[Oisf-users] suricata inline

mostafa ammar mostafaammar79 at gmail.com
Sun Oct 23 19:08:48 UTC 2016


Dear Chris,

Thanks a lot for your reply. Yes, correctly, I want to make a single broadcast
domain through the IPS machine, so that all traffic is forced to pass through
the IPS machine to reach its destination.

I tried all your configuration; unfortunately it did not work.

Currently, when capturing on the IPS machine, I see that traffic is not moving from
one interface to the other; however, all configuration is as stated. Any
trials suggested?

On Sun, Oct 23, 2016 at 3:39 AM, Chris Boley <ilgtech75 at gmail.com> wrote:

> I set up an IPS VM inline some time ago, but it was a little different
> than what you're attempting.
>
> You're trying to create a broadcast domain between vlan 9 and vlan 10
> which would otherwise be logically separated.
>
> I'll suggest this:
>
> iptables rules on your IPS VM:
>
> iptables -A FORWARD -j NFQUEUE
>
> iptables -I INPUT -i lo -j ACCEPT
> iptables -I INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -j NFQUEUE
>
>
> SYSCTL...on your IPS VM
>
> root at suricata:/home/ipsadmin# sysctl -a | grep net.bridge
>
> >>>>  net.bridge.bridge-nf-filter-vlan-tagged = 1
>
>  << your vswitch might be doing something really strange with traffic
> going back and forth to your virtual interfaces. Your traffic might have
> problems being properly read as it's crossing through the xenserver
> vswitch. I can't speak for how the vswitch handles that. The
> net.bridge.bridge-nf-filter-vlan-tagged = 1 setting allows the bridge to
> strip vlan tags and send to iptables without the vlan tag. Then the traffic
> can be read by netfilter (NFQUEUE) and pushed into suricata for inspection.
> If you are, for example, scanning over a dot1q link, like a "trunk" between
> cisco switches, the IPS won't work unless you're making that sysctl change.
> It just can't see the vlan tagged traffic.
>
> Make sure to go ahead and try moving that setting to a "1"; by default it
> is a "0". It won't bother any of the other functionality of your VM anyway.
>
> A very simple test interfaces file inside your IPS VM:
>
> auto lo
> iface lo inet loopback
>
> auto eth0
> iface eth0 inet static
>         address x.x.x.x
>         netmask x.x.x.x
>         gateway x.x.x.x
>
> auto eth2
> iface eth2 inet manual
>    post-up ifconfig $IFACE up
>    pre-down ifconfig $IFACE down
>
> auto eth3
> iface eth3 inet manual
>    post-up ifconfig $IFACE up
>    pre-down ifconfig $IFACE down
>
>
> auto br0
> iface br0 inet static
>         address 0.0.0.0
>         netmask 255.255.255.255
>         bridge_ports eth2 eth3
>         bridge_stp off
>         post-down brctl delbr br0
>
> Then:
> A simple test suricata startup, without all the interface copy stuff you
> had in there before:
> sudo suricata -q 0 -c /etc/suricata/suricata.yaml
>
> I might be wrong but I think this will get you really close to allowing
> those two devices to pass traffic over the virtual linux bridge on that VM.
>
> I realize it's not the interface copy method. Apologies, I only desire to
> offer what I actually do understand to help you with a solution.
>
>
>
> On Sat, Oct 22, 2016 at 9:46 AM, mostafa ammar <mostafaammar79 at gmail.com>
> wrote:
>
>> Dear All,
>>
>> I adjusted suricata.yaml with the below configuration for eth2 and eth3
>> and am using the command
>> sudo suricata -c ~/suricata-3.1/suricata.yaml --af-packet . Ping is
>> working but all other protocols are dropped. Does anyone have an idea what
>> such an issue could be?
>> I am having the same issue with snort being inline for traffic: only
>> ping is passing and all other types of traffic are dropped.
>>
>>   - interface: eth2
>>     threads: 32
>>     defrag: yes
>>     cluster-type: cluster_flow
>>     cluster-id: 98
>>     copy-mode: ips
>>     copy-iface: eth3
>>     buffer-size: 64535
>>     use-mmap: yes
>>   - interface: eth3
>>     threads: 32
>>     cluster-id: 97
>>     defrag: yes
>>     cluster-type: cluster_flow
>>     copy-mode: ips
>>     copy-iface: eth2
>>     buffer-size: 64535
>>     use-mmap: yes
>>
>>
>> On Sat, Oct 22, 2016 at 11:15 AM, mostafa ammar <mostafaammar79 at gmail.com
>> > wrote:
>>
>>> Dear All,
>>>
>>> I installed suricata as a VM on the xenserver hypervisor to work as an inline
>>> IPS between VMs. I added 3 interfaces to the VM: one management and 2
>>> sensing interfaces, one in vlan 9 and another in vlan 10 (interfaces
>>> eth2, eth3).
>>>
>>> I installed suricata with NFqueue support, and when running with
>>>  sudo suricata -c /home/ubuntu/suricata-3.1/suricata.yaml -q 0
>>> it runs successfully.
>>> I added the following to /etc/network/interfaces:
>>>
>>> auto eth2
>>> iface eth2 inet manual
>>>     up ifconfig eth2 0.0.0.0 up
>>>     up ip link set eth2 promisc on
>>>     post-up ethtool -K eth2 gro off
>>>     post-up ethtool -K eth2 lro off
>>>     down ip link set eth2 promisc off
>>>     down ifconfig eth2 down
>>>
>>> # Second Bridged Interface
>>> auto eth3
>>> iface eth3 inet manual
>>>     up ifconfig eth3 0.0.0.0 up
>>>     up ip link set eth3 promisc on
>>>     post-up ethtool -K eth3 gro off
>>>     post-up ethtool -K eth3 lro off
>>>     down ip link set eth3 promisc off
>>>     down ifconfig eth3 down
>>>
>>> and this is a snapshot of iptables:
>>> ubuntu at ubuntu-HVM-domU:~$ sudo iptables -vnL
>>> Chain INPUT (policy ACCEPT 16525 packets, 15M bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
>>>     0     0 ACCEPT     all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
>>>     0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
>>>
>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 NFQUEUE    all  --  eth3   eth2    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>>>     0     0 NFQUEUE    all  --  eth2   eth3    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>>>
>>>
>>> Now I added 2 VMs, one in vlan 9 and another in vlan 10, but ping is not
>>> working and I see no packets at eth3 with wireshark.
>>>
>>> Any help with that?
>>>
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://suricon.net
>>
>
>
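The thread turns on whether bridged frames ever reach the FORWARD chain's NFQUEUE rule: the 0-packet counters in the iptables snapshot above and the bridge sysctl Chris points at are the two things to check. The checker below is an added example, not code from the list or from Suricata; it parses `iptables -vnL` and `sysctl -a` text and reports what would keep traffic away from NFQUEUE. It assumes the br_netfilter sysctl `net.bridge.bridge-nf-call-iptables` (not mentioned in the thread) must also be 1 for bridged frames to traverse iptables at all, and the sample input is constructed to mirror the stuck state in the original post.

```python
import re

# Constructed sample (not from the list): the FORWARD chain of a Suricata IPS VM
# whose NFQUEUE rules never see a packet, and the bridge sysctls at their defaults.
SAMPLE_IPTABLES = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    all  --  eth3   eth2    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  eth2   eth3    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
"""
SAMPLE_SYSCTL = """\
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
"""

def parse_forward_rules(iptables_text):
    """Return (pkts, target, in_if, out_if) for every rule in the FORWARD chain."""
    rules, in_forward = [], False
    for line in iptables_text.splitlines():
        if line.startswith("Chain "):
            in_forward = line.startswith("Chain FORWARD")
            continue
        cols = line.split()
        if in_forward and len(cols) >= 7 and cols[0].isdigit():
            rules.append((int(cols[0]), cols[2], cols[5], cols[6]))
    return rules

def parse_sysctl(sysctl_text):
    """Map 'key = value' lines (sysctl -a output) to a dict."""
    return dict(re.findall(r"^(\S+)\s*=\s*(\S+)", sysctl_text, re.M))

def inline_bridge_findings(iptables_text, sysctl_text, ifaces=("eth2", "eth3")):
    """Return reasons bridged traffic would not reach NFQUEUE; empty means sane."""
    findings, s = [], parse_sysctl(sysctl_text)
    # Assumption: br_netfilter must hand bridged frames to iptables (default 1 when loaded).
    if s.get("net.bridge.bridge-nf-call-iptables") != "1":
        findings.append("bridge-nf-call-iptables != 1: bridged frames bypass iptables FORWARD")
    if s.get("net.bridge.bridge-nf-filter-vlan-tagged") != "1":
        findings.append("bridge-nf-filter-vlan-tagged != 1: 802.1Q-tagged frames skip iptables")
    nfq = [r for r in parse_forward_rules(iptables_text) if r[1] == "NFQUEUE"]
    seen = {(r[2], r[3]) for r in nfq}
    a, b = ifaces
    for pair in ((a, b), (b, a)):          # a catch-all (in=*, out=*) rule also covers both
        if pair not in seen and ("*", "*") not in seen:
            findings.append("no NFQUEUE rule for %s -> %s in FORWARD" % pair)
    if nfq and all(r[0] == 0 for r in nfq):
        findings.append("NFQUEUE rules have 0 pkts: nothing is forwarded between %s and %s" % ifaces)
    return findings
```

Feed it the real output of `sudo iptables -vnL` and `sysctl -a | grep net.bridge` from the IPS VM; an empty list means the bridge, the sysctls and the queue rule are at least consistent with each other.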

