Suricata in af-packet mode: no Internet connection

Greetings!

I am running suricata-5.0.3 in af-packet mode but there is no internet connection at all while it is running. I am able to access web resources via a socks/squid proxy but not otherwise.

System -
Linux flux 5.3.18-lp152.36-default #1 SMP Tue Aug 18 17:09:44 UTC 2020 (885251f) x86_64 x86_64 x86_64 GNU/Linux

suricata build info - suricata --build-info

suricata.yaml

Relevant logs -

Sep 02 19:42:55 flux systemd[1]: Starting Suricata Intrusion Detection Service...
Sep 02 19:42:55 flux systemd[1]: Started Suricata Intrusion Detection Service.
Sep 02 19:42:55 flux suricata[28543]: 2/9/2020 -- 19:42:55 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
Sep 02 19:43:23 flux suricata[28543]: 2/9/2020 -- 19:43:23 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
Sep 02 20:19:33 flux systemd[1]: Stopping Suricata Intrusion Detection Service...
Sep 02 20:19:33 flux suricata[28543]: 2/9/2020 -- 20:19:33 - <Notice> - Signal Received.  Stopping engine.
Sep 02 20:19:34 flux suricata[28543]: 2/9/2020 -- 20:19:34 - <Notice> - Stats for 'eth0':  pkts: 15820155, drop: 152 (0.00%), invalid chksum: 0
Sep 02 20:19:34 flux suricata[28543]: 2/9/2020 -- 20:19:34 - <Notice> - Stats for 'eth1':  pkts: 16524174, drop: 563 (0.00%), invalid chksum: 0
Sep 02 20:19:34 flux systemd[1]: Stopped Suricata Intrusion Detection Service.

Please help me fix this.

First of all, I would recommend not using profiling unless you really need to debug things.

There is only a minor drop rate but you could run Suricata without rules to make sure that no rule drop is the reason for that.

Is this a system in between your testing machine and the uplink?


Good day to you. Thanks for the quick tip, I will disable profiling and recompile the binary.

> There is only a minor drop rate but you could run Suricata without rules to make sure that no rule drop is the reason for that.

I killed the process quickly, that is why the drop rate was low.

> Is this a system in between your testing machine and the uplink?

Yes, this system is behind OpenBSD PF firewall.

I managed to get pfring IPS mode running, it is functioning as expected -

```
[Thu Sep 03 07:54:05 root@flux /usr/local/etc/suricata]
# suricata -c suricata.yaml --pfring=eth0 --pfring=eth1 -v
```

console stream - verbose output

There was no drop -

^C3/9/2020 -- 08:15:12 - <Notice> - Signal Received.  Stopping engine.
3/9/2020 -- 08:15:14 - <Info> - time elapsed 1225.552s
3/9/2020 -- 08:15:14 - <Info> - TLS logger logged 0 requests
3/9/2020 -- 08:15:14 - <Info> - (W#01-eth0) certificates extracted 0
3/9/2020 -- 08:15:14 - <Info> - TLS logger logged 0 requests
3/9/2020 -- 08:15:14 - <Info> - (W#02-eth0) certificates extracted 0
3/9/2020 -- 08:15:14 - <Info> - TLS logger logged 0 requests
3/9/2020 -- 08:15:14 - <Info> - (W#01-eth1) certificates extracted 0
3/9/2020 -- 08:15:14 - <Info> - TLS logger logged 0 requests
3/9/2020 -- 08:15:14 - <Info> - (W#02-eth1) certificates extracted 0
3/9/2020 -- 08:15:14 - <Info> - Alerts: 0
3/9/2020 -- 08:15:15 - <Info> - cleaning up signature grouping structure... complete
3/9/2020 -- 08:15:15 - <Notice> - Stats for 'eth0':  pkts: 12808, drop: 0 (0.00%), invalid chksum: 0
3/9/2020 -- 08:15:15 - <Notice> - Stats for 'eth1':  pkts: 258, drop: 0 (0.00%), invalid chksum: 0

I prefer --af-packet; on openSUSE, dkms sometimes fails to install the pfring module. I am able to run zeek in --af-packet mode on the same machine.

Please let me know if you have any more suggestions, I will follow.

Update: I am not getting any alerts in pfring mode.

I never tried PFRING IPS mode. So I think a solid first step is still to try a run with af_packet without any rules or at least no rules set to drop.

Greetings!

I disabled profiling and reinstalled suricata.

suricata --build-info

There is still no connectivity; only Tor is working, and I am able to access the forum.

As per your suggestions I disabled the rules and ran suricata with verbose flag.

Console stream - suricata verbose with rules disabled

The packet loss is not much but there is no connectivity at all. firewalld isn't blocking traffic.

Please let me know if you need more information on this or want me to try something else.

UPDATE 1 - kernel is logging martian source journalctl
UPDATE 2 - network connectivity status

So you have your OpenBSD firewall in front on the WAN uplink, behind that the Linux system with Suricata, and behind that the clients?

Can you sketch your setup a bit?

Also, can you provide the `ip a` output on the Linux machine? (Feel free to censor private info in there.)


Can you sketch your setup a bit?

The setup: ONT – OpenBSD Router – openSUSE + suricata – wired & wireless clients.

For testing purposes I connected suricata directly to the ONT. I have set up two VLANs for port mirroring in the ONT. Unfortunately the ONT is carrier locked; they do not provide any documentation. I am going to experiment with the ONT and figure out ways to make it work, or buy my own ONT, or get a TAP device. I will post an update on the coming Tuesday.

network overview

UPDATE: I discovered the ONT screw-up on Saturday.

This raises some questions. You’re talking about a port mirror and a TAP, so passive traffic. This won’t match IPS mode.

Another point is that I see you have just eth0/eth1 and also with IPs configured. Keep in mind that ALL packets sent to eth0 will be copied to eth1 and sent out, this includes traffic that you want to send directly to the device (for example SSH for management).

How do you do the routing?

So overall I would challenge the setup passive traffic monitoring vs IPS mode as some sort of conflict.

Today I configured an OpenWrt router with port mirroring, to which the suricata device connects. I am trying different options but none seem to work in af-packet ips/tap copy-mode. Zeek is working in af-packet mode on the same setup.

The port-mirroring in OpenWrt is working as expected.

My default route is wlan0. You will find contradictory information coming from me since I am experimenting with different options and changing the hardware/network topology in the process.

As I said, port mirroring in combination with IPS mode doesn’t make much sense. In which mode did you run Zeek, IDS?

It’s hard to help when the setup is always changing.

Can you try to create a small diagram with IPs, networkports and how they’re connected and how the routing for the client is done?


I will discard the OpenWrt port-mirroring setup and fall back to the OpenBSD firewall.

I am using zeek-af_packet-plugin

Let me go back to the original scenario of suricata running behind OpenBSD pf, get the new hardware (probably a quad-port PCIe Ethernet adapter) and see if it changes anything. I will report back in a couple of days; I appreciate your patience. Thank you.

I just checked: if you ran Zeek, it was only in IDS mode, since it is just passive. So if you want to have Suricata the same way as Zeek, I would recommend just using Suricata in AF_PACKET IDS mode; in that case it's rather easy to run it on the interface where the mirrored traffic arrives.
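The two replies above (the one pointing out that in copy-mode every packet received on eth0 is copied out of eth1, and the one recommending plain IDS mode on a mirror port) describe two different af-packet configurations. The following is an added example of the inline pair, not configuration from this thread or from the Suricata project; the interface names eth0/eth1 are assumptions and should be the two NICs that sit physically between the uplink and the router, with no IP address assigned to either of them.

```yaml
# Added example (not from the thread or the Suricata project): a minimal
# af-packet IPS pair for suricata.yaml. eth0/eth1 are assumed names for the
# two NICs that sit inline between the ONT/modem and the router. Neither
# interface carries an IP address; management traffic uses a third NIC.
af-packet:
  - interface: eth0
    threads: 1                # must be the same on both sides of the pair
    cluster-id: 98            # must differ between the two interfaces
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v3: no            # as I understand it, the v3 ring cannot be used with copy-mode in the 5.x series
    copy-mode: ips            # "tap" copies everything through; "ips" honours drop rules
    copy-iface: eth1          # packets received on eth0 leave via eth1
    buffer-size: 64535
  - interface: eth1
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: eth0          # and packets received on eth1 leave via eth0
    buffer-size: 64535
```

Start it with `suricata -c suricata.yaml --af-packet` (no interface argument, so both entries are used). Before blaming rules for lost connectivity, check that `ip a` shows no address on either interface and that hardware offloading is off on both, for example `ethtool -K eth0 gro off lro off tso off gso off rx off tx off sg off`; offloaded or oversized frames are a common reason an inline pair passes almost nothing. For the mirror-port case from the later reply, use a single entry for the interface the mirrored traffic arrives on, leave out `copy-mode` and `copy-iface`, and start with `--af-packet=<that interface>`; drop rules then only log, since nothing is forwarded.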

I would like to learn IPS mode. I've used IDS for a while on OpenBSD. I am new to Linux and it is time to learn new things. I will get back with infrastructure details by Thursday at the latest; please help me get it working.

My issue is sorted after adding an Intel dual-LAN PCI adapter and not assigning an IP to it.

Network

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1a:64:92:13:18 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 2a:3c:0a:6d:4e:07 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 74:d0:2b:2b:1a:42 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.25/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1a:64:92:13:19 brd ff:ff:ff:ff:ff:ff

My network flow
ONT/Modem – Suricata (IPS) – OpenWrt router (connected to wan port)

Should I connect to LAN port on OpenWrt or let it stay connected to WAN?

I apologize for the late update, but the Amazon vendor sent me a PCI-X card instead of PCIe; I was expecting a quick replacement but it didn't work out that way. I've installed the PCI-X card in a PCI 2.0 slot for now and configured suricata. In this situation I cannot test suricata with netmap or PF_RING.