[Oisf-users] suricata vlan log - onionsecurity is ok, selks ko

Peter Manev petermanev at gmail.com
Mon Mar 2 10:20:20 UTC 2015 

On Mon, Mar 2, 2015 at 11:04 AM, john nesh <john.nesh76 at gmail.com> wrote:
> Hi Peter,
>
> suricata --dump-config |grep vlan
> vlan = (null)
> vlan.use-for-tracking = true
>
> after using suricata this way:
> suricata -c /etc/suricata/suricata.yaml -s /etc/suricata/rules/scirius.rules
> -r capture.pcap --runmode autofp
>
> I do normally use workers for runmode but for file pcap needs autofp.
>
> grep vlan /var/log/suricata/stats.log | tail -10
>
> decoder.vlan              | AFPacketeth01             | 0
> decoder.vlan_qinq         | AFPacketeth01             | 0
> decoder.vlan              | AFPacketeth11             | 0
> decoder.vlan_qinq         | AFPacketeth11             | 0
> decoder.vlan              | AFPacketeth01             | 0
> decoder.vlan_qinq         | AFPacketeth01             | 0
> decoder.vlan              | AFPacketeth11             | 0
> decoder.vlan_qinq         | AFPacketeth11             | 0
> decoder.vlan              | ReceivePcapFile           | 32519
> decoder.vlan_qinq         | ReceivePcapFile           | 0
>
> seems working for filemode.
>
> Thank you for your support

Would it be possible for you to share privately a pcap where i would
be able to reproduce the issue (it might be suri 2.1beta3 related
only).

