[Oisf-users] Can I run Suricata with AF_Packet inside container
Saxena, Samiksha
samiksha.saxena at verizon.com
Fri Jun 19 17:56:41 UTC 2015
Yes, I added the interface information in suricata.yaml. This is what I am getting:
root at blade6:/# suricata -c /etc/suricata/suricata.yaml --af-packet
19/6/2015 -- 15:07:45 - <Notice> - This is Suricata version 2.0.8 RELEASE
19/6/2015 -- 15:07:53 - <Notice> - all 38 packet processing threads, 3 management threads initialized, engine started.
19/6/2015 -- 15:07:53 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using mmap mode with GRO or LRO activated can lead to capture problems
19/6/2015 -- 15:07:53 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using mmap mode with GRO or LRO activated can lead to capture problems
^C19/6/2015 -- 15:08:27 - <Notice> - Signal Received. Stopping engine.
19/6/2015 -- 15:08:27 - <Notice> - Stats for 'em1': pkts: 1312, drop: 0 (0.00%), invalid chksum: 0
19/6/2015 -- 15:08:27 - <Notice> - Stats for 'vethd56c973': pkts: 21, drop: 0 (0.00%), invalid chksum: 0
root at blade6:/#
From: Leonard Jacobs <ljacobs at netsecuris.com>
Date: Friday, June 19, 2015 at 1:50 PM
To: "Saxena, Samiksha" <samiksha.saxena at one.verizon.com>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: RE: [Oisf-users] Can I run Suricata with AF_Packet inside container
Did you set up the interfaces within suricata.yaml in the af-packet section? Did you set ips mode in that section?
See https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/. It works. We use it and it works great as long as your rules are set to drop as the action.
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Saxena, Samiksha
Sent: Friday, June 19, 2015 12:48 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Can I run Suricata with AF_Packet inside container
Hi,
I want to run Suricata in AF_Packet mode inside a Docker container. I am having trouble with configuring the interfaces. Also, I ran a simple rule of dropping every TCP request, but it seems like nothing is dropped.
Thanks
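As an added illustration of the af-packet IPS configuration Leonard is pointing at (this is not a config from the thread or from the Suricata project; the interface names em1 and vethd56c973 are taken from the stats lines above, and the thread counts, cluster-ids and buffer size are assumed values for a small test box), the relevant section of suricata.yaml looks like this. The point is that each interface must name the other as its copy-iface with copy-mode set to ips. Without that pairing the two interfaces are just two independent IDS captures, which is what the two separate "Stats for" lines above suggest: Suricata still alerts on a drop rule, but it has no inline path on which to actually discard the packet.

```yaml
# Added example: af-packet section of suricata.yaml for inline (IPS) mode.
# Interface names em1 and vethd56c973 come from the stats lines in the thread;
# threads, cluster-id and buffer-size are assumed values for a small test box.
af-packet:
  - interface: em1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    # Inline bridging: packets read on em1 are written out on vethd56c973
    # unless a drop rule matches them.
    copy-mode: ips
    copy-iface: vethd56c973
    use-mmap: yes
    buffer-size: 64535
  - interface: vethd56c973
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    # ...and the reverse direction, so the pair forms a transparent bridge.
    copy-mode: ips
    copy-iface: em1
    use-mmap: yes
    buffer-size: 64535
```

With that in place, a rule such as drop tcp any any -> any any (msg:"drop all tcp"; sid:1000001; rev:1;) in a loaded rules file will block rather than only alert, and the engine is started exactly as in the log above with suricata -c /etc/suricata/suricata.yaml --af-packet. Two checks a practitioner would make before trusting the result: the SC_ERR_AFP_CREATE warning in the log means GRO/LRO is on for those interfaces, so turn it off on the host (for example ethtool -K em1 gro off lro off, and likewise for the veth side) or mmap capture can miss packets; and when Suricata runs inside Docker it must be able to see the host interfaces and open raw sockets, so the container needs something like --net=host and CAP_NET_RAW (granted by default) plus CAP_NET_ADMIN for promiscuous mode (these flags are an assumption about a typical setup, not from the thread).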