After setting up IPS at Layer 2, hosts cannot ping each other

Please include the following information with your help request:

  • Suricata version: 7.0.4 RELEASE
  • Operating system and/or Linux distribution: Ubuntu 20.04 (Linux devbox 5.15.0-101-generic #111~20.04.1-Ubuntu SMP Mon Mar 11 15:44:43 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux)
  • How you installed Suricata (from source, packages, something else): installed with apt

Hi, I deployed Suricata on my multi-NIC machine: enp1s0 is for control, and enp2s0 and enp4s0 are the IPS interfaces.

I configured suricata.yaml like this:

af-packet:
  - interface: enp2s0
    threads: auto
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: enp4s0
    buffer-size: 64535
    use-mmap: yes
  - interface: enp4s0
    threads: auto
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: enp2s0
    buffer-size: 64535
    use-mmap: yes

After doing this, I get a network topology like this:

However, I can ping host1 and host2 from host3, but I cannot ping host3 from host1 or host2.
I didn't load any rules; I start Suricata with: sudo suricata -c /etc/suricata/suricata.yaml --af-packet -vvvv --disable-detection

Notice: suricata: This is Suricata version 7.0.4 RELEASE running in SYSTEM mode [LogVersion:suricata.c:1146]
Info: cpu: CPUs/cores online: 4 [UtilCpuPrintSummary:util-cpu.c:182]
Config: device: Adding interface enp2s0 from config file [LiveBuildDeviceListCustom:util-device.c:294]
Config: device: Adding interface enp4s0 from config file [LiveBuildDeviceListCustom:util-device.c:294]
Config: luajit: luajit states preallocated: 128 [LuajitSetupStatesPool:util-luajit.c:99]
Info: af-packet: Setting IPS mode [AFPRunModeEnableIPS:runmode-af-packet.c:151]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:200]
Config: exception-policy: app-layer.error-policy: drop-flow (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: app-layer-htp: 'default' server has 'request-body-minimal-inspect-size' set to 32741 and 'request-body-inspect-window' set to 4140 after randomization. [HTPConfigSetDefaultsPhase2:app-layer-htp.c:2570]
Config: app-layer-htp: 'default' server has 'response-body-minimal-inspect-size' set to 40583 and 'response-body-inspect-window' set to 15818 after randomization. [HTPConfigSetDefaultsPhase2:app-layer-htp.c:2583]
Config: smb: read: max record size: 16777216, max queued chunks 64, max queued size 67108864 [suricata::smb::smb::rs_smb_register_parser:smb.rs:2428]
Config: smb: write: max record size: 16777216, max queued chunks 64, max queued size 67108864 [suricata::smb::smb::rs_smb_register_parser:smb.rs:2430]
Config: app-layer-enip: Protocol detection and parser disabled for enip protocol. [RegisterENIPUDPParsers:app-layer-enip.c:538]
Config: app-layer-dnp3: Protocol detection and parser disabled for DNP3. [RegisterDNP3Parsers:app-layer-dnp3.c:1571]
Info: ioctl: enp2s0: MTU 1500 [GetIfaceMTU:util-ioctl.c:100]
Info: ioctl: enp4s0: MTU 1500 [GetIfaceMTU:util-ioctl.c:100]
Config: suricata: detection engine disabled [PostConfLoadedSetup:suricata.c:2779]
Config: host: allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64 [HostInitConfig:host.c:256]
Config: host: preallocated 1000 hosts of size 136 [HostInitConfig:host.c:282]
Config: host: host memory usage: 398144 bytes, maximum: 33554432 [HostInitConfig:host.c:284]
Config: coredump-config: Core dump size set to unlimited. [CoredumpLoadConfig:util-coredump-config.c:155]
Config: exception-policy: defrag.memcap-policy: drop-packet (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: defrag-hash: allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56 [DefragInitConfig:defrag-hash.c:251]
Config: defrag-hash: preallocated 65535 defrag trackers of size 160 [DefragInitConfig:defrag-hash.c:280]
Config: defrag-hash: defrag memory usage: 14155616 bytes, maximum: 33554432 [DefragInitConfig:defrag-hash.c:287]
Config: exception-policy: flow.memcap-policy: drop-packet (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: flow: flow size 296, memcap allows for 453438 flows. Per hash row in perfect conditions 6 [FlowInitConfig:flow.c:673]
Config: stream-tcp: stream "prealloc-sessions": 2048 (per thread) [StreamTcpInitConfig:stream-tcp.c:392]
Config: stream-tcp: stream "memcap": 67108864 [StreamTcpInitConfig:stream-tcp.c:412]
Config: stream-tcp: stream "midstream" session pickups: disabled [StreamTcpInitConfig:stream-tcp.c:420]
Config: stream-tcp: stream "async-oneside": disabled [StreamTcpInitConfig:stream-tcp.c:428]
Config: stream-tcp: stream "checksum-validation": enabled [StreamTcpInitConfig:stream-tcp.c:443]
Config: exception-policy: stream.memcap-policy: drop-flow (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: exception-policy: stream.reassembly.memcap-policy: drop-flow (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: exception-policy: stream.midstream-policy: drop-flow (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: stream-tcp: stream."inline": enabled [StreamTcpInitConfig:stream-tcp.c:475]
Config: stream-tcp: stream "bypass": disabled [StreamTcpInitConfig:stream-tcp.c:488]
Config: stream-tcp: stream "max-syn-queued": 10 [StreamTcpInitConfig:stream-tcp.c:512]
Config: stream-tcp: stream "max-synack-queued": 5 [StreamTcpInitConfig:stream-tcp.c:525]
Config: stream-tcp: stream.reassembly "memcap": 268435456 [StreamTcpInitConfig:stream-tcp.c:546]
Config: stream-tcp: stream.reassembly "depth": 1048576 [StreamTcpInitConfig:stream-tcp.c:565]
Config: stream-tcp: stream.reassembly "toserver-chunk-size": 2603 [StreamTcpInitConfig:stream-tcp.c:637]
Config: stream-tcp: stream.reassembly "toclient-chunk-size": 2524 [StreamTcpInitConfig:stream-tcp.c:639]
Config: stream-tcp: stream.reassembly.raw: disabled [StreamTcpInitConfig:stream-tcp.c:652]
Config: stream-tcp: stream.liberal-timestamps: disabled [StreamTcpInitConfig:stream-tcp.c:661]
Config: stream-tcp-reassemble: stream.reassembly "segment-prealloc": 2048 [StreamTcpReassemblyConfig:stream-tcp-reassemble.c:491]
Config: stream-tcp-reassemble: stream.reassembly "max-regions": 8 [StreamTcpReassemblyConfig:stream-tcp-reassemble.c:514]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:617]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:617]
Config: output-json: Enabling eve community_id logging. [OutputJsonInitCtx:output-json.c:1151]
Config: runmodes: enabling 'eve-log' module 'alert' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'frame' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'anomaly' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'http' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'dns' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'tls' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'files' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'smtp' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'ftp' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'rdp' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'nfs' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'smb' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'tftp' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'ike' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'dcerpc' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'krb5' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'bittorrent-dht' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'snmp' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'rfb' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'sip' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'quic' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'dhcp' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'ssh' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'mqtt' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'http2' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'pgsql' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'stats' [RunModeInitializeEveOutput:runmodes.c:706]
Config: runmodes: enabling 'eve-log' module 'flow' [RunModeInitializeEveOutput:runmodes.c:706]
Info: logopenfile: stats output device (regular) initialized: stats.log [SCConfLogOpenGeneric:util-logopenfile.c:617]
Info: af-packet: enp2s0: AF_PACKET IPS mode activated enp2s0->enp4s0 [ParseAFPConfig:runmode-af-packet.c:353]
Config: af-packet: enp2s0: using flow cluster mode for AF_PACKET [ParseAFPConfig:runmode-af-packet.c:397]
Perf: af-packet: enp2s0: cluster_flow: 4 cores, using 4 threads [ParseAFPConfig:runmode-af-packet.c:685]
Perf: ioctl: enp2s0: disabling gro offloading [DisableIfaceOffloadingLinux:util-ioctl.c:417]
Perf: ioctl: enp2s0: disabling tso offloading [DisableIfaceOffloadingLinux:util-ioctl.c:424]
Perf: ioctl: enp2s0: disabling gso offloading [DisableIfaceOffloadingLinux:util-ioctl.c:431]
Perf: ioctl: enp2s0: disabling sg offloading [DisableIfaceOffloadingLinux:util-ioctl.c:438]
Info: runmodes: enp2s0: creating 4 threads [RunModeSetLiveCaptureWorkersForDevice:util-runmodes.c:254]
Info: af-packet: enp4s0: AF_PACKET IPS mode activated enp4s0->enp2s0 [ParseAFPConfig:runmode-af-packet.c:353]
Config: af-packet: enp4s0: using flow cluster mode for AF_PACKET [ParseAFPConfig:runmode-af-packet.c:397]
Perf: af-packet: enp4s0: cluster_flow: 4 cores, using 4 threads [ParseAFPConfig:runmode-af-packet.c:685]
Perf: ioctl: enp4s0: disabling gro offloading [DisableIfaceOffloadingLinux:util-ioctl.c:417]
Perf: ioctl: enp4s0: disabling tso offloading [DisableIfaceOffloadingLinux:util-ioctl.c:424]
Perf: ioctl: enp4s0: disabling gso offloading [DisableIfaceOffloadingLinux:util-ioctl.c:431]
Perf: ioctl: enp4s0: disabling sg offloading [DisableIfaceOffloadingLinux:util-ioctl.c:438]
Info: runmodes: enp4s0: creating 4 threads [RunModeSetLiveCaptureWorkersForDevice:util-runmodes.c:254]
Config: flow-manager: using 1 flow manager threads [FlowManagerThreadSpawn:flow-manager.c:948]
Config: flow-manager: using 1 flow recycler threads [FlowRecyclerThreadSpawn:flow-manager.c:1154]
Perf: af-packet: enp2s0: setting socket buffer to 64535 [AFPCreateSocket:source-af-packet.c:1951]
Perf: af-packet: enp2s0: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 [AFPComputeRingParams:source-af-packet.c:1599]
Perf: af-packet: enp2s0: setting socket buffer to 64535 [AFPCreateSocket:source-af-packet.c:1951]
Perf: af-packet: enp2s0: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 [AFPComputeRingParams:source-af-packet.c:1599]
Perf: af-packet: enp2s0: setting socket buffer to 64535 [AFPCreateSocket:source-af-packet.c:1951]
Perf: af-packet: enp2s0: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 [AFPComputeRingParams:source-af-packet.c:1599]
Perf: af-packet: enp2s0: setting socket buffer to 64535 [AFPCreateSocket:source-af-packet.c:1951]
Perf: af-packet: enp2s0: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 [AFPComputeRingParams:source-af-packet.c:1599]
Perf: af-packet: enp4s0: setting socket buffer to 64535 [AFPCreateSocket:source-af-packet.c:1951]
Perf: af-packet: enp4s0: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 [AFPComputeRingParams:source-af-packet.c:1599]
Perf: af-packet: enp4s0: setting socket buffer to 64535 [AFPCreateSocket:source-af-packet.c:1951]
Perf: af-packet: enp4s0: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 [AFPComputeRingParams:source-af-packet.c:1599]
Perf: af-packet: enp4s0: setting socket buffer to 64535 [AFPCreateSocket:source-af-packet.c:1951]
Perf: af-packet: enp4s0: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 [AFPComputeRingParams:source-af-packet.c:1599]
Perf: af-packet: enp4s0: setting socket buffer to 64535 [AFPCreateSocket:source-af-packet.c:1951]
Perf: af-packet: enp4s0: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 [AFPComputeRingParams:source-af-packet.c:1599]
Notice: threads: Threads created -> W: 8 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1901]

Any ideas to solve this problem? Thanks.
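As an added example (not code from the post or from the Suricata project), here is a small Python check of the af-packet IPS wiring shown above: every interface with a copy-mode must name a configured peer that copies back to it, the two sides of a pair should use the same threads setting, and cluster-id values must be unique. The sample config is a constructed copy of the post's af-packet block, and the post's own config passes all three checks.

```python
import re

# Constructed copy of the post's af-packet section (not read from disk).
SAMPLE_YAML = """\
af-packet:
  - interface: enp2s0
    threads: auto
    cluster-id: 98
    copy-mode: ips
    copy-iface: enp4s0
  - interface: enp4s0
    threads: auto
    cluster-id: 97
    copy-mode: ips
    copy-iface: enp2s0
"""

def parse_af_packet(text):
    """Minimal parser for a flat 'af-packet:' list (the post's shape, not general YAML)."""
    entries, in_section = [], False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):           # top-level key: enter/leave the section
            in_section = line.rstrip() == "af-packet:"
            continue
        m = re.match(r"^\s*(-\s+)?([\w-]+):\s*(.*)$", line)
        if in_section and m:
            if m.group(1):                     # "- interface: X" starts a new entry
                entries.append({})
            entries[-1][m.group(2)] = m.group(3).strip()
    return entries

def check_ips_pairs(entries):
    """Wiring problems: each IPS iface needs a peer that copies back with the same 'threads'; cluster-ids unique."""
    by_name = {e.get("interface"): e for e in entries}
    problems = []
    for name, e in by_name.items():
        if e.get("copy-mode") not in ("ips", "tap"):
            continue
        peer = e.get("copy-iface")
        p = by_name.get(peer)
        if p is None:
            problems.append(f"{name}: copy-iface {peer!r} is not a configured interface")
        elif p.get("copy-iface") != name:
            problems.append(f"{name} -> {peer}, but {peer} does not copy back to {name}")
        elif p.get("threads") != e.get("threads"):
            problems.append(f"{name}/{peer}: 'threads' settings differ")
    ids = [e.get("cluster-id") for e in entries]
    if len(ids) != len(set(ids)):
        problems.append("cluster-id values are not unique")
    return problems
```

Run check_ips_pairs(parse_af_packet(open("/etc/suricata/suricata.yaml").read())) against a real file; an empty list means the copy-iface pairing itself is consistent and the fault lies elsewhere (interface state, offloading, or the hosts' own ARP/routing).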

Emm, I found the problem.