[Oisf-users] Using Suricata with OpenBSD HA Firewalls
C. L. Martinez
carlopmart at gmail.com
Mon Nov 28 10:50:23 UTC 2016
Hi all,
I have installed the Suricata 3.1.3 release on a pair of OpenBSD CARP'ed firewalls (for HA availability). My idea is to sniff/monitor only internal connections, but I have a doubt about which interface I need to configure for Suricata. My first test was to sniff/monitor the physical interface, running Suricata with the -i switch, but I received a lot of alerts like these:
11/23/2016-15:43:31.527739 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.109:587 -> 172.22.55.1:41040
11/23/2016-15:43:31.527767 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.108:587 -> 172.22.55.1:38884
11/23/2016-15:43:31.563236 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.109:587 -> 172.22.55.1:41044
11/23/2016-15:43:41.353930 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.109:587 -> 172.22.55.1:41048
11/23/2016-15:43:41.353952 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.109:587 -> 172.22.55.1:41046
... which is certainly true, because these OpenBSD firewalls are configured to balance traffic. Changing to use the carp interfaces, no alert is triggered but Suricata sees packets:
28/11/2016 -- 08:08:34 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
28/11/2016 -- 10:19:29 - <Notice> - Signal Received. Stopping engine.
28/11/2016 -- 10:19:30 - <Info> - time elapsed 7855.809s
28/11/2016 -- 10:19:31 - <Info> - (W#01-carp0) Packets 55962, bytes 6297178
28/11/2016 -- 10:19:31 - <Info> - (W#01-carp0) Pcap Total:55962 Recv:55962 Drop:0 (0.0%).
28/11/2016 -- 10:19:31 - <Info> - (W#01-carp3) Packets 2, bytes 84
28/11/2016 -- 10:19:31 - <Info> - (W#01-carp3) Pcap Total:2 Recv:2 Drop:0 (0.0%).
28/11/2016 -- 10:19:31 - <Info> - (W#01-carp5) Packets 2, bytes 84
28/11/2016 -- 10:19:31 - <Info> - (W#01-carp5) Pcap Total:2 Recv:2 Drop:0 (0.0%).
28/11/2016 -- 10:19:31 - <Info> - cleaning up signature grouping structure... complete
28/11/2016 -- 10:19:31 - <Notice> - Stats for 'carp0': pkts: 55962, drop: 0 (0.00%), invalid chksum: 0
28/11/2016 -- 10:19:31 - <Notice> - Stats for 'carp3': pkts: 2, drop: 0 (0.00%), invalid chksum: 0
28/11/2016 -- 10:19:31 - <Notice> - Stats for 'carp5': pkts: 2, drop: 0 (0.00%), invalid chksum: 0
Having arrived at this point, I am not sure which interface I need to configure under Suricata. Any idea or tip?
Thanks
--
Greetings,
C. L. Martinez
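As an added example (not from the post and not Suricata's own code), a small Python parser for the fast.log alerts and the shutdown stats quoted above: it reports what share of alerts are the built-in one-direction event (sid 2260002) and maps each capture interface to its packet and drop counts, which is a quick way to check whether a candidate capture interface sees both sides of the flows. The sample lines are copied from the post; the regexes and function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: fast.log alerts and shutdown stats lines copied from the
# post above (alerts trimmed to three lines).
FAST_LOG = """\
11/23/2016-15:43:31.527739 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.109:587 -> 172.22.55.1:41040
11/23/2016-15:43:31.527767 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.108:587 -> 172.22.55.1:38884
11/23/2016-15:43:41.353930 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.109:587 -> 172.22.55.1:41048
"""
STATS_LOG = """\
28/11/2016 -- 10:19:31 - <Notice> - Stats for 'carp0': pkts: 55962, drop: 0 (0.00%), invalid chksum: 0
28/11/2016 -- 10:19:31 - <Notice> - Stats for 'carp3': pkts: 2, drop: 0 (0.00%), invalid chksum: 0
28/11/2016 -- 10:19:31 - <Notice> - Stats for 'carp5': pkts: 2, drop: 0 (0.00%), invalid chksum: 0
"""

# sid 2260002 is Suricata's "Applayer Detect protocol only one direction"
# event: the engine saw only one side of a flow, the symptom of asymmetric
# capture on load-balanced firewalls.
ONE_DIRECTION_SID = 2260002

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)
STATS_RE = re.compile(r"Stats for '(?P<iface>\S+)': pkts: (?P<pkts>\d+), drop: (?P<drop>\d+)")


def parse_fast_log(text):
    """Return one dict per fast.log alert line; lines that do not parse are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("gid", "sid", "rev", "sport", "dport"):
                d[k] = int(d[k])
            alerts.append(d)
    return alerts


def asymmetry_report(alerts):
    """Share of alerts that are one-direction events, plus the remote peers involved."""
    one_dir = [a for a in alerts if a["sid"] == ONE_DIRECTION_SID]
    peers = Counter((a["src"], a["sport"]) for a in one_dir)
    ratio = len(one_dir) / len(alerts) if alerts else 0.0
    return {"total": len(alerts), "one_direction": len(one_dir), "ratio": ratio, "peers": peers}


def parse_iface_stats(text):
    """Map each capture interface to (packets, drops) from the shutdown stats lines."""
    return {m["iface"]: (int(m["pkts"]), int(m["drop"])) for m in STATS_RE.finditer(text)}
```

A ratio near 1.0 on a physical interface, against a carp interface that counts packets but raises no alerts, is the pattern the post describes.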