[Oisf-users] suricata inline

Chris Boley ilgtech75 at gmail.com
Sun Oct 23 19:58:40 UTC 2016 

Hi, what's the output of iptables -nvL ? Is the FORWARD rule incrementing
any data?

On Sunday, October 23, 2016, mostafa ammar <mostafaammar79 at gmail.com> wrote:

> Dear Chris,
>
> thanks a lot for your reply,yes correctly I want to make a single
> broadcast domain through IPS machine, so that all traffic is forced to pass
> through IPS machine to reach its destination .
>
>  I tried all your configuration , unfortunately it did not work.
>
> currently when capturing on IPS machine I see traffic is not moving from
> one interface to the other however all configuration are as stated any
> trials suggested.
>
> On Sun, Oct 23, 2016 at 3:39 AM, Chris Boley <ilgtech75 at gmail.com
> <javascript:_e(%7B%7D,'cvml','ilgtech75 at gmail.com');>> wrote:
>
>> I set up an IPS VM inline some time ago, but it was a little different
>> than what you're attempting.
>>
>> You're trying to create a broadcast domain between vlan 9 and vlan 10
>> which would otherwise be logically separated.
>>
>> I'll suggest this:
>>
>> iptables rules on your IPS VM:
>>
>> iptables -A FORWARD -j NFQUEUE
>>
>> iptables -I INPUT -i lo -j ACCEPT
>> iptables -I INPUT -i eth0 -j ACCEPT
>> iptables -A INPUT -j NFQUEUE
>>
>>
>> SYSCTL...on your IPS VM
>>
>> root at suricata:/home/ipsadmin# sysctl -a | grep net.bridge
>>
>> >>>>  net.bridge.bridge-nf-filter-vlan-tagged = 1
>>
>>  << your vswitch might be doing something really strange with traffic
>> going back and forth to your virtual interfaces. Your traffic might be have
>> problems being properly read as it's crossing through the xenserver
>> vswitch. I can't speak for how the vswitch handles that. The
>> net.bridge.bridge-nf-filter-vlan-tagged = 1 setting allows the bridge to
>> strip vlan tags and send to iptables without the vlan tag. Then the traffic
>> can be read by netfilter(NFQUEUE) and pushed into suricata for inspection.
>> If you are for example scanning over a dot1q link, like a "trunk" between
>> cisco switches, the IPS won't work unless you're making that sysctl change.
>> It just can't see the vlan tagged traffic.
>>
>> Make sure to go ahead and try moving that setting to a "1" by default it
>> is a "0" it won't bother any of the other functionality of your VM anyway.
>>
>> A very simple test interfaces file inside your IPS VM:
>>
>> auto lo
>> iface lo inet loopback
>>
>> auto eth0
>> iface eth0 inet static
>>         address x.x.x.x
>>         netmask x.x.x.x
>>         gateway x.x.x.x
>>
>> auto eth2
>> iface eth2 inet manual
>>    post-up ifconfig $IFACE up
>>    pre-down ifconfig $IFACE down
>>
>> auto eth3
>> iface eth3 inet manual
>>    post-up ifconfig $IFACE up
>>    pre-down ifconfig $IFACE down
>>
>>
>> auto br0
>> iface br0 inet static
>>         address 0.0.0.0
>>         netmask 255.255.255.255
>>         bridge_ports eth1 eth2
>>         bridge_stp off
>>         post-down brctl delbr br0
>>
>> Then
>> A simple test suricata startup without all the interface copy stuff you
>> had in there before.
>> sudo suricata -q 0 -c /etc/suricata/suricata.yaml
>>
>> I might be wrong but I think this will get you really close to allowing
>> those two devices to pass traffic over the virtual linux bridge on that VM.
>>
>> I realize it's not the interface copy method. Apologies, I only desire to
>> offer what I actually do understand to help you with a solution.
>>
>>
>>
>> On Sat, Oct 22, 2016 at 9:46 AM, mostafa ammar <mostafaammar79 at gmail.com
>> <javascript:_e(%7B%7D,'cvml','mostafaammar79 at gmail.com');>> wrote:
