[Oisf-users] Suricata - vars and multiple interfaces
Davide Setti
d.setti at certego.net
Tue Aug 7 13:20:16 UTC 2018
Hi Victor,
I just tested a sample configuration against that PR on Ubuntu 16.04 LTS
and I got a strange error.
Here is my sample config (in shorts):
af-packet:
- interface: eno2
threads: 1
cluster-id: 91
cluster-type: cluster_flow
- interface: enp2s0f0
threads: 1
cluster-id: 92
cluster-type: cluster_flow
multi-detect:
enabled: yes
selector: device
loaders: 2
tenants:
- id: 1
yaml: eno1.yaml
- id: 2
yaml: enp2s0f0.yaml
mappings:
- device: eno2
tenant-id: 1
- device: enp2s0f0
tenant-id: 2
Whenever I test it with multi-detect enabled I got an error reporting that
mapping device does not esixts.
network-sensor suricata # *suricata -c suricata.yaml -T*
[11681] 7/8/2018 -- 12:56:53 - (suricata.c:1900) <Info> (ParseCommandLine)
-- Running suricata under test mode
[11681] 7/8/2018 -- 12:56:53 - (suricata.c:1084) <Notice> (LogVersion) --
This is Suricata version 4.1.0-dev (rev 7c884e0)
[11681] 7/8/2018 -- 12:56:53 - (detect-engine.c:2967) <Warning> (
DetectEngineMultiTenantSetupLoadLivedevMappings) -- [ERRCODE:
SC_ERR_MT_NO_MAPPING(271)] - device eno2 not found
[11681] 7/8/2018 -- 12:56:53 - (detect-engine.c:3148) <Error>
(DetectEngineMultiTenantSetup) -- [ERRCODE: SC_ERR_MT_NO_MAPPING(271)] - no
multi-detect mappings defined
[11681] 7/8/2018 -- 12:56:53 - (suricata.c:2572) <Error>
(PostConfLoadedDetectSetup) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] -
initializing multi-detect detection engine contexts failed.
network-sensor suricata # *ip a | grep eno2 *
7: eno2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
state UP group default qlen 1000
If I put *enp2s0f0* as first device in list I got the same error:
network-sensor suricata # *suricata -c suricata.yaml -T*
[6611] 7/8/2018 -- 12:51:12 - (suricata.c:1900) <Info> (ParseCommandLine)
-- Running suricata under test mode
[6611] 7/8/2018 -- 12:51:12 - (suricata.c:1084) <Notice> (LogVersion) --
This is Suricata version 4.1.0-dev (rev 7c884e0)
[6611] 7/8/2018 -- 12:51:12 - (detect-engine.c:2967) <Warning> (
DetectEngineMultiTenantSetupLoadLivedevMappings) -- [ERRCODE:
SC_ERR_MT_NO_MAPPING(271)] - device enp2s0f0 not found
[6611] 7/8/2018 -- 12:51:12 - (detect-engine.c:3148) <Error>
(DetectEngineMultiTenantSetup) -- [ERRCODE: SC_ERR_MT_NO_MAPPING(271)] - no
multi-detect mappings defined
[6611] 7/8/2018 -- 12:51:12 - (suricata.c:2572) <Error>
(PostConfLoadedDetectSetup) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] -
initializing multi-detect detection engine contexts failed.
network-sensor suricata # *ip a | grep enp2s0f0 *
2: enp2s0f0: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc
mq state UP group default qlen 1000
But if I comment out multi-detect section everything works fine (except
flowbits, but this is not what I was testing):
network-sensor suricata # *suricata -c suricata.yaml -T*
[12152] 7/8/2018 -- 12:57:28 - (suricata.c:1900) <Info> (ParseCommandLine)
-- Running suricata under test mode
[12152] 7/8/2018 -- 12:57:28 - (suricata.c:1084) <Notice> (LogVersion) --
This is Suricata version 4.1.0-dev (rev 7c884e0)
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3
other sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 5 other sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other
sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit '
et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'et.JavaArchiveOrClass' is checked but not set. Checked in 2017756 and 15
other sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other
sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit '
ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1
other sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053
and 0 other sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in
2022653 and 0 other sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 11
other sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
[12152] 7/8/2018 -- 12:57:29 - (detect-flowbits.c:475) <Warning>
(DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
[12152] 7/8/2018 -- 12:57:32 - (suricata.c:2983) <Notice> (main) --
Configuration provided was successfully loaded. Exiting.
I assumed "device" for multi-tenancy has the same meaning that "interface"
has for capturing technologies. Tell me if I missed something.
Thanks,
Davide
2018-08-07 11:47 GMT+02:00 Victor Julien <lists at inliniac.net>:
> On 07-08-18 09:40, Davide Setti wrote:
> > Thank you all.
> >
> > Today I looked better at redmine and I found this issue:
> > "multi-tenancy: add 'device' selector"
> > https://redmine.openinfosecfoundation.org/issues/2567
> >
> > It seems to be what I was looking for, but it will be part of 4.1rc2 so
> > we must wait a little bit...
>
> I just published https://github.com/OISF/suricata/pull/3447
>
> Can you test this for your usecase?
>
> Also see
> https://github.com/OISF/suricata/blob/7c884e0850a2fe7681ec34
> f91748c029998f91b0/doc/userguide/configuration/multi-tenant.rst#device
>
> Thanks!
> Victor
>
--
<http://www.certego.net/>
Davide Setti
R&D and Incident Response Team, Certego
<http://www.linkedin.com/company/certego> <http://twitter.com/Certego_IRT>
<http://github.com/certego> <http://www.youtube.com/CERTEGOsrl>
<http://plus.google.com/117641917176532015312>
Use of the information within this document constitutes acceptance for use
in an "as is" condition. There are no warranties with regard to this
information; Certego has verified the data as thoroughly as possible. Any
use of this information lies within the user's responsibility. In no event
shall Certego be liable for any consequences or damages, including direct,
indirect, incidental, consequential, loss of business profits or special
damages, arising out of or in connection with the use or spread of this
information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180807/4f2ea68f/attachment-0001.html>
More information about the Oisf-users
mailing list