Suricata-IDS does not work in AF_PACKET IPS mode

Hello,
Thank you so much for your reply.
I did tcpdump. The contents of the log files are as follows:

# cat /var/log/suricata/suricata.log 
[864 - Suricata-Main] 2023-10-28 02:04:12 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[864 - Suricata-Main] 2023-10-28 02:04:12 Info: cpu: CPUs/cores online: 2
[864 - Suricata-Main] 2023-10-28 02:04:12 Info: af-packet: Setting IPS mode
[864 - Suricata-Main] 2023-10-28 02:04:12 Info: exception-policy: master exception-policy set to: auto
[864 - Suricata-Main] 2023-10-28 02:04:13 Info: ioctl: CLIENT: MTU 1500
[864 - Suricata-Main] 2023-10-28 02:04:13 Info: ioctl: SERVER: MTU 1500
[864 - Suricata-Main] 2023-10-28 02:04:13 Info: logopenfile: fast output device (regular) initialized: fast.log
[864 - Suricata-Main] 2023-10-28 02:04:13 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[864 - Suricata-Main] 2023-10-28 02:04:13 Info: logopenfile: stats output device (regular) initialized: stats.log
[864 - Suricata-Main] 2023-10-28 02:04:14 Info: detect: 1 rule files processed. 41733 rules successfully loaded, 0 rules failed
[864 - Suricata-Main] 2023-10-28 02:04:14 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[864 - Suricata-Main] 2023-10-28 02:04:15 Info: detect: 41736 signatures processed. 1497 are IP-only rules, 5391 are inspecting packet payload, 34641 inspect application layer, 108 are decoder event only
[864 - Suricata-Main] 2023-10-28 02:04:21 Info: af-packet: CLIENT: AF_PACKET IPS mode activated CLIENT->SERVER
[864 - Suricata-Main] 2023-10-28 02:04:21 Info: runmodes: CLIENT: creating 2 threads
[864 - Suricata-Main] 2023-10-28 02:04:22 Info: af-packet: SERVER: AF_PACKET IPS mode activated SERVER->CLIENT
[864 - Suricata-Main] 2023-10-28 02:04:22 Info: runmodes: SERVER: creating 2 threads
[867 - W#01-SERVER] 2023-10-28 02:04:22 Info: ioctl: SERVER: MTU 1500
[867 - W#01-SERVER] 2023-10-28 02:04:22 Info: ioctl: CLIENT: MTU 1500
[868 - W#02-SERVER] 2023-10-28 02:04:22 Info: ioctl: SERVER: MTU 1500
[868 - W#02-SERVER] 2023-10-28 02:04:22 Info: ioctl: CLIENT: MTU 1500
[864 - Suricata-Main] 2023-10-28 02:04:22 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[864 - Suricata-Main] 2023-10-28 02:04:22 Info: unix-manager: created socket directory /var/run/suricata/
[864 - Suricata-Main] 2023-10-28 02:04:22 Notice: threads: Threads created -> W: 4 FM: 1 FR: 1   Engine started.
[864 - Suricata-Main] 2023-10-28 02:06:06 Notice: suricata: Signal Received.  Stopping engine.
[864 - Suricata-Main] 2023-10-28 02:06:07 Info: suricata: time elapsed 105.439s
[864 - Suricata-Main] 2023-10-28 02:06:08 Info: counters: Alerts: 0
[864 - Suricata-Main] 2023-10-28 02:06:08 Notice: device: CLIENT: packets: 179, drops: 0 (0.00%), invalid chksum: 0
[864 - Suricata-Main] 2023-10-28 02:06:08 Notice: device: SERVER: packets: 108, drops: 0 (0.00%), invalid chksum: 0

And:

# cat /var/log/suricata/fast.log
#

And:

The eve.json file.

What is your opinion?

Looks like your traffic forwarding is not correct. In the eve.json we see some flow event types but just IPv6 link local and some udp traffic:

{
  "timestamp": "2023-10-28T02:05:48.137781-0400",
  "flow_id": 1962762743613568,
  "in_iface": "SERVER",
  "event_type": "flow",
  "src_ip": "192.168.1.2",
  "src_port": 63215,
  "dest_ip": "224.0.0.252",
  "dest_port": 5355,
  "proto": "UDP",
  "app_proto": "failed",
  "flow": {
    "pkts_toserver": 2,
    "pkts_toclient": 0,
    "bytes_toserver": 132,
    "bytes_toclient": 0,
    "start": "2023-10-28T02:05:10.653599-0400",
    "end": "2023-10-28T02:05:10.762605-0400",
    "age": 0,
    "state": "new",
    "reason": "timeout",
    "alerted": false
  }
}
{
  "timestamp": "2023-10-28T02:05:49.139061-0400",
  "flow_id": 1037102500911912,
  "in_iface": "SERVER",
  "event_type": "flow",
  "src_ip": "192.168.1.2",
  "src_port": 137,
  "dest_ip": "192.168.1.255",
  "dest_port": 137,
  "proto": "UDP",
  "app_proto": "failed",
  "flow": {
    "pkts_toserver": 34,
    "pkts_toclient": 0,
    "bytes_toserver": 3416,
    "bytes_toclient": 0,
    "start": "2023-10-28T02:04:59.962365-0400",
    "end": "2023-10-28T02:05:15.020741-0400",
    "age": 16,
    "state": "new",
    "reason": "timeout",
    "alerted": false
  }
}

Your ICMPv4 packets are not seen at all at Suricata. So check the cabling and outer network configuration.

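To make the reply's reading of eve.json repeatable, here is an added Python script (not from the thread or from the Suricata project) that counts flow events per interface and protocol and checks whether an ICMP flow between the client and server addresses was seen in both directions. The sample lines are constructed from the output above; the 192.168.1.1 and 192.168.1.2 addresses are the ones the setup in this thread assigns to VM1 and VM3.

```python
import json
from collections import Counter

# Constructed sample eve.json lines modelled on the thread's output: only UDP
# broadcast/multicast flows arriving on SERVER, and nothing from the ping test.
SAMPLE_EVE = """
{"timestamp":"2023-10-28T02:05:48.137781-0400","in_iface":"SERVER","event_type":"flow","src_ip":"192.168.1.2","src_port":63215,"dest_ip":"224.0.0.252","dest_port":5355,"proto":"UDP","flow":{"pkts_toserver":2,"pkts_toclient":0}}
{"timestamp":"2023-10-28T02:05:49.139061-0400","in_iface":"SERVER","event_type":"flow","src_ip":"192.168.1.2","src_port":137,"dest_ip":"192.168.1.255","dest_port":137,"proto":"UDP","flow":{"pkts_toserver":34,"pkts_toclient":0}}
{"timestamp":"2023-10-28T02:05:50.000000-0400","in_iface":"SERVER","event_type":"stats","stats":{}}
"""


def summarize_flows(eve_text):
    """Parse one JSON object per line, keep only event_type == "flow", and
    return (Counter keyed by (in_iface, proto), list of flow records)."""
    flows = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "flow":
            flows.append(ev)
    counts = Counter((ev["in_iface"], ev["proto"]) for ev in flows)
    return counts, flows


def ping_test_seen(flows, client_ip, server_ip):
    """True if an ICMP flow between the two test hosts exists AND packets were
    counted in both directions, i.e. echo request and reply both crossed the
    IPS bridge. One-directional ICMP means only half the path is forwarded."""
    for ev in flows:
        endpoints = {ev["src_ip"], ev["dest_ip"]}
        if ev["proto"] == "ICMP" and endpoints == {client_ip, server_ip}:
            f = ev["flow"]
            if f["pkts_toserver"] > 0 and f["pkts_toclient"] > 0:
                return True
    return False


if __name__ == "__main__":
    counts, flows = summarize_flows(SAMPLE_EVE)
    for (iface, proto), n in sorted(counts.items()):
        print(f"{iface:8} {proto:6} {n} flow(s)")
    ok = ping_test_seen(flows, "192.168.1.1", "192.168.1.2")
    print("ICMP client<->server seen in both directions:", ok)
```

Run it against the real file with `summarize_flows(open("/var/log/suricata/eve.json").read())`; a healthy bridge shows ICMP flows with non-zero counts in both directions, while the thread's output yields only UDP on SERVER.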
Hello,
Thank you so much for your reply.
I don’t use IPv6 and I don’t want to. Is IPv6 the cause of this problem?
Both client and server can ping Suricata-IDS server. My network configuration is what @ish said:

  • VM1 (Client)
    • One network adapter, “Internal Network” with name “client”
  • VM3 (Server)
    • One network adapter, “Internal Network” with name “server”
  • VM2 (IPS)
    • One network adapter, “Internal Network” with name “server”
    • One network adapter, “Internal Network” with name “client”

Note, there will be no external network access here. So you might want to get all the tools you need installed first, then setup the network.

Assign the interface on VM1 an address like 192.168.1.1/24.
Assign the interface on VM3 an address like 192.168.1.2/24.

Any idea welcomed.

Please note that in this configuration the client and the server machines should not be able to ping the IDS server as the IDS server should have no IP addresses.

Also note that I said this scenario does not work very well in a VM, at least I haven’t got it to work reliably. So you don’t know if you are working out issues in Suricata, or the VM networking.

Hello,
Thank you so much for your reply.
I meant when the Suricata-IDS server’s NICs have an IP address, then both client and server can ping Suricata-IDS server.

Do you mean that my setup might be fine, but the problem is the setup in the virtual environment?

May I have a request? Can you run and test this virtual environment yourself to make sure that the problem is due to the virtual environment? This test can be useful for many Suricata-IDS users.

This isn’t really testing Suricata or the Suricata machine at all. This pair of interfaces forming the IPS should not have IP addresses, so should not be pingable.

The virtual environment, and your interfaces having IP addresses could both be problems.

I’ve done this, which is why I’m telling you that it is not good for testing this type of setup. The results are not reliable enough for any real testing. I’ve tried with KVM and VirtualBox.

Hello,
Thanks again.
As you can see, the Suricata-IDS server's network cards do not have IP addresses. I gave temporary IP addresses to the network cards just to test the Suricata-IDS server's communication with the client and the server.
I will do the same configuration on physical hardware and share the result here. I hope this post will not be closed by the admin until then.

Hello,
The problem was due to the use of a virtual environment. The problem was solved.

Thank you.