<div dir="ltr">Hi Andi,<div><br></div><div>Nope - it didn't work. I even tried in IDS mode (tap).</div><div><br></div><div>Regards</div><div>-Kavi Perumal G.</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Oct 30, 2018 at 2:33 AM Andreas Herz &lt;<a href="mailto:andi@geekosphere.org">andi@geekosphere.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 25/10/18 at 15:28, kavi perumal wrote:<br>
> Hi All,<br>
> <br>
> I am using Suricata 4.0.5 in a Docker environment, running Suricata in af-packet<br>
> based IPS mode.<br>
> Suricata is not bridging packets.<br>
> <br>
> Topology:<br>
> <br>
>  [eth0]--------suricata--------[br0] (br0.11 {192.168.1.1)<br>
> <br>
> When I try to ping from an external VM to IP 192.168.1.1, I am able to see the<br>
> packets at eth0 but not able to see the packets on br0.<br>
> <br>
> Can you please let me know if I am doing something wrong, or how to check<br>
> whether Suricata is dropping packets or not?<br>
<br>
Can you look into the stats log?<br>
Does it work when you use IDS mode?<br>
<br>
> suricata.yaml:<br>
> af-packet:<br>
>   - interface: eth0<br>
>     threads: 1<br>
>     defrag: yes<br>
>     cluster-type: cluster_flow<br>
>     cluster-id: 98<br>
>     copy-mode: ips<br>
>     copy-iface: br0<br>
>     buffer-size: 64535<br>
>     use-mmap: yes<br>
>   - interface: br0<br>
>     threads: 1<br>
>     cluster-id: 97<br>
>     defrag: yes<br>
>     cluster-type: cluster_flow<br>
>     copy-mode: ips<br>
>     copy-iface: eth0<br>
>     buffer-size: 64535<br>
>     use-mmap: yes<br>
> <br>
> <br>
> Regards<br>
> -Kavi Perumal G.<br>
<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> <br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br>
<br>
<br>
-- <br>
Andreas Herz<br>
</blockquote></div>