Hi All,
Recently I bought a Linux box with two NICs and configured an L2 bridge with ‘eth0’ and ‘eth1’:

```sh
/sbin/brctl addbr br0
/sbin/brctl addif br0 eth0
/sbin/brctl addif br0 eth1
/sbin/ifconfig eth0 0.0.0.0
/sbin/ifconfig eth1 0.0.0.0
/sbin/ifconfig br0 up
/sbin/ifconfig br0 192.168.100.200 netmask 255.255.255.0 up
```
The network diagram is ‘Router (with DHCP) <-> Bridged Linux Box <-> Laptop’, and everything worked fine.
I configured Suricata IPS with af-packet (eth0 and eth1); Suricata detected the rules correctly and wrote ‘drop’ logs.
However, Suricata could not actually block the packets matching ‘drop’ rules, and all traffic passed through.
What’s wrong with the bridge box?
How can I solve this problem?
Please help me.
Thanks in advance.
Daniel.
FYI:

- suricata.yaml:

```yaml
af-packet:
  - interface: eth0
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
```

- suricata.log:

```
root@NanoPi-R1S-H5:~/conf# suricata -v -c ./suricata.yaml --af-packet
23/12/2022 – 09:49:45 - - This is Suricata version 5.0.10 RELEASE running in SYSTEM mode
23/12/2022 – 09:49:45 - - CPUs/cores online: 4
23/12/2022 – 09:49:45 - - Found an MTU of 1500 for ‘eth0’
23/12/2022 – 09:49:45 - - Found an MTU of 1500 for ‘eth0’
23/12/2022 – 09:49:45 - - Found an MTU of 1500 for ‘eth1’
23/12/2022 – 09:49:45 - - Found an MTU of 1500 for ‘eth1’
23/12/2022 – 09:49:45 - - AF_PACKET: Setting IPS mode
23/12/2022 – 09:49:45 - - fast output device (regular) initialized: fast.log
23/12/2022 – 09:49:45 - - eve-log output device (regular) initialized: eve.json
23/12/2022 – 09:49:45 - - stats output device (regular) initialized: stats.log
23/12/2022 – 09:49:45 - - Running in live mode, activating unix socket
23/12/2022 – 09:49:45 - - 1 rule files processed. 2 rules successfully loaded, 0 rules failed
23/12/2022 – 09:49:45 - - 2 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only
23/12/2022 – 09:49:45 - - AF_PACKET IPS mode activated eth0->eth1
23/12/2022 – 09:49:45 - - Going to use 1 thread(s)
23/12/2022 – 09:49:45 - - AF_PACKET IPS mode activated eth1->eth0
23/12/2022 – 09:49:45 - - Going to use 1 thread(s)
23/12/2022 – 09:49:45 - - Found an MTU of 1500 for ‘eth1’
23/12/2022 – 09:49:45 - - Found an MTU of 1500 for ‘eth0’
23/12/2022 – 09:49:45 - - Running in live mode, activating unix socket
23/12/2022 – 09:49:45 - - Using unix socket file ‘/var/run/suricata/suricata-command.socket’
23/12/2022 – 09:49:45 - - all 2 packet processing threads, 4 management threads initialized, engine started.
23/12/2022 – 09:49:45 - - All AFP capture threads are running.
^C23/12/2022 – 09:49:51 - - Signal Received. Stopping engine.
23/12/2022 – 09:49:51 - - time elapsed 6.528s
23/12/2022 – 09:49:52 - - cleaning up signature grouping structure… complete
23/12/2022 – 09:49:52 - - Stats for ‘eth0’: pkts: 19, drop: 0 (0.00%), invalid chksum: 0
23/12/2022 – 09:49:52 - - Stats for ‘eth1’: pkts: 26, drop: 0 (0.00%), invalid chksum: 0
```

- fast.log:

```
12/23/2022-09:31:20.827268 [Drop] [] [1:5000001:1] PING detected [] [Classification: (null)] [Priority: 3] {ICMP} 192.168.7.5:8 → 192.168.100.1:0
12/23/2022-09:36:43.154268 [Drop] [] [1:5000001:1] PING detected [] [Classification: (null)] [Priority: 3] {ICMP} 192.168.7.5:8 → 192.168.100.1:0
12/23/2022-09:36:48.868248 [Drop] [] [1:102120:1] Not Allowed HTTP domain [] [Classification: (null)] [Priority: 1] {TCP} 192.168.7.5:58261 → 117.52.45.206:80
12/23/2022-09:36:49.346620 [Drop] [] [1:102120:1] Not Allowed HTTP domain [] [Classification: (null)] [Priority: 1] {TCP} 192.168.7.5:58262 → 61.110.197.11:80
12/23/2022-09:36:49.347352 [Drop] [] [1:102120:1] Not Allowed HTTP domain [] [Classification: (null)] [Priority: 1] {TCP} 192.168.7.5:58263 → 61.110.197.11:80
12/23/2022-09:36:49.347629 [Drop] [] [1:102120:1] Not Allowed HTTP domain [] [Classification: (null)] [Priority: 1] {TCP} 192.168.7.5:58264 → 61.110.197.11:80
12/23/2022-09:36:49.350986 [Drop] [] [1:102120:1] Not Allowed HTTP domain [] [Classification: (null)] [Priority: 1] {TCP} 192.168.7.5:58265 → 61.110.197.11:80
12/23/2022-09:36:49.351398 [Drop] [] [1:102120:1] Not Allowed HTTP domain [] [Classification: (null)] [Priority: 1] {TCP} 192.168.7.5:58266 → 61.110.197.11:80
```
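An added check, not part of the post above and not Suricata's own tooling: with `copy-mode: ips` Suricata itself forwards frames between each `copy-iface` pair, so if the kernel bridge (`br0` here) also has `eth0` and `eth1` as ports, the bridge forwards the same frames regardless of Suricata's verdict, and a logged "Drop" never takes effect on the wire. The script below, assuming the standard indented `suricata.yaml` layout and sysfs at `/sys/class/net`, flags every af-packet interface that is currently a bridge port.

```shell
#!/bin/sh
# Constructed check (not from the original post): find AF_PACKET interfaces
# that the kernel has also enslaved to a bridge. With copy-mode: ips Suricata
# forwards frames between the copy-iface pair itself; if a kernel bridge
# forwards the same frames too, Suricata's "drop" verdict is bypassed.
# Assumes the standard indented suricata.yaml layout and sysfs at /sys/class/net.

# Print the "interface:" values from the af-packet section, one per line.
afpacket_interfaces() {
    local yaml="$1"
    # Keep lines from "af-packet:" up to the next top-level key, then pull the
    # value of every "- interface:" item (commented-out "#interface" lines skip).
    sed -n '/^af-packet:/,/^[^ -]/p' "$yaml" | sed -n 's/^[ -]*interface:[ ]*//p'
}

# Print the master device of an interface (its bridge when it is a bridge
# port) by reading the sysfs "master" link; return 1 when there is none.
bridge_master() {
    local sysroot="$1" iface="$2"
    [ -L "$sysroot/$iface/master" ] || return 1
    basename "$(readlink "$sysroot/$iface/master")"
}

# Report every AF_PACKET interface that is a bridge port. Returns 0 when none
# is (kernel bridge and Suricata IPS do not overlap), 1 otherwise. The fix is
# to take those ports out of the bridge so that only Suricata forwards.
check_ips_bridging() {
    local yaml="$1" sysroot="${2:-/sys/class/net}" bad=0 iface br
    for iface in $(afpacket_interfaces "$yaml"); do
        [ "$iface" = default ] && continue   # the catch-all entry, not a NIC
        if br=$(bridge_master "$sysroot" "$iface"); then
            printf '%s is a port of bridge %s\n' "$iface" "$br"
            bad=1
        fi
    done
    return "$bad"
}

# Usage on a live box: check_ips_bridging /etc/suricata/suricata.yaml
```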