[Oisf-users] Suricata in-line af-packet appears to be messing with RADIUS from my APs

Dylan B. Walter DBWalter at goodwilleasterseals.org
Wed May 31 16:33:06 UTC 2017


Eric,

I set defrag to no for both interfaces and that appears to have resolved the issue.  It appears your tutorial is what I used originally. https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/ I'm guessing defrag no is a change since 2012?  I'm still trying to understand what that does.

Dylan

-----Original Message-----
From: Dylan B. Walter 
Sent: Wednesday, May 31, 2017 10:51 AM
To: 'Eric Leblond' <eric at regit.org>; oisf-users at lists.openinfosecfoundation.org
Subject: RE: [Oisf-users] Suricata in-line af-packet appears to be messing with RADIUS from my APs

Eric,

Thanks for the response, I appreciate your help.  I do have defrag on, so I'll try shutting that off.  Below is my af-packet config:

af-packet:
  - interface: enp0s20f0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: enp0s20f1

  - interface: enp0s20f1
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: enp0s20f0

I'm assuming making use of the patch you referenced would require replacing the binary package with a compiled version?  I'm not very experienced in manual patching in the *nix world.

Chris, thanks for your response as well.  I am seeing traffic for all vlans and have iptables wide-open so I don't think that's the issue.
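The af-packet pair above is the setting Eric points at: both IPS interfaces have defrag: yes, and the symptom is a fragmented RADIUS Access-Challenge that never completes. The following lint, an added example that is not part of this thread or of Suricata's own code, parses an af-packet section in the flat layout posted above (one `- interface:` item per capture interface, one `key: value` per line; other YAML features are an assumption it does not handle) and flags defrag enabled on an IPS or tap interface. It goes a little beyond the thread by also checking that each copy-iface points at a configured interface that copies back, and that cluster-ids are not reused. The embedded sample config is constructed from the layout posted above, once as-is and once with defrag: no.

```python
"""Lint the af-packet section of a suricata.yaml for IPS-mode pitfalls.

Added example, not part of the mailing-list thread or of Suricata itself.
Assumptions: the af-packet section uses the flat two-space list layout
posted in the thread (one `- interface:` item per capture interface, one
`key: value` per line); anchors, nested maps and other YAML features are
not handled.
"""
from __future__ import annotations

import re
from typing import Dict, List

# Sample config, constructed from the layout posted in the thread: the
# posted pair (defrag: yes) and the same pair with defrag switched off.
ORIGINAL_CONFIG = """\
af-packet:
  - interface: enp0s20f0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: enp0s20f1

  - interface: enp0s20f1
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: enp0s20f0
"""

CORRECTED_CONFIG = ORIGINAL_CONFIG.replace("defrag: yes", "defrag: no")

_TRUE = {"yes", "true", "on"}
_KV = re.compile(r"\s*(-\s+)?([\w-]+):\s*(.*)$")


def parse_af_packet(text: str) -> List[Dict[str, str]]:
    """Return the list of interface blocks found under the top-level `af-packet:` key."""
    blocks: List[Dict[str, str]] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):            # a top-level key: enter or leave the section
            in_section = line.rstrip(":") == "af-packet"
            continue
        if not in_section:
            continue
        m = _KV.match(line)
        if not m:
            continue
        dash, key, value = m.groups()
        if dash:                                 # `- interface: ...` starts a new block
            blocks.append({})
        if blocks:
            blocks[-1][key] = value.split("#", 1)[0].strip()   # drop inline comments
    return blocks


def lint_af_packet(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    blocks = parse_af_packet(text)
    by_name = {b.get("interface"): b for b in blocks}
    findings: List[str] = []
    seen_cluster: Dict[str, str] = {}
    for b in blocks:
        name = b.get("interface", "<unnamed>")
        mode = b.get("copy-mode", "").lower()
        if mode in ("ips", "tap"):
            # The thread's fix: defragmentation must stay off on an inline pair.
            if b.get("defrag", "no").lower() in _TRUE:
                findings.append(f"{name}: defrag is enabled in {mode} mode; set 'defrag: no'")
            peer = b.get("copy-iface")
            if not peer:
                findings.append(f"{name}: copy-mode {mode} without a copy-iface")
            elif peer not in by_name:
                findings.append(f"{name}: copy-iface {peer} is not a configured interface")
            elif by_name[peer].get("copy-iface") != name:
                findings.append(f"{name}: copy-iface {peer} does not copy back to {name}")
        cid = b.get("cluster-id")
        if cid is not None:
            if cid in seen_cluster:
                findings.append(f"{name}: cluster-id {cid} already used by {seen_cluster[cid]}")
            seen_cluster[cid] = name
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"[{label}]")
        for finding in lint_af_packet(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against the posted config and it reports defrag on both interfaces; the corrected copy reports nothing. To check a real suricata.yaml, read the file into a string and pass it to lint_af_packet; the parser only needs the af-packet section to use the flat layout shown here.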

-----Original Message-----
From: Eric Leblond [mailto:eric at regit.org]
Sent: Tuesday, May 30, 2017 6:53 PM
To: Dylan B. Walter <DBWalter at goodwilleasterseals.org>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata in-line af-packet appears to be messing with RADIUS from my APs

Hello,

On Tue, 2017-05-30 at 21:35 +0000, Dylan B. Walter wrote:
> 
> Hi,
>  
> First time poster here.  I have Suricata in-line running in af-packet 
> mode using the binary packages in the apt repository, IP tables 
> completely empty on Ubuntu 16.04, fully patched.  It sits between my 
> router and switch on an 802.1q trunk.  All services work fine for 
> wired clients on all 4 VLANs.  Radius logons work to my cisco catalyst 
> switch (UDP 1645 auth/1646 accounting), but my Meraki WAP’s radius 
> fails (UDP 1812-auth).  If I disable Suricata and flip my inline pair 
> to a bridge it works just fine.  I considered that maybe it was just
> 1812 and switched the Meraki’s to use 1645, same behavior.  If I 
> capture packets from the IPS, from the perimeter router, from the core 
> firewall, and from the RADIUS server itself it looks the same:
>  
> Access-Request WAP->Radius Server
> Access-Challenge Radius Server->WAP
> Access-Request WAP->Radius Server
> Access-Challenge Radius Server->WAP (fragmented and re-assembled)
>  
> What’s weird is I see nothing in fast.log or drop.log referencing my 
> AP’s IP, nor my Radius server so one would think that means it’s not 
> acting on it, but the problem goes away when it’s bypassed.
>  
> I can include sanitized config snippets if that’s helpful.

Yes, could you paste the af-packet section of your suricata.yaml config?

The main problem can be the defrag option in af-packet, which has to be set to no.

Also, there is a problem in some cases that is addressed by the following code:
https://github.com/regit/suricata/tree/misc-20170510-v3
In particular this is fixing https://redmine.openinfosecfoundation.org/issues/2099

It would be really nice if you could give this branch a try.

BR,
--
Eric


