<div dir="ltr"><div dir="ltr">Dunno know if this may help, but in docker docs they say:<div>"For interacting with the network stack, instead of using --privileged they should use --cap-add=NET_ADMIN to modify the network interfaces."</div><div><br></div><div>We are running in IDS mode inside docker with this configuration, never tested for IPS mode.</div><div><br></div><div>Just give a try.</div><div><br></div><div>Regards,</div><div>Davide</div><div><br><div class="gmail_quote"><div dir="ltr">Il giorno ven 26 ott 2018 alle ore 06:41 kavi perumal <<a href="mailto:kaviperumal22@gmail.com">kaviperumal22@gmail.com</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Davide,<div><br></div><div>Launched suricata with "--privilleged" option. Llike below.</div><div><br></div><div>#docker run -itd --privileged --net=host <image-name> /bin/bash</div><div>Once its started. Log in to docker.</div><div># docker exec -it <container-name> /bin/bash</div><div>#<inside docker> ./suricata -v -c /etc/suricata/suricata.yaml --af-packet &</div><div><br></div><div>I am able to see the packets on eth0 interface but not on the br0 interface. How to check whether suricata is dropping packet, suggest some debugging method, which log to see, or how.</div><div><br></div><div>Using suricata4.0.5 based docker image. (installed in a ubuntu:bionic based container).</div><div><br></div><div>Regards</div><div>-Kavi Perumal G. <br><br><div class="gmail_quote"><div dir="ltr">On Thu, Oct 25, 2018 at 6:06 PM Davide Setti <<a href="mailto:d.setti@certego.net" target="_blank">d.setti@certego.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Can you also share how suricata is launched within docker? Which permissions/capabilities where given to the container?<div><br></div><div>Regards,</div><div>Davide<br><br><div class="gmail_quote"><div dir="ltr">Il giorno gio 25 ott 2018 alle ore 11:58 kavi perumal <<a href="mailto:kaviperumal22@gmail.com" target="_blank">kaviperumal22@gmail.com</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Hi All,<div><br></div><div>I am using suricata 4.0.5 in a docker envt. running suricata in af-packet based IPS mode. </div><div>suricata is not bridging packets.</div><div><br></div><div>Topology:</div><div> </div><div> [eth0]--------suricata--------[br0] (br0.11 {192.168.1.1)</div><div><br></div><div>When i try to ping from external VM to IP 192.168.1.1 i am able to see the packets at eth0 but not able to see the packets on br0.</div><div><br></div><div>Can you please let me know am i doing something wrong? (or) how to check whether suricata is dropping packet/not?</div><div><br></div><div>suricata.yaml:</div><div>af-packet:</div><div><div> - interface: eth0</div><div> threads: 1</div><div> defrag: yes</div><div> cluster-type: cluster_flow</div><div> cluster-id: 98</div><div> copy-mode: ips</div><div> copy-iface: br0</div><div> buffer-size: 64535</div><div> use-mmap: yes</div><div> - interface: br0</div><div> threads: 1</div><div> cluster-id: 97</div><div> defrag: yes</div><div> cluster-type: cluster_flow</div><div> copy-mode: ips</div><div> copy-iface: eth0</div><div> buffer-size: 64535</div><div> use-mmap: yes</div></div><div><br></div><div><br></div><div>Regards</div><div>-Kavi Perumal G.</div></div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail-m_8442694541525732736m_-1163078979349463596gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><table border="0" cellspacing="0" cellpadding="0" style="font-family:"Times New Roman";width:420px"><tbody><tr valign="top"><td><table border="0" cellspacing="0" cellpadding="0"><tbody><tr valign="top"><td style="text-align:initial;vertical-align:top;padding:0px 8px"><a href="http://www.certego.net/" target="_blank"><img width="96" height="96" src="http://www.certego.net/email/certego.png" alt="" style="border-radius: 0px;"></a></td><td style="text-align:initial;vertical-align:top;padding:4px 0px"><div style="padding-top:2px;color:rgb(0,172,237);font-weight:bold;font-stretch:normal;font-size:18px;line-height:normal;font-family:sans-serif;letter-spacing:1px">Davide Setti</div><div style="padding-top:2px;color:rgb(32,32,32);font-weight:bold;font-stretch:normal;font-size:14px;line-height:normal;font-family:sans-serif">R&D and Incident Response Team, Certego</div><div style="padding-top:6px"><a href="http://www.linkedin.com/company/certego" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/linkedin.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://twitter.com/Certego_IRT" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/twitter.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://github.com/certego" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/github.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://www.youtube.com/CERTEGOsrl" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/youtube.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://plus.google.com/117641917176532015312" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/googleplus.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a></div></td></tr></tbody></table></td></tr></tbody></table><div style="width:420px;text-align:justify;vertical-align:top;padding:8px 0px;color:rgb(224,224,224);font-stretch:normal;font-size:8px;line-height:normal;font-family:sans-serif">Use of the information within this document constitutes acceptance for use in an "as is" condition. There are no warranties with regard to this information; Certego has verified the data as thoroughly as possible. Any use of this information lies within the user's responsibility. In no event shall Certego be liable for any consequences or damages, including direct, indirect, incidental, consequential, loss of business profits or special damages, arising out of or in connection with the use or spread of this information.</div></div></div></div></div></div></div>
</blockquote></div></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><table border="0" cellspacing="0" cellpadding="0" style="font-family:"Times New Roman";width:420px"><tbody><tr valign="top"><td><table border="0" cellspacing="0" cellpadding="0"><tbody><tr valign="top"><td style="text-align:initial;vertical-align:top;padding:0px 8px"><a href="http://www.certego.net/" target="_blank"><img width="96" height="96" src="http://www.certego.net/email/certego.png" alt="" style="border-radius: 0px;"></a></td><td style="text-align:initial;vertical-align:top;padding:4px 0px"><div style="padding-top:2px;color:rgb(0,172,237);font-weight:bold;font-stretch:normal;font-size:18px;line-height:normal;font-family:sans-serif;letter-spacing:1px">Davide Setti</div><div style="padding-top:2px;color:rgb(32,32,32);font-weight:bold;font-stretch:normal;font-size:14px;line-height:normal;font-family:sans-serif">R&D and Incident Response Team, Certego</div><div style="padding-top:6px"><a href="http://www.linkedin.com/company/certego" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/linkedin.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://twitter.com/Certego_IRT" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/twitter.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://github.com/certego" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/github.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://www.youtube.com/CERTEGOsrl" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/youtube.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a> <a href="http://plus.google.com/117641917176532015312" target="_blank"><img width="24" height="24" src="http://www.certego.net/email/googleplus.png" style="border-radius: 0px; border: 0px; width: 24px; min-height: 24px;"></a></div></td></tr></tbody></table></td></tr></tbody></table><div style="width:420px;text-align:justify;vertical-align:top;padding:8px 0px;color:rgb(224,224,224);font-stretch:normal;font-size:8px;line-height:normal;font-family:sans-serif">Use of the information within this document constitutes acceptance for use in an "as is" condition. There are no warranties with regard to this information; Certego has verified the data as thoroughly as possible. Any use of this information lies within the user's responsibility. In no event shall Certego be liable for any consequences or damages, including direct, indirect, incidental, consequential, loss of business profits or special damages, arising out of or in connection with the use or spread of this information.</div></div></div></div></div></div></div></div>