Hello,
I enabled IP forwarding and removed the NAT-type NIC:
# ifconfig
CLIENT: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::a00:27ff:fee5:267c prefixlen 64 scopeid 0x20<link>
ether 08:00:27:e5:26:7c txqueuelen 1000 (Ethernet)
RX packets 13 bytes 970 (970.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17 bytes 2918 (2.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
SERVER: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::a00:27ff:febc:c5a7 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:bc:c5:a7 txqueuelen 1000 (Ethernet)
RX packets 1 bytes 243 (243.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17 bytes 2918 (2.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Then ran Suricata-IDS:
# suricata --af-packet -D
The client and server can still see each other:
C:\> ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Ping statistics for 192.168.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
C:\>
I ran tcpdump on the Suricata-IDS server and the result is as follows:
# tcpdump -i CLIENT -vvv
02:04:00.968531 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:01.661038 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:02.661361 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:03.665071 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:04.661536 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:05.661223 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:06.665725 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:07.661242 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:08.660741 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:09.664502 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:10.661237 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
02:04:11.660867 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.1.1, length 46
Suricata-IDS reports are as follows:
[730 - Suricata-Main] 2023-10-07 01:43:59 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[673 - Suricata-Main] 2023-10-07 02:01:31 Info: cpu: CPUs/cores online: 2
[673 - Suricata-Main] 2023-10-07 02:01:31 Info: af-packet: Setting IPS mode
[673 - Suricata-Main] 2023-10-07 02:01:31 Info: exception-policy: master exception-policy set to: auto
[673 - Suricata-Main] 2023-10-07 02:01:31 Info: ioctl: CLIENT: MTU 1500
[673 - Suricata-Main] 2023-10-07 02:01:31 Info: ioctl: SERVER: MTU 1500
[674 - Suricata-Main] 2023-10-07 02:01:31 Info: conf: Running in live mode, activating unix socket
[674 - Suricata-Main] 2023-10-07 02:01:31 Info: logopenfile: fast output device (regular) initialized: fast.log
[674 - Suricata-Main] 2023-10-07 02:01:31 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[674 - Suricata-Main] 2023-10-07 02:01:31 Info: logopenfile: stats output device (regular) initialized: stats.log
[674 - Suricata-Main] 2023-10-07 02:01:33 Info: detect: 1 rule files processed. 35168 rules successfully loaded, 0 rules failed
[674 - Suricata-Main] 2023-10-07 02:01:34 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[674 - Suricata-Main] 2023-10-07 02:01:34 Info: detect: 35171 signatures processed. 1248 are IP-only rules, 5282 are inspecting packet payload, 28429 inspect application layer, 108 are decoder event only
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: af-packet: CLIENT: AF_PACKET IPS mode activated CLIENT->SERVER
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: runmodes: CLIENT: creating 1 thread
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: af-packet: SERVER: AF_PACKET IPS mode activated SERVER->CLIENT
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: runmodes: SERVER: creating 1 thread
[676 - W#01-SERVER] 2023-10-07 02:01:37 Info: ioctl: SERVER: MTU 1500
[676 - W#01-SERVER] 2023-10-07 02:01:37 Info: ioctl: CLIENT: MTU 1500
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: unix-manager: created socket directory /var/run/suricata/
[674 - Suricata-Main] 2023-10-07 02:01:37 Notice: threads: Threads created -> W: 2 FM: 1 FR: 1 Engine started.
[675 - W#01-CLIENT] 2023-10-07 02:11:07 Warning: af-packet: CLIENT: failed to poll interface: Network is down
[676 - W#01-SERVER] 2023-10-07 02:11:07 Warning: af-packet: SERVER: failed to poll interface: Network is down
[675 - W#01-CLIENT] 2023-10-07 02:11:16 Info: af-packet: CLIENT: interface is back up
[676 - W#01-SERVER] 2023-10-07 02:11:16 Info: af-packet: SERVER: interface is back up
And:
# cat /var/log/suricata/fast.log
#
What is really wrong?
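A few checks worth running on a setup like this, as an added example (not code from the post above and not from the Suricata project). Context it relies on: in AF_PACKET copy-mode IPS, Suricata itself moves frames between the two NICs at layer 2, so net.ipv4.ip_forward is not what carries traffic across the box, and the pass-through NICs do not need an IPv4 address of their own. The posted ping output ("Reply from 192.168.1.1: Destination host unreachable") is the Windows client reporting that it cannot resolve 192.168.1.2, which matches the tcpdump on CLIENT showing only unanswered ARP requests; a second capture on SERVER at the same time would show whether those requests are being copied across at all. The script parses the posted log and ifconfig excerpts (embedded below as constructed samples so it runs offline) and prints the af-packet fragment that corresponds to the two "IPS mode activated" lines. Interface names CLIENT and SERVER are taken from the post; cluster-ids and the other af-packet settings are assumptions that follow the Suricata user guide's AF_PACKET IPS example.

```shell
#!/bin/sh
# Added example: sanity checks for a two-NIC Suricata AF_PACKET inline pair.
# Samples below are constructed from the excerpts in the post above.

SAMPLE_LOG='[674 - Suricata-Main] 2023-10-07 02:01:31 Info: af-packet: Setting IPS mode
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: af-packet: CLIENT: AF_PACKET IPS mode activated CLIENT->SERVER
[674 - Suricata-Main] 2023-10-07 02:01:37 Info: af-packet: SERVER: AF_PACKET IPS mode activated SERVER->CLIENT
[675 - W#01-CLIENT] 2023-10-07 02:11:07 Warning: af-packet: CLIENT: failed to poll interface: Network is down
[676 - W#01-SERVER] 2023-10-07 02:11:07 Warning: af-packet: SERVER: failed to poll interface: Network is down
[675 - W#01-CLIENT] 2023-10-07 02:11:16 Info: af-packet: CLIENT: interface is back up'

SAMPLE_IFCONFIG='CLIENT: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::a00:27ff:fee5:267c prefixlen 64 scopeid 0x20<link>
ether 08:00:27:e5:26:7c txqueuelen 1000 (Ethernet)
SERVER: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::a00:27ff:febc:c5a7 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:bc:c5:a7 txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>'

# ips_pairs: print "A B" for every "IPS mode activated A->B" line read on stdin.
ips_pairs() {
    sed -n 's/.*IPS mode activated \([^ ]*\)->\([^ ]*\).*/\1 \2/p'
}

# ips_pair_symmetric A B: exit 0 only if the log on stdin shows both A->B and B->A,
# i.e. copy-mode is active in both directions for the pair.
ips_pair_symmetric() {
    pairs=$(ips_pairs)
    echo "$pairs" | grep -qx "$1 $2" && echo "$pairs" | grep -qx "$2 $1"
}

# poll_failures: number of "failed to poll interface" warnings in the log on stdin.
# Each one means Suricata saw the NIC go down; frames are not copied while it is down.
poll_failures() {
    grep -c 'failed to poll interface' || true
}

# iface_is_up NAME: exit 0 if ifconfig output on stdin lists NAME with the UP flag.
iface_is_up() {
    awk -v want="$1" '
        /^[^ :]+: flags=/ { cur = $1; sub(":", "", cur)
                            if (cur == want && $0 ~ /[<,]UP[,>]/) up = 1 }
        END { exit up ? 0 : 1 }'
}

# iface_has_ipv4 NAME: exit 0 if NAME'"'"'s block in ifconfig output on stdin has an "inet " line.
# A copy-mode NIC needs none; the IPs being pinged belong to the endpoints, not this box.
iface_has_ipv4() {
    awk -v want="$1" '
        /^[^ :]+: flags=/ { cur = $1; sub(":", "", cur) }
        cur == want && $1 == "inet" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# afpacket_ips_yaml A B: print an af-packet section pairing A and B in copy-mode ips.
# Assumed values (cluster-id, buffer-size, mmap) follow the Suricata user guide's
# IPS example; threads: 1 matches the "creating 1 thread" lines in the post.
afpacket_ips_yaml() {
    cat <<EOF
af-packet:
  - interface: $1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: $2
    buffer-size: 64535
    use-mmap: yes
    tpacket-v3: no
  - interface: $2
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: $1
    buffer-size: 64535
    use-mmap: yes
    tpacket-v3: no
EOF
}

# Demo against the constructed samples. On a real box feed the checks with
#   ... < /var/log/suricata/suricata.log   and   ifconfig | iface_is_up CLIENT
printf '%s\n' "$SAMPLE_LOG" | ips_pair_symmetric CLIENT SERVER \
    && echo "copy-mode pair CLIENT<->SERVER active in both directions"
echo "poll failures in log: $(printf '%s\n' "$SAMPLE_LOG" | poll_failures)"
for i in CLIENT SERVER; do
    printf '%s\n' "$SAMPLE_IFCONFIG" | iface_is_up "$i" || echo "$i is not UP"
    printf '%s\n' "$SAMPLE_IFCONFIG" | iface_has_ipv4 "$i" \
        && echo "$i carries an IPv4 address (not needed for a layer-2 copy pair)"
done
afpacket_ips_yaml CLIENT SERVER
```

The two "IPS mode activated" lines in the posted log are what a symmetric copy-mode pair looks like when it starts, so the yaml above reproduces that pairing rather than anything the post itself shows; the "failed to poll interface: Network is down" warnings at 02:11:07 are the other thing to correlate with the time of the ping test, since no frames cross the pair while either NIC is down.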