[Oisf-users] Question regarding a missed signature from AF-Packet

Peter Manev petermanev at gmail.com
Fri Sep 7 12:55:48 UTC 2018


On Thu, Sep 6, 2018 at 9:25 PM Jeremy A. Grove <jgrove at quadrantsec.com> wrote:
>
> I am using Suricata 4.1 on Debian with AF-Packet. I have recently tested the configuration by specifically looking for Suricata to alert on content in the body of the HTTP POST. Suricata did not trigger and it led me to repeat the process while recording a PCAP. When I run the PCAP through Suricata then Suricata alerts accurately and as expected.
>
> My question is centered on where I should be looking for the difference in the configuration that would lead to no alert via AF-PACKET and then an alert generated with same traffic through PCAP.
>
> Any direction will be helpful. I have given some of the configuration dump below.
>
> af-packet = (null)
> af-packet.0 = interface
> af-packet.0.interface = e1
> af-packet.0.cluster-id = 99
> af-packet.0.cluster-type = cluster_flow
> af-packet.0.defrag = yes
> af-packet.1 = interface
> af-packet.1.interface = e3
> af-packet.1.cluster-id = 98
> af-packet.1.cluster-type = cluster_flow
> af-packet.1.defrag = yes
> af-packet.2 = interface
> af-packet.2.interface = e4
> af-packet.2.cluster-id = 97
> af-packet.2.cluster-type = cluster_flow
> af-packet.2.defrag = yes
> af-packet.3 = interface
> af-packet.3.interface = default
>
> pcap-file = (null)
> pcap-file.checksum-checks = auto
>


If you could share a bit more info on how you test it (suricata
--build-info, for example) and what the test is (pcap/rule), that would
probably make it easier to debug.
You mention 4.1 - you mean the latest git master, correct?

Thank you

-- 
Regards,
Peter Manev

