[Oisf-users] suricata inline

mostafa ammar mostafaammar79 at gmail.com
Sat Oct 22 13:46:21 UTC 2016


Dear All,

I adjusted suricata.yaml with the below configuration for eth2 and eth3 and
am using the command
sudo suricata -c ~/suricata-3.1/suricata.yaml --af-packet
Ping is working but all other protocols are dropped; does anyone have an idea
what could cause such an issue?
I am having the same issue with Snort being inline for traffic: only ping
is passing and all other types of traffic are dropped.

  - interface: eth2
    threads: 32
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth3
    buffer-size: 64535
    use-mmap: yes
  - interface: eth3
    threads: 32
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth2
    buffer-size: 64535
    use-mmap: yes


On Sat, Oct 22, 2016 at 11:15 AM, mostafa ammar <mostafaammar79 at gmail.com>
wrote:

> Dear All,
>
> I installed Suricata as a VM on a XenServer hypervisor to work as an inline IPS
> between VMs. I added 3 interfaces to the VM: one management and 2 sensing
> interfaces, one in VLAN 9 and another in VLAN 10 (interfaces eth2, eth3).
>
> I installed Suricata with NFQUEUE support, and when running with
>  sudo suricata -c /home/ubuntu/suricata-3.1/suricata.yaml -q 0
> it runs successfully.
> I added the following to /etc/network/interfaces
>
> auto eth2
> iface eth2 inet manual
>     up ifconfig eth2 0.0.0.0 up
>     up ip link set eth2 promisc on
>     post-up ethtool -K eth2 gro off
>     post-up ethtool -K eth2 lro off
>     down ip link set eth2 promisc off
>     down ifconfig eth2 down
>
> # Second Bridged Interface
> auto eth3
> iface eth3 inet manual
>     up ifconfig eth3 0.0.0.0 up
>     up ip link set eth3 promisc on
>     post-up ethtool -K eth3 gro off
>     post-up ethtool -K eth3 lro off
>     down ip link set eth3 promisc off
>     down ifconfig eth3 down
>
> and this is a snapshot of iptables
> ubuntu at ubuntu-HVM-domU:~$ sudo iptables -vnL
> Chain INPUT (policy ACCEPT 16525 packets, 15M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 NFQUEUE    all  --  eth3   eth2    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>     0     0 NFQUEUE    all  --  eth2   eth3    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>
>
> Now I added 2 VMs, one in VLAN 9 and another in VLAN 10, but ping is not
> working and I see no packets at eth3 with Wireshark.
>
> Any help with that?
>
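An added example, not code from the thread or from the Suricata project: a POSIX sh audit of NIC offloads on the sensing interfaces. The interfaces stanza quoted above turns off only gro and lro; this script reads `ethtool -k` output, flags the other offloads an inline af-packet interface should have off as well (tso, gso, rx/tx checksumming, scatter-gather) and prints the matching `ethtool -K` commands. The feature and flag names are ethtool's own; the sample output used for the self-check is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit NIC offloads on the af-packet
# IPS interface pair. The post turns off only gro/lro; segmentation and
# checksum offloads can also hand Suricata oversized or checksum-less
# frames that it cannot re-inject through copy-iface.
set -f   # no globbing: ethtool prints "[fixed]", which is a glob pattern

# Map an `ethtool -k` feature name to its `ethtool -K` short flag.
short_flag() {
    case "$1" in
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
        tcp-segmentation-offload)     echo tso ;;
        generic-segmentation-offload) echo gso ;;
        rx-checksumming)              echo rx ;;
        tx-checksumming)              echo tx ;;
        scatter-gather)               echo sg ;;
        *) return 1 ;;
    esac
}

# offloads_on: read `ethtool -k <iface>` output on stdin and print every
# watched top-level feature that is still enabled, as "<feature>: on".
offloads_on() {
    while IFS= read -r line; do
        case "$line" in
            "	"*|" "*|*:) continue ;;   # sub-features and the header line
        esac
        feature=${line%%:*}
        set -- ${line#*:}             # first word of the state: on / off
        if short_flag "$feature" >/dev/null && [ "${1:-}" = on ]; then
            printf '%s: on\n' "$feature"
        fi
    done
}

# fix_cmds: turn each "<feature>: on" line on stdin into the ethtool -K
# command that disables it on interface $1 (same form the post uses).
fix_cmds() {
    while IFS= read -r line; do
        printf 'ethtool -K %s %s off\n' "$1" "$(short_flag "${line%%:*}")"
    done
}

# With interfaces as arguments, audit the live NICs: sh audit.sh eth2 eth3
for iface in "$@"; do
    echo "== $iface"
    ethtool -k "$iface" | offloads_on | fix_cmds "$iface"
done
```

Run it on both sensing interfaces; an empty report for each is the state an af-packet copy-mode pair should be in before looking elsewhere for dropped traffic.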