ids mode.zip (87.9 KB)
inline mode.zip (49.6 KB)
output_native6_tcp49172.pcap (46.4 KB)
sp.rules (685 Bytes)
Hello everyone,
I am replaying a pcap to Suricata 6.0.10 running natively on Ubuntu. The pcap contains 15 POST requests that are supposed to match signature sid:2022679, present in the attached sp.rules file.
Case 1: IDS mode
In this case the alerts are generated for all 15 transactions, from tx_id:0 to tx_id:14, giving 15 alerts.
Case 2: inline mode
Here the alerts are generated only from tx_id:1 to tx_id:14, resulting in only 14 alerts.
Question: "What could be the reason for one match less in the case of inline mode?", or why is tx_id:0 not generating an alert only in inline mode?
Note: "eve.json, stats.log, suricata.log, suricata.yaml" zipped for both cases, and the pcap, have been attached.
Please let me know if any additional information is required.
Hi,
Can you also paste the run commands that you are using for both cases?
Also, 6.0.10 is rather old; please do a run with 6.0.19 and/or 7.0.5.
Hi Andreas Herz, thanks for the reply.
For both cases I use the command below to start Suricata on Ubuntu:
suricata -c /etc/suricata/suricata.yaml --af-packet -D&
and the command below for replaying packets in both cases:
tcpreplay --loop=1 --intf1=ens192 -p 100 output.pcap
Hope I answered with the right information you asked for.
I will try to set up Suricata 6.0.19 or 7.0.5 ASAP and repeat the test.
Thank you,
Cherish
Hi Andreas Herz,
I installed Suricata 6.0.19 and tried inline mode; here as well I got only 14 alerts for inline mode, i.e. no alert got generated for tx_id:0.
I kept the suricata.yaml config the same as for 6.0.10; attached below are the stats.log, eve.json, suricata.log and suricata.yaml.
inline 6.0.19.zip (52.9 KB)
25/4/2024 -- 21:31:19 - - This is Suricata version 6.0.19 RELEASE running in SYSTEM mode
I installed Suricata 6.0.19 on another Ubuntu host for IDS mode, and
here it gives 15 alerts; attached below are the stats.log, eve.json, suricata.log and suricata.yaml.
ids6.0.19.zip (87.0 KB)
Looks like moving from 6.0.10 to 6.0.19 couldn't make a difference!
Regards,
Cherish
The configs vary quite a lot in parts that are not related to inline vs IDS mode; I would first adjust the configs to be mostly the same except for the relevant af-packet section.
For example, vlan.use-for-tracking is different in both.
In addition to that you could run IDS on the other interface ens256 as well.
Hi Andreas,
tuned yaml results for IDS.zip (29.6 KB)
tuned yaml results for INLINE.zip (29.6 KB)
I made the yaml configs equal except for the af-packet portion.
I have added both interfaces ens192 and ens224 (this is a different Ubuntu host with different interfaces than the inline scenario, which runs on a host with interfaces ens192 and ens256).
Also, could you tell me why to add both interfaces in the case of IDS? As all the traffic is passing through ens192, isn't that interface alone enough under af-packet?
IDS topology:
tcpreplay ----->---------- ens192 [ubuntu] ens224 ---------- host
Inline topology:
tcpreplay ----->---------- ens192 [ubuntu] ens256 ---------- host
Results are the same as before: still getting only 14 alerts for inline mode, i.e. no alert corresponding to tx_id:0.
Thank you,
Cherish
Something I notice is that in the section below, if I set inline: no instead of inline: auto, then inline mode gives the same number of matches as IDS mode, that is 15 alerts.
stream setting inline NO.zip (43.5 KB)
Can't inline: be set to auto?
stream:
  memcap: 64mb
  #memcap-policy: ignore
  checksum-validation: no      # reject incorrect csums
  #midstream: false
  #midstream-policy: ignore
  inline: auto                 # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    #memcap-policy: ignore
    depth: 1mb                 # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
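The comparison being made in this thread (which tx_id values raised an alert for sid 2022679 in the IDS run versus the inline run) is easy to get wrong by eye when scrolling through eve.json. The script below is an added example, not code from the thread or from the Suricata project: it reads two eve.json files (newline-delimited JSON), keeps only `event_type: alert` records with the wanted `signature_id`, collects their top-level `tx_id` fields, and reports the tx_ids present in one run but not the other. The embedded sample records are constructed stand-ins for the attached files (field layout follows eve.json, all values are made up) and reproduce the 15-vs-14 situation described above; passing two real file paths on the command line uses those instead.

```python
"""Compare which tx_ids alerted for one sid between two Suricata eve.json runs.

Added example for the thread above; not part of Suricata. Sample data below is constructed.
"""
import json
import sys
from typing import Iterable

SID = 2022679  # the signature under test in the thread


def alert_tx_ids(eve_lines: Iterable[str], sid: int = SID) -> list:
    """Return the sorted tx_ids of all 'alert' events carrying signature_id == sid.

    Non-alert records (http, flow, stats, ...) and alerts for other sids are skipped.
    An alert that carries no tx_id at all (a packet-level match rather than an
    app-layer transaction match) is recorded as -1 so it still shows up in the output.
    """
    txs = set()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("signature_id") != sid:
            continue
        txs.add(ev.get("tx_id", -1))
    return sorted(txs)


def compare_runs(ids_lines: Iterable[str], inline_lines: Iterable[str], sid: int = SID) -> dict:
    """Summarise the per-tx_id difference between an IDS run and an inline run."""
    ids = set(alert_tx_ids(ids_lines, sid))
    inline = set(alert_tx_ids(inline_lines, sid))
    return {
        "ids_alerts": len(ids),
        "inline_alerts": len(inline),
        "missing_in_inline": sorted(ids - inline),
        "missing_in_ids": sorted(inline - ids),
    }


def _constructed_alert(tx_id: int, sid: int = SID) -> str:
    """One constructed eve alert record; only the layout mirrors eve.json, values are made up."""
    return json.dumps({
        "timestamp": "2024-04-25T21:31:19.000000+0000",
        "flow_id": 1,
        "in_iface": "ens192",
        "event_type": "alert",
        "src_ip": "10.0.0.1", "src_port": 49172,
        "dest_ip": "10.0.0.2", "dest_port": 80,
        "proto": "TCP",
        "tx_id": tx_id,
        "alert": {"action": "allowed", "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": "constructed signature text", "category": "", "severity": 1},
        "app_proto": "http",
    })


def _constructed_http(tx_id: int) -> str:
    """A constructed non-alert record, present so the filter has something to skip."""
    return json.dumps({
        "timestamp": "2024-04-25T21:31:19.000000+0000",
        "event_type": "http",
        "tx_id": tx_id,
        "http": {"http_method": "POST", "url": "/"},
    })


# Constructed stand-ins for the two attached eve.json files: the IDS run alerted on
# tx 0..14, the inline run on tx 1..14, mirroring the counts reported in the thread.
IDS_EVE = [_constructed_http(i) for i in range(15)] + [_constructed_alert(i) for i in range(15)]
INLINE_EVE = [_constructed_http(i) for i in range(15)] + [_constructed_alert(i) for i in range(1, 15)]


def main(argv: list) -> None:
    if len(argv) == 3:
        # usage: python compare_tx.py <ids eve.json> <inline eve.json>
        with open(argv[1]) as f_ids, open(argv[2]) as f_inline:
            result = compare_runs(f_ids, f_inline)
    else:
        result = compare_runs(IDS_EVE, INLINE_EVE)
    print(json.dumps(result, indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the two unpacked eve.json files as arguments; a run that only differs by `inline: auto` versus `inline: no` in the stream section should then show up as `missing_in_inline: [0]` rather than having to be counted by hand, and a sid that alerts without a transaction id appears as `-1`, which is worth knowing before concluding a transaction was skipped.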
Could you provide the suricata.log and stats.log for both scenarios?