Suricata in AF_PACKET mode creates an inifinite loop

Nimrod_Shneor · May 4, 2023, 9:00am

I have the following configuration of suricata in af packet for two vNICs named idps0 and idps1 respectively:

af-packet:
  - interface: idps0
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: tap
    copy-iface: idps1
    buffer-size: 64535
    use-mmap: yes
  - interface: idps1
    threads: 1
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: tap
    copy-iface: idps0
    buffer-size: 64535
    use-mmap: yes

However this symmetric configuration creates an infinite loop of packets between the NICs. When I tried to remove the copy-iface variable from the second interface or the entry of the second interface altogether Suricata fails with error: Some IPS capture threads did not peer.

Can someone please help?

vjulien · May 6, 2023, 10:44am

How are the vNICs configured and what is their position in your network?

Nimrod_Shneor · May 7, 2023, 6:31am

They are created as a “dummy” vnic inside the host running suricata i.e.:
ip link add idps0 type dummy
ip link set idps0 up

I am running suricata using the following cmd:

 sudo suricata -c suricata.yaml -s /opt/azfw/etc/suricata/rules/allrules.rules --af-packet

ish · May 7, 2023, 6:42am

Linux dummy interfaces are interesting. I’ve tried them for “virtual” IPS testing, but every packet “injected” into them appears to be received and transmitted by the interface, making them not very useful for anything but light testing, and not for production use.

So I’m going to guess that is the source of your infinite loop.

Some thoughts:

Dummy interfaces simply are suitable for this…
OR… Something like af-packet: Ignore outgoing packets on loopback interfaces - v3 by awelzel · Pull Request #8778 · OISF/suricata · GitHub maybe could be applied to dummy interfaces. Emphasis on maybe…

Nimrod_Shneor · November 2, 2023, 7:10am

@ish Have you heard or tried running suricata in af-packet mode on dummy interfaces in production?

I am considering some architecture that uses this option in order to alleviate the following known bug: Suricata behind proxy server - #8 by Knight (Suricata behined proxy)…

ish · November 2, 2023, 2:38pm

No, and I’m not sure how useful they would be. As mentioned above, the dummy interfaces have an echo effect limiting their use in IPS setups. They are fine for replaying traffic into and monitoring in IDS mode, but I haven’t been able to make much use of them for testing IPS modes.