[Oisf-users] suricata inline

Chris Boley ilgtech75 at gmail.com
Sun Oct 23 22:41:44 UTC 2016


Pardon, sorry, I wanted to chime in one more time.
In this scenario, the Xenserver GUI mentioned in the beginning of this
thread uses / creates "networks".

When you create a network in the xenserver gui (from what I saw in tutorial
videos on youtube), it actually builds a vswitch and ties it to a physical
NIC.

You can set that so that the outgoing frame is tagged with a vlan ID.
In this case, where the physical NIC is connected to the physical switch,
the corresponding port would need to be a "tagged port" or "trunk"
(Cisco speak).

Because of his complicated VM on xenserver scenario, some questions need
answering:

Does he have a vHost running a 'Single-Server Private Network'?
Or does he have a vHost running an 'External network', where he's basically
created a vswitch directly tied to a physical NIC?

I did some studying on how xenserver's gui builds an 'External Network'. It
does some config under the hood that ultimately might look somewhat like
this:

In his case, assuming he has 'External network' selected,
I think it would suffice to think of his first virtual interface (vlan 9) as
making a bridge in /etc/network/interfaces like so:
auto br0
iface br0 inet static
        address 0.0.0.0
        netmask 255.255.255.255
        bridge_ports eth1
        post-up vconfig add br0 9
        post-down brctl delbr br0

and his vlan 10 virtual interface

auto br1
iface br1 inet static
        address 0.0.0.0
        netmask 255.255.255.255
        bridge_ports eth2
        post-up vconfig add br1 10
        post-down brctl delbr br1

His virtual machines are likely tied directly to the br0.9 and the br1.10
interfaces. A lot of assuming going on here on my part, so bear with me.

In this case I would ask:
Does he have two virtual networks built? One 'vswitch1' for one side of his
bridge and another 'vswitch2' built for the other side of his bridge?
Does he have spanning tree protocol enabled on his vswitches? Does he have
it enabled on his physical managed switch? All these factors come into play
here. If he does, spanning tree protocol most assuredly is shutting down a
port somewhere to avoid a switching loop.

Whether he's using his old setup or the one I sent over to him, the
networking end has to work before we worry about how suricata will play
into this.

I'll shut up now, I've rambled too much =) Hopefully something here might
help.

Chris


On Sun, Oct 23, 2016 at 5:14 PM, Andreas Herz <andi at geekosphere.org> wrote:

> Hi,
>
> it looks like you tried to mix NFQ IPS mode with afpacket IPS mode.
>
> When I look in your iptables output from your first mail, it's obvious
> that you don't have any packets that go into the FORWARD chain. This
> means your network setup itself isn't working as you might want it to
> be.
>
> In your second mail/setup you say you see the ICMP requests working. Can
> you be more precise about how the ICMP traffic is going and do you see
> the packets within suricata?
>
> If the ICMP goes through suricata, but all the other protocols are
> dropped, do you see any drop messages from the suricata logs?
> Did you try to run it without any rules active?
>
> On 22/10/16 at 15:46, mostafa ammar wrote:
> > Dear All,
> >
> > I adjusted suricata.yaml with the below configuration for eth2 and eth3
> > and, using the command
> > sudo suricata -c ~/sirucata-3.`/suricata.yaml --af-packet
> > ping is working but all other protocols are dropped. Does anyone have an
> > idea what could be causing this?
> > I am having the same issue with snort being inline for traffic: only
> > ping is passing and all other types of traffic are dropped.
> >
> >   - interface: eth2
> >     threads: 32
> >     defrag: yes
> >     cluster-type: cluster_flow
> >     cluster-id: 98
> >     copy-mode: ips
> >     copy-iface: eth3
> >     buffer-size: 64535
> >     use-mmap: yes
> >   - interface: eth3
> >     threads: 32
> >     cluster-id: 97
> >     defrag: yes
> >     cluster-type: cluster_flow
> >     copy-mode: ips
> >     copy-iface: eth2
> >     buffer-size: 64535
> >     use-mmap: yes
> >
> >
> > On Sat, Oct 22, 2016 at 11:15 AM, mostafa ammar <mostafaammar79 at gmail.com>
> > wrote:
> >
> > > Dear All,
> > >
> > > I installed Suricata as a VM on a XenServer hypervisor to work as an
> > > inline IPS between VMs. I added 3 interfaces to the VM: one management
> > > and 2 sensing interfaces, one in vlan 9 and another in vlan 10
> > > (interfaces eth2, eth3).
> > >
> > > I installed Suricata with NFQueue support, and when running with
> > >  sudo suricata -c /home/ubuntu/suricata-3.1/suricata.yaml -q 0
> > > it runs successfully.
> > > I added the following to /etc/network/interfaces:
> > >
> > > auto eth2
> > > iface eth2 inet manual
> > >     up ifconfig eth2 0.0.0.0 up
> > >     up ip link set eth2 promisc on
> > >     post-up ethtool -K eth2 gro off
> > >     post-up ethtool -K eth2 lro off
> > >     down ip link set eth2 promisc off
> > >     down ifconfig eth2 down
> > >
> > > # Second Bridged Interface
> > > auto eth3
> > > iface eth3 inet manual
> > >     up ifconfig eth3 0.0.0.0 up
> > >     up ip link set eth3 promisc on
> > >     post-up ethtool -K eth3 gro off
> > >     post-up ethtool -K eth3 lro off
> > >     down ip link set eth3 promisc off
> > >     down ifconfig eth3 down
> > >
> > > and this is a snapshot of iptables:
> > > ubuntu at ubuntu-HVM-domU:~$ sudo iptables -vnL
> > > Chain INPUT (policy ACCEPT 16525 packets, 15M bytes)
> > >  pkts bytes target     prot opt in     out     source               destination
> > >     0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
> > >     0     0 ACCEPT     all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
> > >     0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
> > >
> > > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> > >  pkts bytes target     prot opt in     out     source               destination
> > >     0     0 NFQUEUE    all  --  eth3   eth2    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
> > >     0     0 NFQUEUE    all  --  eth2   eth3    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
> > >
> > >
> > > Now I added 2 VMs, one in vlan 9 and another in vlan 10, but ping is
> > > not working and I see no packets at eth3 with Wireshark.
> > >
> > > Any help with that?
> > >
>
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>
>
> --
> Andreas Herz
>
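An added example, not code from this thread or from the Suricata project: a small checker for the af-packet IPS pairing quoted above, which flags the mistakes that silently break inline mode (a copy-iface that does not point back, a reused cluster-id, use-mmap left off). The parser is a hand-rolled one for the flat "- interface:" list form, and the use-mmap check follows the Suricata af-packet documentation; the input is constructed from the quoted config with non-essential keys trimmed.

```python
# Added example, not code from the thread: sanity-check the af-packet IPS
# pairing in a suricata.yaml 'af-packet:' list like the one quoted above.

AF_PACKET_SNIPPET = """\
  - interface: eth2
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth3
    use-mmap: yes
  - interface: eth3
    cluster-id: 97
    copy-mode: ips
    copy-iface: eth2
    use-mmap: yes
"""

def parse_af_packet(text):
    """Parse the flat '- interface:' list form into dicts (no PyYAML needed)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        if line.startswith("- "):          # '- ' opens a new interface entry
            entries.append({})
            line = line[2:]
        key, _, value = line.partition(":")
        entries[-1][key.strip()] = value.strip()
    return entries

def check_ips_pairs(entries):
    """Return a list of problems; an empty list means the IPS pairing is consistent."""
    problems = []
    by_name = {e.get("interface"): e for e in entries}
    seen_ids = {}
    for e in entries:
        name, cid = e.get("interface"), e.get("cluster-id")
        if cid in seen_ids:                # cluster-id must be unique per interface
            problems.append(f"{name}: cluster-id {cid} already used by {seen_ids[cid]}")
        seen_ids[cid] = name
        if e.get("copy-mode") not in ("ips", "tap"):
            continue
        peer = by_name.get(e.get("copy-iface"))
        if peer is None:                   # copy target must itself be configured
            problems.append(f"{name}: copy-iface {e.get('copy-iface')} is not configured")
        elif peer.get("copy-iface") != name:   # pair must copy in both directions
            problems.append(f"{name}: {peer['interface']} does not copy back to {name}")
        if e.get("use-mmap") != "yes":     # af-packet copy-mode relies on mmap
            problems.append(f"{name}: copy-mode requires use-mmap: yes")
    return problems
```

Running it on the quoted pairing returns no problems, so the af-packet side of that config is internally consistent; the thread's remaining questions are whether the NFQUEUE rules and the host bridging are also in play at the same time.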