>>
>>> Dear All,
>>>
>>> I adjuste sirucata.yaml with the below configuration for eth2 and eth3
>>> and using the command
>>> sudo suricata -c ~/sirucata-3.`/sirucata.yaml --af--packet , ping is
>>> working but all other protocols are dropped , any one have anidea what can
>>> be such issue?
>>> I am having the same issue with snort being inline for traffic , only
>>> ping is passing and all other types of traffic is dropped.
>>>
>>>   - interface: eth2
>>>     threads: 32
>>>     defrag: yes
>>>     cluster-type: cluster_flow
>>>     cluster-id: 98
>>>     copy-mode: ips
>>>     copy-iface: eth3
>>>     buffer-size: 64535
>>>     use-mmap: yes
>>>   - interface: eth3
>>>     threads: 32
>>>     cluster-id: 97
>>>     defrag: yes
>>>     cluster-type: cluster_flow
>>>     copy-mode: ips
>>>     copy-iface: eth2
>>>     buffer-size: 64535
>>>     use-mmap: yes
>>>
>>>
>>> On Sat, Oct 22, 2016 at 11:15 AM, mostafa ammar <
>>> mostafaammar79 at gmail.com
>>> <javascript:_e(%7B%7D,'cvml','mostafaammar79 at gmail.com');>> wrote:
>>>
>>>> Dear All,
>>>>
>>>> i installed suricata as a vm on xenserver hypervisor to work as inline
>>>> ips between VM , I added 3 interfaces to VM ,one management and 2
>>>> interfaces sensing , one in vlan 9 and another in vlan 10 (interface
>>>> eth2,eth3)
>>>>
>>>> i installed suricata with NFqueue support and when running with
>>>>  sudo suricata -c /home/ubuntu/suricata-3.1/suricata.yaml -q 0
>>>> it runs successfully
>>>> I added the following to /etc/network/interface
>>>>
>>>> auto eth2
>>>> iface eth2 inet manual
>>>>     up ifconfig eth2 0.0.0.0 up
>>>>     up ip link set eth2 promisc on
>>>>     post-up ethtool -K eth2 gro off
>>>>     post-up ethtool -K eth2 lro off
>>>>     down ip link set eth2 promisc off
>>>>     down ifconfig eth2 down
>>>>
>>>> # Second Bridged Interface
>>>> auto eth3
>>>> iface eth3 inet manual
>>>>     up ifconfig eth3 0.0.0.0 up
>>>>     up ip link set eth3 promisc on
>>>>     post-up ethtool -K eth3 gro off
>>>>     post-up ethtool -K eth3 lro off
>>>>     down ip link set eth3 promisc off
>>>>     down ifconfig eth3 down
>>>>
>>>> and this is a snapshot of iptables
>>>> ubuntu at ubuntu-HVM-domU:~$ sudo iptables -vnL
>>>> Chain INPUT (policy ACCEPT 16525 packets, 15M bytes)
>>>>  pkts bytes target     prot opt in     out     source
>>>> destination
>>>>     0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0
>>>> 0.0.0.0/0
>>>>     0     0 ACCEPT     all  --  eth3   *       0.0.0.0/0
>>>> 0.0.0.0/0
>>>>     0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0
>>>> 0.0.0.0/0
>>>>
>>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>>>  pkts bytes target     prot opt in     out     source
>>>> destination
>>>>     0     0 NFQUEUE    all  --  eth3   eth2    0.0.0.0/0
>>>> 0.0.0.0/0            NFQUEUE num 0
>>>>     0     0 NFQUEUE    all  --  eth2   eth3    0.0.0.0/0
>>>> 0.0.0.0/0            NFQUEUE num 0
>>>>
>>>>
>>>> now i added 2 VMs one in vlan 9 and another in vlan 10 but ping is not
>>>> working and i see no packets at eth3 with wireshark
>>>>
>>>> any help about that
>>>>
>>>
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> <javascript:_e(%7B%7D,'cvml','oisf-users at openinfosecfoundation.org');>
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/suppor
>>> t/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/ois
>>> f-users
>>> Suricata User Conference November 9-11 in Washington, DC:
>>> http://suricon.net
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161023/6db97286/attachment-0005.html>

More information about the Oisf-users mailing list