[Oisf-users] Can I run Suricata with AF_Packet inside container

Leonard Jacobs ljacobs at netsecuris.com
Fri Jun 19 19:11:49 UTC 2015


Still does not work? Still getting errors?  Enabled drop on rules.  I would not test this with any custom rules.  I would enable some rules then try to vulnerability scan the system and see if it catches any bad things.
 
From: Saxena, Samiksha [mailto:samiksha.saxena at verizon.com] 
Sent: Friday, June 19, 2015 2:10 PM
To: 'Leonard Jacobs'; 'oisf-users at lists.openinfosecfoundation.org'
Subject: RE: [Oisf-users] Can I run Suricata with AF_Packet inside container
 
I did disable the lro and gro.

Thanks



-----Original Message-----
From: Leonard Jacobs [ljacobs at netsecuris.com]
Sent: Friday, June 19, 2015 03:08 PM Eastern Standard Time
To: Saxena, Samiksha; oisf-users at lists.openinfosecfoundation.org
Subject: RE: [Oisf-users] Can I run Suricata with AF_Packet inside container


That looks ok unless that is really not the name of your second interface.
 
Did you disable the offloading settings in your NICs using ethtool?
 
From: Saxena, Samiksha [mailto:samiksha.saxena at verizon.com]
Sent: Friday, June 19, 2015 1:15 PM
To: Leonard Jacobs; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Can I run Suricata with AF_Packet inside container
 
Here is my yaml file config:
# af-packet support
# Set threads to > 1 to use PACKET_FANOUT support
af-packet:
  - interface: em1
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: vethd56c973
    buffer-size: 64535
    use-mmap: yes
  - interface: vethd56c973
    threads: 1
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: em1
    buffer-size: 64535
    use-mmap: yes
 
From: Leonard Jacobs <ljacobs at netsecuris.com>
Date: Friday, June 19, 2015 at 2:11 PM
To: "Saxena, Samiksha" <samiksha.saxena at one.verizon.com>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: RE: [Oisf-users] Can I run Suricata with AF_Packet inside container
 
You can look it up by googling your processor type.
 
How many threads did you set in af-packet section of yaml?
 
From: Saxena, Samiksha [mailto:samiksha.saxena at verizon.com]
Sent: Friday, June 19, 2015 1:10 PM
To: Leonard Jacobs; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Can I run Suricata with AF_Packet inside container
 
I am not sure about it, how can I check this?
 
From: Leonard Jacobs <ljacobs at netsecuris.com>
Date: Friday, June 19, 2015 at 2:00 PM
To: "Saxena, Samiksha" <samiksha.saxena at one.verizon.com>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: RE: [Oisf-users] Can I run Suricata with AF_Packet inside container
 
Can your processor handle 38 packet processing threads?
 
From: Saxena, Samiksha [mailto:samiksha.saxena at verizon.com]
Sent: Friday, June 19, 2015 12:57 PM
To: Leonard Jacobs; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Can I run Suricata with AF_Packet inside container
 
Yes, I added the interface information in suricata.yaml.  This is what I am getting: 
 
root at blade6:/# suricata -c /etc/suricata/suricata.yaml --af-packet
19/6/2015 -- 15:07:45 - <Notice> - This is Suricata version 2.0.8 RELEASE
19/6/2015 -- 15:07:53 - <Notice> - all 38 packet processing threads, 3 management threads initialized, engine started.
19/6/2015 -- 15:07:53 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using mmap mode with GRO or LRO activated can lead to capture problems
19/6/2015 -- 15:07:53 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using mmap mode with GRO or LRO activated can lead to capture problems
^C19/6/2015 -- 15:08:27 - <Notice> - Signal Received.  Stopping engine.
19/6/2015 -- 15:08:27 - <Notice> - Stats for 'em1':  pkts: 1312, drop: 0 (0.00%), invalid chksum: 0
19/6/2015 -- 15:08:27 - <Notice> - Stats for 'vethd56c973':  pkts: 21, drop: 0 (0.00%), invalid chksum: 0
root at blade6:/# 
 
From: Leonard Jacobs <ljacobs at netsecuris.com>
Date: Friday, June 19, 2015 at 1:50 PM
To: "Saxena, Samiksha" <samiksha.saxena at one.verizon.com>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: RE: [Oisf-users] Can I run Suricata with AF_Packet inside container
 
Did you setup the interfaces within suricata.yaml in the af-packet section?  Set ips mode in that section?
 
See https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/.  It works.  We use it and it works great as long as your rules are set to drop as the action.
 
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Saxena, Samiksha
Sent: Friday, June 19, 2015 12:48 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Can I run Suricata with AF_Packet inside container
 
Hi,
 
I want to run Suricata with AF_packet mode inside a docker container. I am having trouble with configuring the interfaces. Also, I ran a simple rule of dropping every TCP request, but seems like nothing is dropped.
 
Thanks
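The thread turns on two checks that are easy to get wrong when wiring up af-packet IPS mode between a host NIC and a container veth: the two interfaces must be paired symmetrically (each one's copy-iface names the other, same thread count, distinct cluster-id), and GRO/LRO must be off on the capture NICs, which is exactly what the "Using mmap mode with GRO or LRO activated" warning is about. The script below is an added example, not code from Suricata or from anyone in the thread. It uses only the Python standard library: the YAML walker handles just the flat "- interface:" list shape posted above (not full YAML), and the ethtool -k output it parses is a constructed sample in ethtool's real output format, chosen to reproduce the thread's warning.

```python
"""Sanity checks for an af-packet IPS pairing and for NIC offload settings.

Added example (not Suricata's code, not from the thread). Standard library
only; the YAML walker below understands only the flat '- interface:' list
used in suricata.yaml's af-packet section, not arbitrary YAML.
"""
import re

# Copy of the af-packet section posted in the thread (constructed input).
AF_PACKET_YAML = """\
af-packet:
  - interface: em1
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: vethd56c973
    buffer-size: 64535
    use-mmap: yes
  - interface: vethd56c973
    threads: 1
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: em1
    buffer-size: 64535
    use-mmap: yes
"""


def parse_af_packet(text):
    """Return a list of {key: value} dicts, one per '- interface:' item."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "af-packet:":
            continue
        if line.startswith("- "):      # start of a new list item
            items.append({})
            line = line[2:]
        key, _, value = line.partition(":")
        if items:                      # ignore stray keys before the first item
            items[-1][key.strip()] = value.strip()
    return items


def check_ips_pairing(items):
    """Return a list of problems with the IPS copy-iface pairing (empty = OK).

    For copy-mode ips the peer must copy back to this interface, run the same
    number of threads, and use a different cluster-id.
    """
    by_name = {i.get("interface"): i for i in items}
    problems = []
    for iface, cfg in by_name.items():
        if cfg.get("copy-mode") != "ips":
            continue
        peer_name = cfg.get("copy-iface")
        peer = by_name.get(peer_name)
        if peer is None:
            problems.append(f"{iface}: copy-iface {peer_name!r} has no af-packet entry")
            continue
        if peer.get("copy-iface") != iface:
            problems.append(f"{iface}: {peer_name} does not copy back to {iface}")
        if peer.get("threads") != cfg.get("threads"):
            problems.append(f"{iface}: thread count differs from {peer_name}")
        if peer.get("cluster-id") == cfg.get("cluster-id"):
            problems.append(f"{iface}: shares cluster-id with {peer_name}")
    return problems


# Constructed sample of `ethtool -k em1` output (real ethtool line format;
# GRO left on so the check fires, as in the warning seen in the thread).
ETHTOOL_K_OUTPUT = """\
Features for em1:
rx-checksumming: on
tx-checksumming: on
generic-receive-offload: on
large-receive-offload: off [fixed]
"""

# ethtool -k feature name -> ethtool -K short name
OFFLOADS = {"generic-receive-offload": "gro", "large-receive-offload": "lro"}


def offloads_still_on(ethtool_output):
    """Return the ethtool -K short names (gro/lro) that are still enabled."""
    enabled = []
    for line in ethtool_output.splitlines():
        m = re.match(r"^(\S+): (on|off)", line)
        if m and m.group(1) in OFFLOADS and m.group(2) == "on":
            enabled.append(OFFLOADS[m.group(1)])
    return enabled


def disable_command(iface, enabled):
    """Build the `ethtool -K` command that turns the listed offloads off."""
    if not enabled:
        return None
    return f"ethtool -K {iface} " + " ".join(f"{f} off" for f in enabled)


if __name__ == "__main__":
    for p in check_ips_pairing(parse_af_packet(AF_PACKET_YAML)) or ["pairing OK"]:
        print(p)
    on = offloads_still_on(ETHTOOL_K_OUTPUT)
    print(disable_command("em1", on) or "em1: GRO/LRO already off")
```

On the posted config the pairing check comes back clean; the offload check turns the sample ethtool output into `ethtool -K em1 gro off lro off`-style commands, which is the step Leonard is asking about. Run the same check against the veth side inside the container as well, since offloads are per interface. Whether Suricata actually drops anything is then a matter of the rules' action being `drop`, which the config above does not cover.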