Configure Suricata in Bridge Mode [Suricata 6.0.8]

Hi, everyone

I have installed Suricata 6.0.8 via PPA in Ubuntu 20.04. I use a Network Tap with two interfaces:

  • ens2f0
  • ens2f1

My network setup is as follows (red arrow is ens2f0 and blue arrow ens2f1):


I have configured a bridge mode in Ubuntu:

network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      addresses:
      - <ip-sensor>/24
      gateway4:  <gateway>
      nameservers:
        addresses: [8.8.8.8]
        search: [<domain>]
    eno2:
      optional: true
    suricata:
      match: {name: "ens2*"}
  bridges:
    br0:
      interfaces: [suricata]

Suricata config:

%YAML 1.1
---
af-packet:
  - interface: br0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    tpacket-v3: yes
    ring-size: 100000

I have not detected invalid ack, packet out of window, and so on. However, Suricata is not able to capture return traffic; for example, if I connect to a machine via SSH, Suricata only gets one-way traffic.

What am I doing wrong?

Thanks in advance :smiley:

Regards


If you capture a pcap from br0 and inspect it in wireshark, does it contain all traffic you expect with packets in the order you expect?

Hi, @vjulien

I have captured a pcap from br0 and inspected it in Wireshark. Here you are:

67	3.024364	192.168.12.200	172.16.4.45	TCP	70	54457 → 22 [SYN] Seq=0 Win=64860 Len=0 MSS=1380 WS=256 SACK_PERM
68	3.024798	172.16.4.45	192.168.12.200	TCP	70	22 → 54457 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380 SACK_PERM WS=128

In eve.json:

{"timestamp":"2022-11-04T11:31:22.643868+0100","flow_id":1390963444066542,"in_iface":"br0","event_type":"ssh","vlan":[12],"src_ip":"192.168.12.200","src_port":54458,"dest_ip":"172.16.4.45","dest_port":22,"proto":"TCP","tx_id":0,"ssh":{"client":{"proto_version":"2.0","software_version":"SecureBlackbox"},"server":{"proto_version":"2.0","software_version":"OpenSSH_8.2p1"}}}

{"timestamp":"2022-11-04T11:35:27.205494+0100","flow_id":1390963444066542,"in_iface":"br0","event_type":"flow","vlan":[12],"src_ip":"192.168.12.200","src_port":54458,"dest_ip":"172.16.4.45","dest_port":22,"proto":"TCP","app_proto":"ssh","flow":{"pkts_toserver":17,"pkts_toclient":20,"bytes_toserver":2584,"bytes_toclient":4789,"bypassed":{"pkts_toserver":0,"pkts_toclient":0,"bytes_toserver":0,"bytes_toclient":0},"start":"2022-11-04T11:31:22.567534+0100","end":"2022-11-04T11:31:23.959356+0100","age":1,"bypass":"local","state":"bypassed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1a","tcp_flags_ts":"1a","tcp_flags_tc":"1a","syn":true,"psh":true,"ack":true,"state":"established"}}

Is this behaviour normal?

Thanks in advance :smiley: ,

Regards

I think this output looks normal, is it not what you expected?
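The flow record above already shows both directions (pkts_toserver 17, pkts_toclient 20), which is what one would check to confirm a tap or bridge is delivering return traffic. The script below is an added example, not code from the thread or from Suricata: it scans eve.json flow records and reports flows where one direction carried zero packets, which is the symptom of asymmetric capture. The first sample line is modelled on the record in the thread; the second is a constructed one-way flow.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample eve.json lines (the one-way flow to :443 is invented for
# illustration; the ssh flow mirrors the record quoted in the thread).
SAMPLE_EVE = """\
{"timestamp":"2022-11-04T11:35:27.205494+0100","flow_id":1390963444066542,"in_iface":"br0","event_type":"flow","src_ip":"192.168.12.200","src_port":54458,"dest_ip":"172.16.4.45","dest_port":22,"proto":"TCP","app_proto":"ssh","flow":{"pkts_toserver":17,"pkts_toclient":20,"bytes_toserver":2584,"bytes_toclient":4789,"state":"bypassed","reason":"timeout"}}
{"timestamp":"2022-11-04T11:36:01.000000+0100","flow_id":1111,"in_iface":"br0","event_type":"flow","src_ip":"192.168.12.201","src_port":40001,"dest_ip":"172.16.4.46","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":9,"pkts_toclient":0,"bytes_toserver":1200,"bytes_toclient":0,"state":"new","reason":"timeout"}}
{"timestamp":"2022-11-04T11:31:22.643868+0100","flow_id":1390963444066542,"in_iface":"br0","event_type":"ssh","src_ip":"192.168.12.200","src_port":54458,"dest_ip":"172.16.4.45","dest_port":22,"proto":"TCP"}
"""


def flow_events(lines: Iterable[str]) -> Iterable[Dict]:
    """Yield only event_type=flow records; skip blank or truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written line at the tail of a live log
        if ev.get("event_type") == "flow":
            yield ev


def one_way_flows(lines: Iterable[str]) -> List[Dict]:
    """Return flows in which one direction carried zero packets."""
    findings = []
    for ev in flow_events(lines):
        fl = ev.get("flow", {})
        to_server = fl.get("pkts_toserver", 0)
        to_client = fl.get("pkts_toclient", 0)
        if to_server == 0 or to_client == 0:
            findings.append({
                "flow_id": ev.get("flow_id"),
                "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
                "dest": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
                "pkts_toserver": to_server,
                "pkts_toclient": to_client,
            })
    return findings


def asymmetry_summary(lines: Iterable[str]) -> Tuple[int, int]:
    """Return (total flow records, one-way flow records)."""
    lines = list(lines)  # materialise so the log can be scanned twice
    return sum(1 for _ in flow_events(lines)), len(one_way_flows(lines))
```

Run it over a real log with `asymmetry_summary(open("/var/log/suricata/eve.json"))`; a high one-way share on a bridge interface points at the capture path rather than at Suricata.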

Hi,

My misunderstanding was due to seeing traffic in both directions in the pcap file. However, I did not find this information (the response from the server) in Suricata, so I did not know whether it was proper behaviour.

Thank you very much :smiley: ,

Regards