<div dir="ltr">Dear All,<div><div><br></div><div>I adjusted suricata.yaml with the below configuration for eth2 and eth3 and am using the command</div><div>sudo suricata -c ~/suricata-3.1/suricata.yaml --af-packet, ping is working but all other protocols are dropped. Does anyone have an idea what could be causing this issue?</div><div>I am having the same issue with Snort being inline for traffic: only ping is passing and all other types of traffic are dropped.</div><div><br></div><div>&nbsp; - interface: eth2</div><div>&nbsp; &nbsp; threads: 32</div><div>&nbsp; &nbsp; defrag: yes</div><div>&nbsp; &nbsp; cluster-type: cluster_flow</div><div>&nbsp; &nbsp; cluster-id: 98</div><div>&nbsp; &nbsp; copy-mode: ips</div><div>&nbsp; &nbsp; copy-iface: eth3</div><div>&nbsp; &nbsp; buffer-size: 64535</div><div>&nbsp; &nbsp; use-mmap: yes</div><div>&nbsp; - interface: eth3</div><div>&nbsp; &nbsp; threads: 32</div><div>&nbsp; &nbsp; cluster-id: 97</div><div>&nbsp; &nbsp; defrag: yes</div><div>&nbsp; &nbsp; cluster-type: cluster_flow</div><div>&nbsp; &nbsp; copy-mode: ips</div><div>&nbsp; &nbsp; copy-iface: eth2</div><div>&nbsp; &nbsp; buffer-size: 64535</div><div>&nbsp; &nbsp; use-mmap: yes</div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Oct 22, 2016 at 11:15 AM, mostafa ammar <span dir="ltr"><<a href="mailto:mostafaammar79@gmail.com" target="_blank">mostafaammar79@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div>Dear All,<br><br></div>I installed Suricata as a VM on a XenServer hypervisor to work as an inline IPS between VMs. I added 3 interfaces to the VM: one management and 2 sensing interfaces, one in VLAN 9 and another in VLAN 10 (interfaces eth2, eth3).<br><br></div>I installed Suricata with NFQUEUE support and when running with<br> sudo suricata -c /home/ubuntu/suricata-3.1/suricata.yaml -q 0<br></div>it runs successfully.<br></div>I added the following to /etc/network/interfaces:<br><br>auto eth2<br>iface eth2 inet manual<br> up ifconfig eth2 0.0.0.0 up<br> up ip link set eth2 promisc on<br> post-up ethtool -K eth2 gro off<br> 
post-up ethtool -K eth2 lro off<br> down ip link set eth2 promisc off<br> down ifconfig eth2 down<br> <br># Second Bridged Interface<br>auto eth3<br>iface eth3 inet manual<br> up ifconfig eth3 0.0.0.0 up<br> up ip link set eth3 promisc on<br> post-up ethtool -K eth3 gro off<br> post-up ethtool -K eth3 lro off<br> down ip link set eth3 promisc off<br> down ifconfig eth3 down<br><br></div>And this is a snapshot of iptables:<br>ubuntu@ubuntu-HVM-domU:~$ sudo iptables -vnL<br>Chain INPUT (policy ACCEPT 16525 packets, 15M bytes)<br> pkts bytes target prot opt in out source destination <br> 0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 <br> 0 0 ACCEPT all -- eth3 * 0.0.0.0/0 0.0.0.0/0 <br> 0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 <br><br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination <br> 0 0 NFQUEUE all -- eth3 eth2 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0<br> 0 0 NFQUEUE all -- eth2 eth3 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0<br><br><br></div>Now I added 2 VMs, one in VLAN 9 and another in VLAN 10, but ping is not working and I see no packets at eth3 with Wireshark.<br><br></div>Any help with that?<br></div>
</blockquote></div><br></div>