[Oisf-users] [Osif-users] suricata 4.0.5 af-packet mode not bridging packet

kavi perumal kaviperumal22 at gmail.com
Tue Oct 30 07:31:05 UTC 2018


Hi Davide,

Tried with the --cap-add option in tap (IDS) mode; still it was not working.

regards
-Kavi Perumal G.

On Fri, Oct 26, 2018 at 6:19 PM Davide Setti <d.setti at certego.net> wrote:

> Dunno if this may help, but in docker docs they say:
> "For interacting with the network stack, instead of using --privileged
> they should use --cap-add=NET_ADMIN to modify the network interfaces."
>
> We are running in IDS mode inside docker with this configuration, never
> tested for IPS mode.
>
> Just give a try.
>
> Regards,
> Davide
>
> On Fri, 26 Oct 2018 at 06:41 kavi perumal <
> kaviperumal22 at gmail.com> wrote:
>
>> Hi Davide,
>>
>> Launched suricata with the "--privileged" option, like below.
>>
>> #docker run -itd --privileged --net=host <image-name> /bin/bash
>> Once it's started, log in to docker.
>> # docker exec -it <container-name> /bin/bash
>> #<inside docker> ./suricata -v -c /etc/suricata/suricata.yaml --af-packet &
>>
>> I am able to see the packets on the eth0 interface but not on the br0
>> interface. How can I check whether suricata is dropping packets? Please
>> suggest some debugging method, which log to see, or how.
>>
>> Using a suricata 4.0.5 based docker image (installed in an ubuntu:bionic
>> based container).
>>
>> Regards
>> -Kavi Perumal G.
>>
>> On Thu, Oct 25, 2018 at 6:06 PM Davide Setti <d.setti at certego.net> wrote:
>>
>>> Can you also share how suricata is launched within docker? Which
>>> permissions/capabilities were given to the container?
>>>
>>> Regards,
>>> Davide
>>>
>>> On Thu, 25 Oct 2018 at 11:58 kavi perumal <
>>> kaviperumal22 at gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I am using suricata 4.0.5 in a docker environment, running suricata in
>>>> af-packet based IPS mode.
>>>> Suricata is not bridging packets.
>>>>
>>>> Topology:
>>>>
>>>>  [eth0]--------suricata--------[br0] (br0.11: 192.168.1.1)
>>>>
>>>> When I try to ping from an external VM to IP 192.168.1.1 I am able to see
>>>> the packets at eth0 but not able to see the packets on br0.
>>>>
>>>> Can you please let me know if I am doing something wrong, or how to
>>>> check whether suricata is dropping packets or not?
>>>>
>>>> suricata.yaml:
>>>> af-packet:
>>>>   - interface: eth0
>>>>     threads: 1
>>>>     defrag: yes
>>>>     cluster-type: cluster_flow
>>>>     cluster-id: 98
>>>>     copy-mode: ips
>>>>     copy-iface: br0
>>>>     buffer-size: 64535
>>>>     use-mmap: yes
>>>>   - interface: br0
>>>>     threads: 1
>>>>     cluster-id: 97
>>>>     defrag: yes
>>>>     cluster-type: cluster_flow
>>>>     copy-mode: ips
>>>>     copy-iface: eth0
>>>>     buffer-size: 64535
>>>>     use-mmap: yes
>>>>
>>>>
>>>> Regards
>>>> -Kavi Perumal G.
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> --
>>> <http://www.certego.net/>
>>> Davide Setti
>>> R&D and Incident Response Team, Certego
>>>
>>
>
>
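As an added example that is not part of this thread, a small Python check for the two questions raised above: whether the two af-packet entries form a valid IPS pair (copy-mode ips, copy-iface pointing back at each other, equal thread counts) and whether the capture ring buffer is dropping packets, read from eve.json stats records via the standard capture.kernel_packets / kernel_drops counters. The config string holds only the pairing-relevant keys of the posted suricata.yaml and the eve.json lines are constructed; the parser handles just this flat list, not general YAML.

```python
import json

AF_PACKET_YAML = """\
  - interface: eth0
    threads: 1
    copy-mode: ips
    copy-iface: br0
  - interface: br0
    threads: 1
    copy-mode: ips
    copy-iface: eth0
"""  # pairing-relevant keys of the thread's af-packet config, constructed inline

EVE_STATS = """\
{"event_type":"stats","stats":{"capture":{"kernel_packets":1200,"kernel_drops":0}}}
{"event_type":"stats","stats":{"capture":{"kernel_packets":2400,"kernel_drops":37}}}
"""  # constructed eve.json stats records, not real output from the poster's box

def parse_af_packet(text):
    """Tiny parser for the flat '- interface:' list above; not general YAML."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("- "):
            entries.append({})  # each '- interface:' item starts a new entry
        if entries and line:
            key, _, value = line.lstrip("- ").partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def check_ips_pairing(entries):
    """Findings that would stop af-packet IPS copying between the two peers."""
    by_name = {e["interface"]: e for e in entries}
    findings = []
    for name, e in by_name.items():
        peer = by_name.get(e.get("copy-iface"))
        if e.get("copy-mode") != "ips":
            findings.append(f"{name}: copy-mode must be 'ips'")
        elif peer is None:
            findings.append(f"{name}: copy-iface has no af-packet entry")
        elif peer.get("copy-iface") != name:
            findings.append(f"{name}: peer {peer['interface']} does not copy back")
        elif peer.get("threads") != e.get("threads"):
            findings.append(f"{name}: thread count must equal the peer's")
    return findings

def kernel_drops(eve_text):
    """Latest capture.kernel_drops from eve.json stats (packets lost in the ring)."""
    drops = None
    for rec in map(json.loads, eve_text.splitlines()):
        if rec.get("event_type") == "stats":
            drops = rec["stats"]["capture"]["kernel_drops"]
    return drops
```

A rising kernel_drops means the capture ring is overrunning before Suricata reads it; a zero there with still nothing on br0 means the packets did reach Suricata and the copy path or the container's network capabilities are the thing to look at.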