[Oisf-users] [Osif-users] suricata 4.0.5 af-packet mode not bridging packet

Davide Setti d.setti at certego.net
Fri Oct 26 12:48:58 UTC 2018


Don't know if this may help, but in the docker docs they say:
"For interacting with the network stack, instead of using --privileged they
should use --cap-add=NET_ADMIN to modify the network interfaces."

We are running in IDS mode inside docker with this configuration; we never
tested it for IPS mode.

Just give it a try.

Regards,
Davide

On Fri, 26 Oct 2018 at 06:41 kavi perumal <kaviperumal22 at gmail.com> wrote:

> Hi Davide,
>
> Launched suricata with the "--privileged" option, like below.
>
> #docker run -itd --privileged --net=host <image-name> /bin/bash
> Once it's started, log in to docker.
> # docker exec -it <container-name> /bin/bash
> #<inside docker> ./suricata -v -c /etc/suricata/suricata.yaml --af-packet &
>
> I am able to see the packets on the eth0 interface but not on the br0
> interface. How can I check whether suricata is dropping packets? Please
> suggest some debugging method: which log to look at, or how.
>
> Using a suricata 4.0.5 based docker image (installed in an ubuntu:bionic
> based container).
>
> Regards
> -Kavi Perumal G.
>
> On Thu, Oct 25, 2018 at 6:06 PM Davide Setti <d.setti at certego.net> wrote:
>
>> Can you also share how suricata is launched within docker? Which
>> permissions/capabilities were given to the container?
>>
>> Regards,
>> Davide
>>
>> On Thu, 25 Oct 2018 at 11:58 kavi perumal <kaviperumal22 at gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I am using suricata 4.0.5 in a docker environment, running suricata in
>>> af-packet based IPS mode.
>>> Suricata is not bridging packets.
>>>
>>> Topology:
>>>
>>>  [eth0]--------suricata--------[br0] (br0.11 {192.168.1.1})
>>>
>>> When I try to ping from an external VM to IP 192.168.1.1 I am able to see
>>> the packets at eth0 but not able to see the packets on br0.
>>>
>>> Can you please let me know if I am doing something wrong? Or how to check
>>> whether suricata is dropping packets or not?
>>>
>>> suricata.yaml:
>>> af-packet:
>>>   - interface: eth0
>>>     threads: 1
>>>     defrag: yes
>>>     cluster-type: cluster_flow
>>>     cluster-id: 98
>>>     copy-mode: ips
>>>     copy-iface: br0
>>>     buffer-size: 64535
>>>     use-mmap: yes
>>>   - interface: br0
>>>     threads: 1
>>>     cluster-id: 97
>>>     defrag: yes
>>>     cluster-type: cluster_flow
>>>     copy-mode: ips
>>>     copy-iface: eth0
>>>     buffer-size: 64535
>>>     use-mmap: yes
>>>
>>>
>>> Regards
>>> -Kavi Perumal G.
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>
>>
>>
>> --
>> <http://www.certego.net/>
>> Davide Setti
>> R&D and Incident Response Team, Certego
>> <http://www.linkedin.com/company/certego>
>> <http://twitter.com/Certego_IRT>  <http://github.com/certego>
>> <http://www.youtube.com/CERTEGOsrl>
>> <http://plus.google.com/117641917176532015312>
>> Use of the information within this document constitutes acceptance for
>> use in an "as is" condition. There are no warranties with regard to this
>> information; Certego has verified the data as thoroughly as possible. Any
>> use of this information lies within the user's responsibility. In no event
>> shall Certego be liable for any consequences or damages, including direct,
>> indirect, incidental, consequential, loss of business profits or special
>> damages, arising out of or in connection with the use or spread of this
>> information.
>>
>

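Added example, not from this thread or from the Suricata project: a shell script that starts the container with the explicit capabilities AF_PACKET IPS mode needs instead of --privileged, as Davide's quote from the docker docs suggests, and answers Kavi's question about spotting drops by summarizing the newest snapshot of Suricata's stats.log. The image name suricata:4.0.5, the container name suricata-ips, the stats.log path and the SAMPLE_STATS text are assumptions (the sample is constructed to look like Suricata 4.x stats.log output); the counter names capture.kernel_drops, ips.accepted and ips.blocked are the ones Suricata 4.x writes, and the offloading and MTU checks follow the Suricata af-packet inline setup guidance.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project).
# Assumptions: image "suricata:4.0.5", container name "suricata-ips",
# stats.log at /var/log/suricata/stats.log, and SAMPLE_STATS below, which is
# constructed to look like Suricata 4.x stats.log output.

# Start Suricata in af-packet IPS mode with the capabilities it actually
# needs instead of --privileged: NET_RAW opens the AF_PACKET sockets,
# NET_ADMIN sets promiscuous mode and interface options, SYS_NICE lets it
# raise thread priority. --net=host is still required so the container
# sees the host's eth0 and br0.
run_suricata_container() {
    docker run -d --name suricata-ips --net=host \
        --cap-add=NET_ADMIN --cap-add=NET_RAW --cap-add=SYS_NICE \
        suricata:4.0.5 \
        suricata -c /etc/suricata/suricata.yaml --af-packet
}

# Show whether the running container is privileged and which capabilities
# it was granted, to confirm --privileged is no longer in use.
show_container_caps() {
    docker inspect \
        --format '{{.HostConfig.Privileged}} {{.HostConfig.CapAdd}}' suricata-ips
}

# Recommended before going inline with copy-mode ips: turn off NIC
# offloading on both interfaces so Suricata sees wire-size frames, and
# print each MTU so you can confirm both copy interfaces match.
prepare_interfaces() {
    for iface in "$@"; do
        ethtool -K "$iface" tso off gro off lro off gso off sg off
        printf '%s mtu %s\n' "$iface" "$(cat /sys/class/net/"$iface"/mtu)"
    done
}

# Summarize the LAST snapshot of a stats.log read from stdin.
# Counters reset on every "Date:" header so only the newest block counts;
# rows look like "counter | TM Name | Value", so the value is the last field.
# Prints: drops=N blocked=N accepted=N
summarize_stats() {
    awk '
        /^Date:/                   { drops = 0; blocked = 0; accepted = 0 }
        /^capture\.kernel_drops/   { drops += $NF }
        /^ips\.blocked/            { blocked += $NF }
        /^ips\.accepted/           { accepted += $NF }
        END { printf "drops=%d blocked=%d accepted=%d\n", drops, blocked, accepted }
    '
}

# Constructed sample: two snapshots, the second one showing kernel drops.
SAMPLE_STATS='Date: 10/26/2018 -- 12:48:58 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1502
capture.kernel_drops                       | Total                     | 0
ips.accepted                               | Total                     | 1480
ips.blocked                                | Total                     | 22
Date: 10/26/2018 -- 12:49:06 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 3120
capture.kernel_drops                       | Total                     | 17
ips.accepted                               | Total                     | 3050
ips.blocked                                | Total                     | 53'

# Offline demo on the sample; on a live box feed the real file instead:
#   docker exec suricata-ips cat /var/log/suricata/stats.log | summarize_stats
printf '%s\n' "$SAMPLE_STATS" | summarize_stats
```

A non-zero drops value in IPS mode means those packets were never copied to the peer interface, so the ping would reach eth0 and vanish exactly as described in the thread; a growing ips.blocked count instead points at a drop/reject rule. The same per-interface counters are available live with `suricatasc -c "iface-stat eth0"`.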