[Oisf-users] suricata inline

Andreas Herz andi at geekosphere.org
Sun Oct 23 21:14:04 UTC 2016


Hi,

it looks like you tried to mix NFQ IPS mode with afpacket IPS mode.

When I look at the iptables output from your first mail, it's obvious
that you don't have any packets going into the FORWARD chain. This
means your network setup itself isn't working the way you want it to.

In your second mail/setup you say you see the ICMP requests working. Can
you be more precise about how the ICMP traffic flows, and do you see
the packets within suricata?

If the ICMP goes through suricata, but all the other protocols are
dropped, do you see any drop messages from the suricata logs?
Did you try to run it without any rules active?

On 22/10/16 at 15:46, mostafa ammar wrote:
> Dear All,
> 
> I adjusted suricata.yaml with the below configuration for eth2 and eth3 and,
> using the command
> sudo suricata -c ~/suricata-3.1/suricata.yaml --af-packet
> ping is working but all other protocols are dropped. Does anyone have an idea
> what could cause such an issue?
> I am having the same issue with snort being inline for traffic: only ping
> is passing and all other types of traffic are dropped.
> 
>   - interface: eth2
>     threads: 32
>     defrag: yes
>     cluster-type: cluster_flow
>     cluster-id: 98
>     copy-mode: ips
>     copy-iface: eth3
>     buffer-size: 64535
>     use-mmap: yes
>   - interface: eth3
>     threads: 32
>     cluster-id: 97
>     defrag: yes
>     cluster-type: cluster_flow
>     copy-mode: ips
>     copy-iface: eth2
>     buffer-size: 64535
>     use-mmap: yes
> 
> 
> On Sat, Oct 22, 2016 at 11:15 AM, mostafa ammar <mostafaammar79 at gmail.com>
> wrote:
> 
> > Dear All,
> >
> > I installed suricata as a VM on a XenServer hypervisor to work as an inline IPS
> > between VMs. I added 3 interfaces to the VM, one for management and 2 sensing
> > interfaces, one in VLAN 9 and another in VLAN 10 (interfaces eth2, eth3).
> >
> > I installed suricata with NFQUEUE support and when running it with
> >  sudo suricata -c /home/ubuntu/suricata-3.1/suricata.yaml -q 0
> > it runs successfully.
> > I added the following to /etc/network/interfaces:
> >
> > auto eth2
> > iface eth2 inet manual
> >     up ifconfig eth2 0.0.0.0 up
> >     up ip link set eth2 promisc on
> >     post-up ethtool -K eth2 gro off
> >     post-up ethtool -K eth2 lro off
> >     down ip link set eth2 promisc off
> >     down ifconfig eth2 down
> >
> > # Second Bridged Interface
> > auto eth3
> > iface eth3 inet manual
> >     up ifconfig eth3 0.0.0.0 up
> >     up ip link set eth3 promisc on
> >     post-up ethtool -K eth3 gro off
> >     post-up ethtool -K eth3 lro off
> >     down ip link set eth3 promisc off
> >     down ifconfig eth3 down
> >
> > and this is a snapshot of iptables:
> > ubuntu@ubuntu-HVM-domU:~$ sudo iptables -vnL
> > Chain INPUT (policy ACCEPT 16525 packets, 15M bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
> >     0     0 ACCEPT     all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
> >     0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 NFQUEUE    all  --  eth3   eth2    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
> >     0     0 NFQUEUE    all  --  eth2   eth3    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
> >
> >
> > Now I added 2 VMs, one in VLAN 9 and another in VLAN 10, but ping is not
> > working and I see no packets at eth3 with Wireshark.
> >
> > Any help with that?
> >

> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net


-- 
Andreas Herz
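The reply above rests on two observations: the NFQUEUE rules in the FORWARD chain show zero packets, and the poster has both af-packet copy-mode IPS and NFQUEUE configured at once. The script below is an added example (not code from this thread or from the Suricata project) that turns those observations into repeatable checks a practitioner can run on an inline box: it sums the packet counters of the FORWARD NFQUEUE rules from an `iptables -vnL` dump, checks whether `net.ipv4.ip_forward` is on (in NFQ mode, packets only traverse FORWARD if the host actually routes between the two interfaces), and flags the NFQ/af-packet mix. The sample iptables dump and YAML fragment are constructed inline to mirror what the original mail showed; the file names are assumptions, and the function names are mine.

```shell
#!/bin/sh
# Added diagnostic for an inline Suricata host; not code from the thread.
# It scripts the checks the reply asks for:
#   1. do packets actually reach the NFQUEUE rules in the FORWARD chain?
#   2. is the host even allowed to forward (net.ipv4.ip_forward)?
# and flags the NFQ/af-packet mix. Inputs are files or stdin so it runs
# offline against the constructed samples at the bottom.

# Sum the pkts column of every NFQUEUE rule in the FORWARD chain of an
# `iptables -vnL` dump read from stdin. Returns 0 if any packets were seen,
# 1 if all counters are zero, 2 if there are no NFQUEUE rules at all.
forward_nfqueue_pkts() {
    awk '
        /^Chain / { chain = $2; next }
        chain == "FORWARD" && $3 == "NFQUEUE" { total += $1; n++ }
        END {
            if (n == 0) { print "no NFQUEUE rules in FORWARD"; exit 2 }
            print "FORWARD NFQUEUE rules: " n ", packets seen: " total
            if (total > 0) exit 0
            exit 1
        }'
}

# True when the kernel (or the file given as $1, for offline tests) has IPv4
# forwarding on. Without it nothing traverses FORWARD and NFQUEUE never fires.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# True when the suricata.yaml in $1 enables af-packet copy-mode ips AND the
# iptables dump in $2 contains NFQUEUE targets: two IPS paths at once, which
# the reply warns against. Run Suricata with exactly one of them.
mixed_ips_modes() {
    grep -Eq '^[[:space:]]*copy-mode:[[:space:]]*ips' "$1" && grep -q NFQUEUE "$2"
}

# --- constructed samples (mirroring the thread's output; not live data) ---
WORK=$(mktemp -d)
SAMPLE_IPT_ZERO="$WORK/iptables-zero.txt"   # what the original post showed
SAMPLE_IPT_LIVE="$WORK/iptables-live.txt"   # what a working setup looks like
SAMPLE_YAML="$WORK/suricata.yaml"           # af-packet IPS fragment from the post
SAMPLE_FWD_OFF="$WORK/ip_forward"           # stand-in for /proc/sys/net/ipv4/ip_forward

cat > "$SAMPLE_IPT_ZERO" <<'EOF'
Chain INPUT (policy ACCEPT 16525 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    all  --  eth3   eth2    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  eth2   eth3    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
EOF

# Same rules, but with traffic actually hitting them.
sed 's/^ *0 *0 NFQUEUE/ 1234 98765 NFQUEUE/' "$SAMPLE_IPT_ZERO" > "$SAMPLE_IPT_LIVE"

cat > "$SAMPLE_YAML" <<'EOF'
af-packet:
  - interface: eth2
    copy-mode: ips
    copy-iface: eth3
EOF
echo 0 > "$SAMPLE_FWD_OFF"

# Stand-alone run: reproduce the diagnosis of the original post.
if ! forward_nfqueue_pkts < "$SAMPLE_IPT_ZERO"; then
    echo "FORWARD sees nothing: fix routing/forwarding before looking at rules"
fi
ip_forward_enabled "$SAMPLE_FWD_OFF" || echo "net.ipv4.ip_forward is 0"
if mixed_ips_modes "$SAMPLE_YAML" "$SAMPLE_IPT_ZERO"; then
    echo "af-packet IPS and NFQUEUE are both configured: pick one"
fi
```

On a live box, drop the sample paths: `sudo iptables -vnL | forward_nfqueue_pkts`, `ip_forward_enabled`, and `mixed_ips_modes /etc/suricata/suricata.yaml <(sudo iptables -vnL)` (or a saved dump). The order matters for the diagnosis: until the FORWARD counters move, neither Suricata rules nor drop logs are the problem.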


