Suricata in af-packet mode: no Internet connection

Greetings!

I am running suricata-5.0.3 in af-packet mode but there is no internet connection at all while it is running. I am able to access web resource via socks/squid proxy but not otherwise.

System -
Linux flux 5.3.18-lp152.36-default #1 SMP Tue Aug 18 17:09:44 UTC 2020 (885251f) x86_64 x86_64 x86_64 GNU/Linux

suricata build info - suricata --build-info

suricata.yaml suricata.yaml

Relevant logs -

Sep 02 19:42:55 flux systemd[1]: Starting Suricata Intrusion Detection Service...
Sep 02 19:42:55 flux systemd[1]: Started Suricata Intrusion Detection Service.
Sep 02 19:42:55 flux suricata[28543]: 2/9/2020 -- 19:42:55 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
Sep 02 19:43:23 flux suricata[28543]: 2/9/2020 -- 19:43:23 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
Sep 02 20:19:33 flux systemd[1]: Stopping Suricata Intrusion Detection Service...
Sep 02 20:19:33 flux suricata[28543]: 2/9/2020 -- 20:19:33 - <Notice> - Signal Received.  Stopping engine.
Sep 02 20:19:34 flux suricata[28543]: 2/9/2020 -- 20:19:34 - <Notice> - Stats for 'eth0':  pkts: 15820155, drop: 152 (0.00%), invalid chksum: 0
Sep 02 20:19:34 flux suricata[28543]: 2/9/2020 -- 20:19:34 - <Notice> - Stats for 'eth1':  pkts: 16524174, drop: 563 (0.00%), invalid chksum: 0
Sep 02 20:19:34 flux systemd[1]: Stopped Suricata Intrusion Detection Service.

Please help me fix this.

First of all I would recommend to not use profiling unless you really need to debug things.

There is only a minor drop rate but you could run Suricata without rules to make sure that no rule drop is the reason for that.

Is this a system in between your testing machine and the uplink?

1 Like

Good day to you. Thanks for the quick tip, I will disable profiling and recompile the binary.

Blockquote There is only a minor drop rate but you could run Suricata without rules to make sure that no rule drop is the reason for that.

I killed the process quickly, that is why the drop rate was low.

Blockquote Is this a system in between your testing machine and the uplink?

Yes, this system is behind OpenBSD PF firewall.

I managed to get pfring IPS mode running, it is functioning as expected -

`[Thu Sep 03 07:54:05 root@flux /usr/local/etc/suricata] 
# suricata -c suricata.yaml --pfring=eth0 --pfring=eth1 -v`

console stream - verbose output

There was no drop -

^C3/9/2020 -- 08:15:12 - <Notice> - Signal Received.  Stopping engine.
3/9/2020 -- 08:15:14 - <Info> - time elapsed 1225.552s
3/9/2020 -- 08:15:14 - <Info> - TLS logger logged 0 requests
3/9/2020 -- 08:15:14 - <Info> - (W#01-eth0) certificates extracted 0
3/9/2020 -- 08:15:14 - <Info> - TLS logger logged 0 requests
3/9/2020 -- 08:15:14 - <Info> - (W#02-eth0) certificates extracted 0
3/9/2020 -- 08:15:14 - <Info> - TLS logger logged 0 requests
3/9/2020 -- 08:15:14 - <Info> - (W#01-eth1) certificates extracted 0
3/9/2020 -- 08:15:14 - <Info> - TLS logger logged 0 requests
3/9/2020 -- 08:15:14 - <Info> - (W#02-eth1) certificates extracted 0
3/9/2020 -- 08:15:14 - <Info> - Alerts: 0
3/9/2020 -- 08:15:15 - <Info> - cleaning up signature grouping structure... complete
3/9/2020 -- 08:15:15 - <Notice> - Stats for 'eth0':  pkts: 12808, drop: 0 (0.00%), invalid chksum: 0
3/9/2020 -- 08:15:15 - <Notice> - Stats for 'eth1':  pkts: 258, drop: 0 (0.00%), invalid chksum: 0

I prefer --af-packet, on openSUSE; dkms sometimes fails to install pfring module. I am able to run zeek in --af-packet mode on same machine.

Please let me know if you have any more suggestions, I will follow.

Update: I am not getting any alerts in pfring mode.

I never tried PFRING IPS mode. So I think a solid first step is still to try a run with af_packet without any rules or at least no rules set to drop.

Greetings!

I disabled profiling and reinstalled suricata.

suricata --build-info

There is still no connectivity, only tor is working and I am able to access the forum.

As per your suggestions I disabled the rules and ran suricata with verbose flag.

Console stream - suricata verbose with rules disabled

The packet loss is not much but there is no connectivity at all. The firewalld isn’t blocking traffic

Please let me know if you need more information on this or want me to try something else.

UPDATE 1 - kernel is logging martian source journalctl
UPDATE 2 - network connectivity status

So you have your OpenBSD firewall at front on the WAN uplink and behin that is the linux system with suricata and behind that are the clients?

Can you sketch your setup a bit?

Also can you provide the ip a output on the linux machine? (feel free to censor private infos within there).

1 Like

Can you sketch your setup a bit?

The setup: ONT – OpenBSD Router – openSUSE + suricata – wired & wireless clients.

For testing purpose I connected suricata directly to ONT. I have setup two vlans for port mirroring in the ONT. Unfortunately the ONT is carrier locked, they do not provide any documentation. I am going to experiment with ONT and figure out ways to make it work or buy my own ONT or get a TAP device. I will post an update on the coming Tuesday.

network overview

UPDATE: I discovered the ONT screw-up on Saturday.

This raises some questions. You’re talking about a port mirror and a TAP, so passive traffic. This won’t match IPS mode.

Another point is that I see you have just eth0/eth1 and also with IPs configured. Keep in mind that ALL packets sent to eth0 will be copied to eth1 and sent out, this includes traffic that you want to send directly to the device (for example SSH for management).

How do you do the routing?

So overall I would challenge the setup passive traffic monitoring vs IPS mode as some sort of conflict.

Today I configured a OpenWrt router with port-mirroring to which suricata device connects. I am trying different options but none seem to work in af-packet ips/tap copy-mode. Zeek is working in af-packet mode on same setup.

The port-mirroring in OpenWrt is working as expected.

My default route is wlan0. You will find contradictory information coming from me since I am experimenting with different options and changing the hardware/network topology in the process.

As I said, port mirroring in combination with IPS mode doesn’t make much sense. In which mode did you run Zeek, IDS?

It’s hard to help when the setup is always changing.

Can you try to create a small diagram with IPs, networkports and how they’re connected and how the routing for the client is done?

1 Like

I will discard OpenWrt port-mirroring setup and fallback to OpenBSD firewall.

I am using zeek-af_packet-plugin

Let me go back to the original scenario of suricata running behind OpenBSD pf, get the new hardware; probably quad port PCIe ethernet adapter and see if it changes anything. I will report back in a couple of days, appreciate your patience. Thank you.

I just checked, if you ran Zeek it was only IDS mode since it is just passive. So if you want to have Suricata the same way like Zeek I would recommend to just use Suricata in AF_PACKET IDS mode and in that case it’s rather easy to run it on on interface where the mirrored traffic arrives.

I will like to learn IPS mode. I’ve used IDS for a while on OpenBSD. I am new to Linux and it is time to learn new things. I will get back with infrastructure detail latest by Thursday, please help me get it working.