[Oisf-users] Suricata >3.0 to sniff bumped ssl traffic from squid

Peter Manev petermanev at gmail.com
Tue Sep 13 13:13:53 UTC 2016


On Fri, Sep 9, 2016 at 11:30 PM, Petr Skovoroda <petrskovoroda at gmail.com> wrote:
> Hello,
>
> We seek your assistance in our project.
>
> We are building a router, which should provide a secure connection to any
> user. And we want IDS/IPS to inspect all kinds of communications in our
> network: tor, i2p and direct.
> But we also want to inspect all ssl traffic. To do so, we use squid proxy
> with ssl-bump feature to perform mitm.
> All decrypted traffic goes to icap server, where it's being scanned by clam
> antivirus.
>
> To accomplish our goal, we are going to make Suricata listen on two
> interfaces:
>  -  On LAN Suricata is going to detect potentially bad traffic (incoming and
> outgoing), block attackers/compromised hosts, tor exit nodes, etc.
>  -  On localhost Suricata is supposed to scan icap port for bad content:
> browser/activex exploits, malware, attacks, etc.
>
> This will allow us to secure the entire network.
>
> So, the problem is, that for some reason Suricata >=3.1 is unable to listen
> on loopback in afp mode. When I run it with -i lo option, it dies with these
> messages:
> <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than
> block size
> <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET
> socket, fatal error
>

You can listen on loopback with AFP - the problem most likely is MTU
on the loopback (default could be 65536).
You can test/try like so -

sudo ifconfig lo mtu 1522
then

suricata  --af-packet --set "af-packet.0.interface=lo" -vvv
[7344] 13/9/2016 -- 15:10:27 - (suricata.c:1086) <Notice>
(SCPrintVersion) -- This is Suricata version 3.1dev (rev ae11687)
....
....
[7344] 13/9/2016 -- 15:10:27 - (runmode-af-packet.c:428) <Perf>
(ParseAFPConfig) -- Using 8 AF_PACKET threads for interface lo
[7344] 13/9/2016 -- 15:10:27 - (util-ioctl.c:341) <Warning>
(GetIfaceOffloadingLinux) -- [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] -
NIC offloading on lo: SG: SET,  GRO: unset, LRO: unset, TSO: unset,
GSO: unset. Run: ethtool -K lo sg off gro off lro off tso off gso off
[7344] 13/9/2016 -- 15:10:27 - (runmode-af-packet.c:458) <Warning>
(ParseAFPConfig) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using
AF_PACKET with offloading activated leads to capture problems
[7344] 13/9/2016 -- 15:10:27 - (runmode-af-packet.c:480) <Config>
(ParseAFPConfig) -- lo: enabling zero copy mode by using data release
call
[7344] 13/9/2016 -- 15:10:27 - (util-runmodes.c:288) <Info>
(RunModeSetLiveCaptureWorkersForDevice) -- Going to use 8 thread(s)
[7344] 13/9/2016 -- 15:10:27 - (flow-manager.c:720) <Config>
(FlowManagerThreadSpawn) -- using 1 flow manager threads
[7344] 13/9/2016 -- 15:10:27 - (flow-manager.c:884) <Config>
(FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
[7344] 13/9/2016 -- 15:10:27 - (tm-threads.c:2168) <Notice>
(TmThreadWaitOnThreadInit) -- all 8 packet processing threads, 4
management threads initialized, engine started.
[7345] 13/9/2016 -- 15:10:27 - (source-af-packet.c:1592) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=103 frame_size=1616 frame_nr=2060
[7346] 13/9/2016 -- 15:10:27 - (source-af-packet.c:1592) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=103 frame_size=1616 frame_nr=2060
[7347] 13/9/2016 -- 15:10:27 - (source-af-packet.c:1592) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=103 frame_size=1616 frame_nr=2060
[7348] 13/9/2016 -- 15:10:27 - (source-af-packet.c:1592) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=103 frame_size=1616 frame_nr=2060
[7349] 13/9/2016 -- 15:10:27 - (source-af-packet.c:1592) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=103 frame_size=1616 frame_nr=2060
[7350] 13/9/2016 -- 15:10:28 - (source-af-packet.c:1592) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=103 frame_size=1616 frame_nr=2060
[7351] 13/9/2016 -- 15:10:28 - (source-af-packet.c:1592) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=103 frame_size=1616 frame_nr=2060
[7352] 13/9/2016 -- 15:10:28 - (source-af-packet.c:1592) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=103 frame_size=1616 frame_nr=2060
[7352] 13/9/2016 -- 15:10:28 - (source-af-packet.c:476) <Info>
(AFPPeersListReachedInc) -- All AFP capture threads are running.



> Same configuration works fine with Suricata v3.0.0. I can actually sniff
> loopback and examine all the traffic on icap port.
> I checked blame on github, but couldn't find anything since 3.0 release.
>
> I want to ask, if it's actually possible?
> And if not, is there any other solution to scan decrypted traffic from squid
> with Suricata?
>
> --
> Best regards,
> Peter
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net



-- 
Regards,
Peter Manev
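The error in the first post and the "RX Ring params" lines in the reply above both come from the same arithmetic: Suricata sizes one AF_PACKET ring frame from the interface MTU and refuses to start when that frame no longer fits into a ring block. The script below is an added example, not code from this thread or from Suricata itself; it mirrors the sizing as I understand Suricata's AFPComputeRingParams(), with constants (page size 4096, block order 3, ring size 2048, 64-bit tpacket_hdr and sockaddr_ll sizes, a 22-byte link-layer allowance) chosen as assumptions that reproduce the values in the log above (block_size=32768 block_nr=103 frame_size=1616 frame_nr=2060 at MTU 1522) and that should be checked against the version you actually run. It also shows why the loopback default of 65536 fails and what the largest MTU is that still fits a 32768-byte block.

```python
"""Reproduce Suricata's AF_PACKET RX ring sizing for a given MTU.

Added example, not code from the mailing-list post or from Suricata.
The constants are assumptions that match the ring parameters logged
in the reply above; verify them against your build before relying on
the numbers.
"""

TPACKET_ALIGNMENT = 16          # from linux/if_packet.h
PAGE_SIZE = 4096                # assumed getpagesize() on x86-64
ORDER = 3                       # assumed default block order: 4096 << 3 = 32768
RING_SIZE = 2048                # assumed default af-packet ring-size (frames)
TP_HDRLEN = 32                  # assumed sizeof(struct tpacket_hdr) on 64-bit
SOCKADDR_LL_LEN = 20            # assumed sizeof(struct sockaddr_ll)
ETH_HLEN = 14                   # Ethernet header length
LL_HEADER_MAX = 8 + ETH_HLEN    # assumed Ethernet header plus room for VLAN tags


def tpacket_align(x: int) -> int:
    """TPACKET_ALIGN(x): round x up to a multiple of 16."""
    return (x + TPACKET_ALIGNMENT - 1) & ~(TPACKET_ALIGNMENT - 1)


def per_frame_overhead() -> int:
    """Metadata bytes stored in front of each captured packet in the ring."""
    return tpacket_align(tpacket_align(TP_HDRLEN) + SOCKADDR_LL_LEN + ETH_HLEN)


def frame_size_for_mtu(mtu: int) -> int:
    """Bytes one ring frame must hold for an interface with this MTU."""
    snaplen = mtu + LL_HEADER_MAX
    return tpacket_align(snaplen + per_frame_overhead() - ETH_HLEN)


def compute_ring_params(mtu: int, ring_size: int = RING_SIZE, order: int = ORDER):
    """Return (block_size, block_nr, frame_size, frame_nr), or None when a
    frame cannot fit into one block, which is the condition behind
    'Frame size bigger than block size'."""
    frame_size = frame_size_for_mtu(mtu)
    block_size = PAGE_SIZE << order
    frames_per_block = block_size // frame_size
    if frames_per_block == 0:
        return None
    block_nr = ring_size // frames_per_block + 1
    frame_nr = block_nr * frames_per_block   # exact multiple of frames per block
    return block_size, block_nr, frame_size, frame_nr


def max_mtu_for_order(order: int = ORDER) -> int:
    """Largest MTU whose frame still fits into a block of PAGE_SIZE << order bytes."""
    block_size = PAGE_SIZE << order
    # block_size is itself a multiple of 16, so alignment cannot push a
    # frame of exactly block_size bytes over the limit.
    return block_size - LL_HEADER_MAX - (per_frame_overhead() - ETH_HLEN)


if __name__ == "__main__":
    for mtu in (1522, 65536):
        params = compute_ring_params(mtu)
        if params is None:
            print(f"MTU {mtu}: frame_size={frame_size_for_mtu(mtu)} > "
                  f"block_size={PAGE_SIZE << ORDER}: Frame size bigger than block size")
        else:
            bs, bn, fs, fn = params
            print(f"MTU {mtu}: block_size={bs} block_nr={bn} frame_size={fs} frame_nr={fn}")
    print(f"largest MTU that fits with block order {ORDER}: {max_mtu_for_order()}")
```

Run it as-is and the MTU 1522 line matches the ring parameters in the log above, while MTU 65536 yields a 65632-byte frame that cannot fit a 32768-byte block; anything up to 32680 bytes still fits under these assumptions, so `ifconfig lo mtu 1522` is one of many values that work.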
