15:07:45 - <Notice> - This is Suricata version 2.0.8 RELEASE<br>
19/6/2015 -- 15:07:53 - <Notice> - all 38 packet processing threads, 3 management threads initialized, engine started.<br>
19/6/2015 -- 15:07:53 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using mmap mode with GRO or LRO activated can lead to capture problems<br>
19/6/2015 -- 15:07:53 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using mmap mode with GRO or LRO activated can lead to capture problems<br>
^C19/6/2015 -- 15:08:27 - <Notice> - Signal Received. Stopping engine.<br>
19/6/2015 -- 15:08:27 - <Notice> - Stats for 'em1': pkts: 1312, drop: 0 (0.00%), invalid chksum: 0<br>
19/6/2015 -- 15:08:27 - <Notice> - Stats for 'vethd56c973': pkts: 21, drop: 0 (0.00%), invalid chksum: 0<br>
root@blade6:/# </span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'> </span></p>
</div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class="MsoNormal"><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>From:</span></b> <span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>><br>
<b>Date:</b> Friday, June 19, 2015 at 1:50 PM<br>
<b>To:</b> "Saxena, Samiksha" <<a href="mailto:samiksha.saxena@one.verizon.com">samiksha.saxena@one.verizon.com</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br>
<b>Subject:</b> RE: [Oisf-users] Can I run Suricata with AF_Packet inside container</span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'> </span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Did you setup the interfaces within suricata.yaml in the af-packet section? Set ips mode in that section?</span></p>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span></p>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>See <a href="https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/">https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/</a>. It works. We use and it works great as long as your rules are set to drop as the action.</span></p>
<p class="MsoNormal"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class="MsoNormal"><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a> [<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">mailto:oisf-users-bounces@lists.openinfosecfoundation.org</a>] <b>On Behalf Of</b> Saxena, Samiksha<br>
<b>Sent:</b> Friday, June 19, 2015 12:48 PM<br>
<b>To:</b> <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
<b>Subject:</b> [Oisf-users] Can I run Suricata with AF_Packet inside container</span></p>
</div>
</div>
<p class="MsoNormal"><span style='color:black'> </span></p>
<div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'>Hi,</span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'> </span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'>I want to run Suricata with AF_packet mode inside a docker container. I am having trouble with configuring the interfaces. Also, I ran a simple rule of dropping every TCP request, but seems like nothing is dropped.</span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'> </span></p>
</div>
<div>
<p class="MsoNormal"><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:black'>Thanks</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>