Hi all,
I’m trying to setup suricata with AWS traffic mirroring. The mirroring part works as I can see the mirrored packets arriving on the interface of the target ec2 instance. Note that suricata in this instance is a out-of-the-box ubuntu installation.
tcpdump -nnni eth0 udp port 4789 - shows the traffic arriving on the interface
I tried creating a virtual interface as I had seen that mentioned in a few places:
ip link add vxlan0 type vxlan id 12345 dev eth0 dstport 4789
• ip link set vxlan0 up
I can see the same mirrored traffic arriving on that interface, however suricata seems to ignore it. What settings are required for suricata to work with mirrored traffic?
which version of Suricata are you running exactly? I would recommend using the PPA since the only Suricata I’ve seen in Ubuntu is in 18.04 and that’s 3.2 which is EOL for a long time and doesn’t support VXLAN.
With a more recent version VXLAN support is builtin, you just need to ensure the VXLAN_PORT value is set correct, which it should by default.
Hi Peter,
I did notice that the mirror source had an mtu of 9001 (ec2 instance) but the destination had an mtu of 1500. I recreated the destination with a different instance type and adjusted the source mtu as per the documentation:
For example, if an 8996 byte packet is mirrored, and the traffic mirror target MTU value is 9001 bytes,
the mirror encapsulation results in the mirrored packet being greater than the MTU value. In this case,
the mirror packet is truncated. To prevent mirror packets from being truncated, set the traffic mirror
source interface MTU value to 54 bytes less than the traffic mirror target MTU value for IPv4 and 74
bytes less than the traffic mirror target MTU value when you use IPv6. Therefore, the maximum MTU
value supported by Traffic Mirroring with no packet truncation is 8947 bytes