Thank you

>
> John
>
>
> 2015-03-01 16:30 GMT+01:00 Peter Manev <petermanev at gmail.com>:
>>
>> On Fri, Feb 27, 2015 at 3:40 PM, john nesh <john.nesh76 at gmail.com> wrote:
>> > Seems not:
>> > grep vlan stats.log | tail -10
>> > decoder.vlan              | AFPacketeth11             | 0
>> > decoder.vlan_qinq         | AFPacketeth11             | 0
>> > decoder.vlan              | AFPacketeth01             | 0
>> > decoder.vlan_qinq         | AFPacketeth01             | 0
>> > decoder.vlan              | AFPacketeth11             | 0
>> > decoder.vlan_qinq         | AFPacketeth11             | 0
>> > decoder.vlan              | AFPacketeth01             | 0
>> > decoder.vlan_qinq         | AFPacketeth01             | 0
>> > decoder.vlan              | AFPacketeth11             | 0
>> > decoder.vlan_qinq         | AFPacketeth11             | 0
>> >
>>
>> interesting....Suricata does not see any vlans
>>
>> > and:
>> > suricata --dump-counters | grep vlan
>> > suricata: unrecognized option '--dump-counters'
>>
>> I wrote the command wrong, sorry:
>> suricata --dump-config |grep vlan
>>
>>
>> >
>> > in tcpdump I do see:
>> > 802.1q Virtual LAN, PRI:0, CFI: 0, ID: 503
>> > 802.1q Virtual LAN, PRI:0, CFI: 0, ID: 241
>>
>> If you run a pcap from the tcpdump through suricata (-r) - would you
>> see the vlan counters in stats.log increasing (and that reflected in
>> the eve.json)?
>> I tried to replicate your problem - unsuccessfully however.
>>
>> Thank you
>>
>> >
>> > I do see:
>> > ethtool -k eth1
>> > Features for eth1:
>> > rx-checksumming: off
>> > tx-checksumming: off
>> >         tx-checksum-ipv4: off
>> >         tx-checksum-unneeded: off [fixed]
>> >         tx-checksum-ip-generic: off [fixed]
>> >         tx-checksum-ipv6: off
>> >         tx-checksum-fcoe-crc: off [fixed]
>> >         tx-checksum-sctp: off [fixed]
>> > scatter-gather: off
>> >         tx-scatter-gather: off
>> >         tx-scatter-gather-fraglist: off [fixed]
>> > tcp-segmentation-offload: off
>> >         tx-tcp-segmentation: off
>> >         tx-tcp-ecn-segmentation: off
>> >         tx-tcp6-segmentation: off
>> > udp-fragmentation-offload: off [fixed]
>> > generic-segmentation-offload: off
>> > generic-receive-offload: off
>> > large-receive-offload: off [fixed]
>> > rx-vlan-offload: off
>> > tx-vlan-offload: off
>> > ntuple-filters: off [fixed]
>> > receive-hashing: off [fixed]
>> > highdma: on
>> > rx-vlan-filter: off [fixed]
>> > vlan-challenged: off [fixed]
>> > tx-lockless: off [fixed]
>> > netns-local: off [fixed]
>> > tx-gso-robust: off [fixed]
>> > tx-fcoe-segmentation: off [fixed]
>> > fcoe-mtu: off [fixed]
>> > tx-nocache-copy: on
>> > loopback: off [fixed]
>> >
>> > In suricata.yaml:
>> > vlan:
>> >   use-for-tracking: true
>> >
>> >
>> > 2015-02-27 10:46 GMT+01:00 Peter Manev <petermanev at gmail.com>:
>> >>
>> >> On Fri, Feb 27, 2015 at 9:11 AM, john nesh <john.nesh76 at gmail.com>
>> >> wrote:
>> >> > Nope, I think that this is the issue.
>> >> > What could I share in order to get troubleshooting faster?
>> >>
>> >> Can you try to see(just to confirm) if there are any vlan counters in
>> >> the stats.log (something like..)
>> >> grep vlan stats.log | tail -10
>> >>
>> >> Then could you do
>> >> suricata --dump-counters |grep vlan
>> >>
>> >>
>> >> Thanks
>> >>
>> >> >
>> >> > 2015-02-26 23:37 GMT+01:00 Peter Manev <petermanev at gmail.com>:
>> >> >>
>> >> >> On Thu, Feb 26, 2015 at 10:51 PM, john nesh <john.nesh76 at gmail.com>
>> >> >> wrote:
>> >> >> > Seems not working also in this way.
>> >> >> > Is there anything else I could check?
>> >> >>
>> >> >> Do you have vlan IDs in eve.json ?
>> >> >>
>> >> >> >
>> >> >> > 2015-02-26 21:53 GMT+01:00 Peter Manev <petermanev at gmail.com>:
>> >> >> >>
>> >> >> >> On Thu, Feb 26, 2015 at 9:43 PM, john nesh
>> >> >> >> <john.nesh76 at gmail.com>
>> >> >> >> wrote:
>> >> >> >> > You are right,
>> >> >> >> >
>> >> >> >> > rx-vlan-offload: on
>> >> >> >> > tx-vlan-offload: on
>> >> >> >> >
>> >> >> >> > Do I have to disable it?
>> >> >> >>
>> >> >> >> Just run that -
>> >> >> >>
>> >> >> >> /opt/selks/Scripts/Setup/reconfigure-listening-interface_stamus.sh
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >> >
>> >> >> >> > 2015-02-26 21:04 GMT+01:00 Peter Manev <petermanev at gmail.com>:
>> >> >> >> >>
>> >> >> >> >> On Thu, Feb 26, 2015 at 8:18 PM, john nesh
>> >> >> >> >> <john.nesh76 at gmail.com>
>> >> >> >> >> wrote:
>> >> >> >> >> > Hi,
>> >> >> >> >> >
>> >> >> >> >> > I am facing a different behaviour regarding vlans in logs.
>> >> >> >> >> > I made an installation of securityonion and vlan worked log
>> >> >> >> >> > in
>> >> >> >> >> > eve.json
>> >> >> >> >> > worked flawlessy but not in selks.
>> >> >> >> >> > I have read that vlan behaviour had changed in 2.1
>> >> >> >> >> >
>> >> >> >> >> > in my suricata.yaml I have:
>> >> >> >> >> >
>> >> >> >> >> >  vlan:
>> >> >> >> >> >    use-for-tracking: true
>> >> >> >> >> >
>> >> >> >> >> > But I have no log in eve.json.
>> >> >> >> >> > Is this an expected behaviour?
>> >> >> >> >>
>> >> >> >> >> You might have vlan offloading enabled on your NIC - if that
>> >> >> >> >> is
>> >> >> >> >> the
>> >> >> >> >> case you would need to disable it.
>> >> >> >> >> (ethtool -k interface - will show the status)
>> >> >> >> >>
>> >> >> >> >> >
>> >> >> >> >> > John
>> >> >> >> >> >
>> >> >> >> >> > _______________________________________________
>> >> >> >> >> > Suricata IDS Users mailing list:
>> >> >> >> >> > oisf-users at openinfosecfoundation.org
>> >> >> >> >> > Site: http://suricata-ids.org | Support:
>> >> >> >> >> > http://suricata-ids.org/support/
>> >> >> >> >> > List:
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >> >> >> >> > Training now available: http://suricata-ids.org/training/
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> --
>> >> >> >> >> Regards,
>> >> >> >> >> Peter Manev
>> >> >> >> >
>> >> >> >> >
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >> --
>> >> >> >> Regards,
>> >> >> >> Peter Manev
>> >> >> >
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Regards,
>> >> >> Peter Manev
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Regards,
>> >> Peter Manev
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list