[Oisf-users] suricata vlan log - onionsecurity is ok, selks ko

john nesh john.nesh76 at gmail.com
Mon Mar 2 10:04:47 UTC 2015


Hi Peter,

suricata --dump-config |grep vlan
vlan = (null)
vlan.use-for-tracking = true

after using suricata this way:
suricata -c /etc/suricata/suricata.yaml -s /etc/suricata/rules/scirius.rules -r capture.pcap --runmode autofp

I normally use the workers runmode, but pcap file mode needs autofp.

grep vlan /var/log/suricata/stats.log | tail -10

decoder.vlan              | AFPacketeth01             | 0
decoder.vlan_qinq         | AFPacketeth01             | 0
decoder.vlan              | AFPacketeth11             | 0
decoder.vlan_qinq         | AFPacketeth11             | 0
decoder.vlan              | AFPacketeth01             | 0
decoder.vlan_qinq         | AFPacketeth01             | 0
decoder.vlan              | AFPacketeth11             | 0
decoder.vlan_qinq         | AFPacketeth11             | 0
decoder.vlan              | ReceivePcapFile           | 32519
decoder.vlan_qinq         | ReceivePcapFile           | 0

Seems to be working in file mode.

Thank you for your support

John

2015-03-01 16:30 GMT+01:00 Peter Manev <petermanev at gmail.com>:

> On Fri, Feb 27, 2015 at 3:40 PM, john nesh <john.nesh76 at gmail.com> wrote:
> > Seems not:
> > grep vlan stats.log | tail -10
> > decoder.vlan              | AFPacketeth11             | 0
> > decoder.vlan_qinq         | AFPacketeth11             | 0
> > decoder.vlan              | AFPacketeth01             | 0
> > decoder.vlan_qinq         | AFPacketeth01             | 0
> > decoder.vlan              | AFPacketeth11             | 0
> > decoder.vlan_qinq         | AFPacketeth11             | 0
> > decoder.vlan              | AFPacketeth01             | 0
> > decoder.vlan_qinq         | AFPacketeth01             | 0
> > decoder.vlan              | AFPacketeth11             | 0
> > decoder.vlan_qinq         | AFPacketeth11             | 0
> >
>
> Interesting... Suricata does not see any vlans.
>
> > and:
> > suricata --dump-counters | grep vlan
> > suricata: unrecognized option '--dump-counters'
>
> I wrote the command wrong, sorry:
> suricata --dump-config |grep vlan
>
>
> >
> > in tcpdump I do see:
> > 802.1q Virtual LAN, PRI:0, CFI: 0, ID: 503
> > 802.1q Virtual LAN, PRI:0, CFI: 0, ID: 241
>
> If you run a pcap from the tcpdump through suricata (-r) - would you
> see the vlan counters in stats.log increasing (and that reflected in
> the eve.json)?
> I tried to replicate your problem - unsuccessfully however.
>
> Thank you
>
> >
> > I do see:
> > ethtool -k eth1
> > Features for eth1:
> > rx-checksumming: off
> > tx-checksumming: off
> >         tx-checksum-ipv4: off
> >         tx-checksum-unneeded: off [fixed]
> >         tx-checksum-ip-generic: off [fixed]
> >         tx-checksum-ipv6: off
> >         tx-checksum-fcoe-crc: off [fixed]
> >         tx-checksum-sctp: off [fixed]
> > scatter-gather: off
> >         tx-scatter-gather: off
> >         tx-scatter-gather-fraglist: off [fixed]
> > tcp-segmentation-offload: off
> >         tx-tcp-segmentation: off
> >         tx-tcp-ecn-segmentation: off
> >         tx-tcp6-segmentation: off
> > udp-fragmentation-offload: off [fixed]
> > generic-segmentation-offload: off
> > generic-receive-offload: off
> > large-receive-offload: off [fixed]
> > rx-vlan-offload: off
> > tx-vlan-offload: off
> > ntuple-filters: off [fixed]
> > receive-hashing: off [fixed]
> > highdma: on
> > rx-vlan-filter: off [fixed]
> > vlan-challenged: off [fixed]
> > tx-lockless: off [fixed]
> > netns-local: off [fixed]
> > tx-gso-robust: off [fixed]
> > tx-fcoe-segmentation: off [fixed]
> > fcoe-mtu: off [fixed]
> > tx-nocache-copy: on
> > loopback: off [fixed]
> >
> > In suricata.yaml:
> > vlan:
> >   use-for-tracking: true
> >
> >
> > 2015-02-27 10:46 GMT+01:00 Peter Manev <petermanev at gmail.com>:
> >>
> >> On Fri, Feb 27, 2015 at 9:11 AM, john nesh <john.nesh76 at gmail.com> wrote:
> >> > Nope, I think that this is the issue.
> >> > What could I share in order to get troubleshooting faster?
> >>
> >> Can you try to see(just to confirm) if there are any vlan counters in
> >> the stats.log (something like..)
> >> grep vlan stats.log | tail -10
> >>
> >> Then could you do
> >> suricata --dump-counters |grep vlan
> >>
> >>
> >> Thanks
> >>
> >> >
> >> > 2015-02-26 23:37 GMT+01:00 Peter Manev <petermanev at gmail.com>:
> >> >>
> >> >> On Thu, Feb 26, 2015 at 10:51 PM, john nesh <john.nesh76 at gmail.com> wrote:
> >> >> > Seems not working also in this way.
> >> >> > Is there anything else I could check?
> >> >>
> >> >> Do you have vlan IDs in eve.json ?
> >> >>
> >> >> >
> >> >> > 2015-02-26 21:53 GMT+01:00 Peter Manev <petermanev at gmail.com>:
> >> >> >>
> >> >> >> On Thu, Feb 26, 2015 at 9:43 PM, john nesh <john.nesh76 at gmail.com> wrote:
> >> >> >> > You are right,
> >> >> >> >
> >> >> >> > rx-vlan-offload: on
> >> >> >> > tx-vlan-offload: on
> >> >> >> >
> >> >> >> > Do I have to disable it?
> >> >> >>
> >> >> >> Just run that -
> >> >> >> /opt/selks/Scripts/Setup/reconfigure-listening-interface_stamus.sh
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> >
> >> >> >> > 2015-02-26 21:04 GMT+01:00 Peter Manev <petermanev at gmail.com>:
> >> >> >> >>
> >> >> >> >> On Thu, Feb 26, 2015 at 8:18 PM, john nesh <john.nesh76 at gmail.com> wrote:
> >> >> >> >> > Hi,
> >> >> >> >> >
> >> >> >> >> > I am facing a different behaviour regarding vlans in logs.
> >> >> >> >> > I made an installation of securityonion and vlan log in eve.json
> >> >> >> >> > worked flawlessly but not in selks.
> >> >> >> >> > I have read that vlan behaviour had changed in 2.1
> >> >> >> >> >
> >> >> >> >> > in my suricata.yaml I have:
> >> >> >> >> >
> >> >> >> >> >  vlan:
> >> >> >> >> >    use-for-tracking: true
> >> >> >> >> >
> >> >> >> >> > But I have no log in eve.json.
> >> >> >> >> > Is this an expected behaviour?
> >> >> >> >>
> >> >> >> >> You might have vlan offloading enabled on your NIC - if that is
> >> >> >> >> the case you would need to disable it.
> >> >> >> >> (ethtool -k interface - will show the status)
> >> >> >> >>
> >> >> >> >> >
> >> >> >> >> > John
> >> >> >> >> >
> >> >> >> >> > _______________________________________________
> >> >> >> >> > Suricata IDS Users mailing list:
> >> >> >> >> > oisf-users at openinfosecfoundation.org
> >> >> >> >> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> >> >> >> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> >> >> >> > Training now available: http://suricata-ids.org/training/
> >> >> >> >>
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> --
> >> >> >> >> Regards,
> >> >> >> >> Peter Manev
> >> >> >> >
> >> >> >> >
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> Regards,
> >> >> >> Peter Manev
> >> >> >
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Regards,
> >> >> Peter Manev
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Peter Manev
> >
> >
>
>
>
> --
> Regards,
> Peter Manev
>
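The three checks the thread runs by hand (ethtool -k for VLAN offload, grep vlan stats.log for the decoder.vlan counters per capture thread, and the vlan field in eve.json) collected into one offline script. This is an added example, not code from the thread, from SELKS or from Suricata. The ethtool output, stats.log rows and eve.json records it parses are constructed to mirror what John posted; the list of features that must be off on a sniffing interface, and the handling of both the single-integer and the list form of the eve.json vlan field, are my assumptions about the formats involved.

```python
"""Offline helpers for the three checks the thread walks through when
Suricata logs no VLAN IDs: NIC VLAN offload in `ethtool -k`, the
decoder.vlan counters per capture thread in stats.log, and the vlan
field in eve.json records. Added example, not code from the thread or
from Suricata; every sample input below is constructed."""
import json
import re
from collections import Counter, defaultdict

# Offload features that should be "off" on a sniffing interface (assumed
# list): with them on, the NIC or kernel rewrites frames (strips 802.1Q
# tags, coalesces segments) before Suricata's decoder sees them.
MUST_BE_OFF = {
    "rx-vlan-offload", "tx-vlan-offload",
    "generic-receive-offload", "large-receive-offload",
    "tcp-segmentation-offload", "generic-segmentation-offload",
}

FEATURE_RE = re.compile(r"^\s*([\w-]+):\s+(on|off)(\s+\[fixed\])?")


def offloads_to_disable(ethtool_k_output):
    """Parse `ethtool -k <iface>` text. Return {feature: is_fixed} for every
    MUST_BE_OFF feature currently 'on'; '[fixed]' means ethtool -K cannot
    change it on this driver."""
    found = {}
    for line in ethtool_k_output.splitlines():
        m = FEATURE_RE.match(line)
        if m and m.group(1) in MUST_BE_OFF and m.group(2) == "on":
            found[m.group(1)] = bool(m.group(3))
    return found


def ethtool_fix_commands(iface, ethtool_k_output):
    """The `ethtool -K` commands that turn the offending features off,
    skipping [fixed] ones (those need a different NIC or driver)."""
    return ["ethtool -K %s %s off" % (iface, feat)
            for feat, fixed in sorted(offloads_to_disable(ethtool_k_output).items())
            if not fixed]


def vlan_counters(stats_log):
    """Latest decoder.vlan / decoder.vlan_qinq value per thread from a
    Suricata 2.x stats.log ('counter | TM name | value' rows). The file is
    appended to every interval, so the last row for a thread wins."""
    per_thread = defaultdict(dict)
    for line in stats_log.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[0] in ("decoder.vlan", "decoder.vlan_qinq"):
            per_thread[parts[1]][parts[0]] = int(parts[2])
    return dict(per_thread)


def threads_without_vlan(stats_log):
    """Capture threads whose decoder.vlan is still 0. When tcpdump on the
    same interface shows 802.1Q headers, a zero here means the tags were
    removed before Suricata saw the frame, which is what VLAN offload does."""
    return sorted(t for t, c in vlan_counters(stats_log).items()
                  if c.get("decoder.vlan", 0) == 0)


def eve_vlan_ids(eve_json):
    """Count eve.json records per VLAN id. Some Suricata versions write
    "vlan" as one integer, others as a list with the outer tag first;
    records with no "vlan" key are counted as 'untagged'."""
    counts = Counter()
    for line in eve_json.splitlines():
        if not line.strip():
            continue
        tag = json.loads(line).get("vlan")
        if isinstance(tag, list):
            tag = tag[0] if tag else None
        counts["untagged" if tag is None else tag] += 1
    return dict(counts)


# ---- constructed samples (not captured from the poster's sensor) ----
SAMPLE_ETHTOOL = """Features for eth1:
rx-checksumming: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
rx-vlan-filter: off [fixed]
"""

SAMPLE_STATS = """\
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.vlan              | AFPacketeth01             | 0
decoder.vlan_qinq         | AFPacketeth01             | 0
decoder.vlan              | AFPacketeth11             | 0
decoder.vlan_qinq         | AFPacketeth11             | 0
decoder.vlan              | ReceivePcapFile           | 32519
decoder.vlan_qinq         | ReceivePcapFile           | 0
"""

SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "flow", "vlan": 503, "src_ip": "10.0.0.5"}),
    json.dumps({"event_type": "alert", "vlan": [503], "src_ip": "10.0.0.7"}),
    json.dumps({"event_type": "flow", "vlan": [241, 100], "src_ip": "10.0.1.2"}),
    json.dumps({"event_type": "flow", "src_ip": "10.0.2.3"}),
])

if __name__ == "__main__":
    for cmd in ethtool_fix_commands("eth1", SAMPLE_ETHTOOL):
        print(cmd)
    print("threads with decoder.vlan == 0:", threads_without_vlan(SAMPLE_STATS))
    print("eve.json records per VLAN id:", eve_vlan_ids(SAMPLE_EVE))
```

Run as-is it prints the `ethtool -K` commands for the sample interface, the capture threads whose decoder.vlan counter is zero, and the per-VLAN record counts; on a real sensor, feed it the output of `ethtool -k eth1` and the current stats.log and eve.json instead. The diagnostic the thread arrives at is the comparison between threads: the decoder counts 32519 tagged frames on ReceivePcapFile but none on the AFPacket threads, so the tags are being removed on the live capture path, which is exactly what VLAN offload does, and turning it off on the sniffing interface is the step Peter points John to.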