[Oisf-users] [Osif-users] suricata 4.0.5 af-packet mode not bridging packet

kavi perumal kaviperumal22 at gmail.com
Wed Nov 7 06:37:16 UTC 2018


Hi Davide,

Thanks for your help. Sorry for the late response; I was down with the flu.
Please find attached suricata.yaml and suricata.log.

Topology:
eth0---(suricata run in host mode)---br0

Issue Faced:
When I run Suricata between eth0 and the br0 interface, I am able to see
packets on eth0 but not on the br0 interface. Please help me debug this.
Does Suricata have any issues with one interface being a BRIDGE?

Below is the procedure I used to start Docker and start Suricata.
Running the Suricata Docker container:
#docker run -itd --net=host --cap-add=NET_ADMIN bbe1a2ab1467 /bin/bash

Log-in to suricata container:
#docker exec -it 8a03567cc3a600ffcc4916d4f97c23dd16514fd7973821ec0e67d0c9e4c1e3c9 /bin/bash

Start suricata binary inside docker:
#suricata -c /etc/suricata/suricata.yaml -v  --af-packet &

Regards
-Kavi Perumal G.

On Tue, Oct 30, 2018 at 1:33 PM Davide Setti <d.setti at certego.net> wrote:

> Hi Kavi,
> could you please share your configuration on suricata.yaml and the output
> in suricata.log?
>
> We have about 100 instances running on docker (netmode HOST and NET_ADMIN
> capability) in IDS mode, and never had any problem like this.
>
> Regards,
> Davide
>
> Il giorno mar 30 ott 2018 alle ore 08:31 kavi perumal <
> kaviperumal22 at gmail.com> ha scritto:
>
>> Hi Davide,
>>
>> I tried the --cap-add option in tap (IDS) mode; it still was not working.
>>
>> regards
>> -Kavi Perumal G.
>>
>
> --
> <http://www.certego.net/>
> Davide Setti
> R&D and Incident Response Team, Certego
>
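For reference, this is what the af-packet section of suricata.yaml looks like when Suricata is meant to bridge two interfaces itself (AF_PACKET IPS "copy mode"). It is an added example, not the poster's attached suricata.yaml and not Suricata project code; the interface names eth0 and br0 are taken from the topology in the post, while the thread counts and cluster ids are illustrative values.

```yaml
# Added example (not the poster's configuration): AF_PACKET IPS copy mode
# pairing eth0 with br0. Every packet accepted on one interface is written
# out on the other, in both directions. Both entries must carry copy-mode
# and copy-iface, and both must use the same number of threads.
af-packet:
  - interface: eth0
    threads: 1                 # must equal the br0 entry's thread count
    cluster-id: 99             # distinct per interface
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips             # "tap" copies without dropping on a DROP verdict
    copy-iface: br0            # packets read on eth0 are re-emitted on br0
  - interface: br0
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0           # and the reverse direction
```

If only the eth0 entry is present, or the copy-mode/copy-iface keys are missing, Suricata runs plain IDS on eth0: it reads every packet there and never writes anything to br0, which is consistent with seeing traffic on eth0 and nothing on br0. Two checks worth making before blaming the container: suricata.log reports at startup, per interface, whether IPS copy mode was activated, and if br0 is a kernel bridge that already has eth0 enslaved, the kernel is forwarding those frames on its own, so AF_PACKET copy mode is not the right tool for that topology.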
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.log
Type: application/octet-stream
Size: 1835 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181107/8281e0e2/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.yaml
Type: application/octet-stream
Size: 63926 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181107/8281e0e2/attachment-0003.obj>