Suricata

Can you say a bit more about how the bridge is set up and how Suricata interacts with it? Please attach config files and/or commands.

Here is the complete command followed by me:
$ sudo apt-get install bridge-utils
$ sudo brctl addbr br0
$ sudo brctl addif br0 eth1
$ sudo brctl addif br0 eth2
$ sudo ifconfig eth1 0.0.0.0
$ sudo ifconfig eth2 0.0.0.0
$ sudo ifconfig br0 up

sudo apt-get install python-software-properties

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

Rule for Emerging Threats

$ cd /etc/suricata
$ sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
$ sudo tar -xzf emerging.rules.tar.gz
$ sudo mkdir /var/log/suricata
$ sudo touch /etc/suricata/threshold.config

1. a line based information for dropped packets in IPS mode
   - drop:
   - enabled: no
   + enabled: yes
   filename: drop.log
   append: yes

Now test with DROP packets and IPS mode. Right drop rule first.
$ sudo iptables -I FORWARD -j NFQUEUE

$ sudo iptables -A FORWARD -m physdev --physdev-in eth1
$ sudo iptables -A FORWARD -m physdev --physdev-in eth2

sudo suricata -c /etc/suricata/suricata.yaml -q 0

$ ls -al /var/log/suricata/
cat /var/log/suricata/fast.log

Let me know if you need more information.

Thanks in advance.

Regards
Mustaque

Sadly bridge+nfqueue has never worked well. If you need a brige I'd advice you to look at afpacket in bridge mode.

We are talking to the netfilter project about ways to improve things, but for now don't mix bridge and nfqueue.

See also #2135.

I have also updated Known_Issues

Thanks Victor for the information. That setup was working for long time in my environment. Could you also provide the documentation look at afpacket in bridge mode. Also any recommendation on bypass switch? Thanks in advance.

Regards,
Mustaque

Are you truly bridging or brouting ?

if truly brifging make sure you have those:

net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-filter-pppoe-tagged=1
net.bridge.bridge-nf-filter-vlan-tagged=1
net.bridge.bridge-nf-pass-vlan-input-dev=1

1. We are not forwarding we are bridging !
   net.ipv4.ip_forward=0

you can also test with :

ebtables -t broute -A BROUTING -p ipv4 -j ACCEPT
ebtables -t broute -A BROUTING ! -p ipv4 -j ACCEPT

Those will make sure all packets are bridge.

also check https://redmine.openinfosecfoundation.org/issues/2135

ok great. Thanks for the information Felipe. My Setup which i mentioned above is working since 6 month now. My initial query is still unanswered on bypass unit. Also is there a script I can use which can keep checking the Suricata PID and restart the process if it fails?

Thanks and Regards,
Mustaque

Have you tried ?

In you suricata.service add :
[Service]
Restart=on-failure

In your iptables rule that send trafic to suricata:
-j NFQUEUE --queue-bypass

In your suricata.yaml, in the "detect" section make sure you have :
delayed-detect: yes

With this trafic should never be interupted...

F.

Hi Felipe,

Much appreciate your information and detail. I will check that configuration change on my environment. One last query does Suricata support trunking?

Thanks and Regards,
Mustaque