Project

General

Profile

Actions

Bug #228

closed

Suricata can't drop or reject in bridge mode

Added by Joaquin Moreno about 11 years ago. Updated about 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello,

i have problemas with Suricata when i use a bridge in Linux Debian Squeeze.

Configuration:

  1. brctl addbr br0
  2. brctl addif br0 eth1 eth2
  3. ifconfig br0 up
  4. ifconfig eth1 up
  5. ifconfig eth2 up
  6. iptables -A INPUT -j NFQUEUE --queue-num 0
  7. suricata -c suricata.yaml -l /var/log/suricata/ -q 0

With this rule suricata can log the alert:
alert tcp any any -> any 80 (msg:"/etc/passwd"; content:"/etc/passwd";
nocase; sid:9900005; rev:2;)

But when i change "alert" to "drop" or "reject", Suricata failure with error code: SC_ERR_LIBNET_WRIT.

If i enable the log in iptables:

  1. iptables -F
  2. iptables -A FORWARD -j LOG
  3. iptables -A INPUT -j NFQUEUE --queue-num 0
  4. suricata -c suricata.yaml -l /var/log/suricata/ -q 0

Iptables said this error:
[ 1675.365811] IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=192.168.2.1 DST=192.168.2.104 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=24988
[2407] 2/1/2000 -- 02:45:36 - (respond-reject-libnet11.c:172) <Error> (RejectSendLibnet11L3IPv4TCP) -- [ERRCODE: SC_ERR_LIBNET_WRIT)

Suricata hunt the alert but it can't drop or reject the packet.

Thx you and sorry for my english :'(

Actions #1

Updated by Joaquin Moreno about 11 years ago

Sorry:
Is not INPUT, I use FORWARD:
"iptables -A INPUT -j NFQUEUE --queue-num 0" -> "iptables -A FORWARD -j NFQUEUE --queue-num 0"

Thx.

Actions #2

Updated by Victor Julien about 11 years ago

Are you sure you're getting the SC_ERR_LIBNET_WRIT error even with only "drop" rules? That would be strange as the reject code should not be activated in that case.

Actions #3

Updated by Joaquin Moreno about 11 years ago

Hello,

you're right, the error is only when the reject is enable, no drop. Sorry. The full errror with reject option is this:

[ 1675.365811] IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=192.168.2.1 DST=192.168.2.104 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=24988
[7558] 2/1/2000 -- 18:24:52 - (respond-reject-libnet11.c:172) <Error> (RejectSendLibnet11L3IPv4TCP) -- [ERRCODE: SC_ERR_LIBNET_WRITE_FAILED(145)] - libnet_write failed: libnet)

Now, drop works in bridge mode if i change the iptables rule:
iptables -A FORWARD -j NFQUEUE --queue-num 0

For that rule:
iptables -A FORWARD -j NFQUEUE --queue-num 0 -m physdev --physdev-in eth2 --physdev-out eth1

It works now but only in one direction.

Now i am working for read in two directions but i can't do it.

PD: Next week i want to import private certificate web for read SSL sesions(it's posible?)

Actions #4

Updated by Pablo Rincon about 11 years ago

Hi Joaquin.

As far as I know suricata cannot read ssl session (even with the certificate). If you find a way to inject decrypted traffic temporarily to an interface/nfqueue, then you can inspect it as normal. But suricata doesn't decrypt ssl sessions itself. Anyway, if you find a way to do it, please, share it here ;)

Regarding to directions, if you specify --physdev-in eth2 --physdev-out eth1 it will only work from eth2 to eth1. I'm not familiar to nfqueue, but what about specifying
iptables -A FORWARD -j NFQUEUE --queue-num 0 -i br0
Does it work?

Actions #5

Updated by Victor Julien about 11 years ago

  • Status changed from New to Closed

Assuming fixed. Please reopen if it isn't.

Actions

Also available in: Atom PDF