Bug #228
closed
Suricata can't drop or reject in bridge mode
Added by Joaquin Moreno over 13 years ago.
Updated over 13 years ago.
Description
Hello,
i have problemas with Suricata when i use a bridge in Linux Debian Squeeze.
Configuration:
- brctl addbr br0
- brctl addif br0 eth1 eth2
- ifconfig br0 up
- ifconfig eth1 up
- ifconfig eth2 up
- iptables -A INPUT -j NFQUEUE --queue-num 0
- suricata -c suricata.yaml -l /var/log/suricata/ -q 0
With this rule suricata can log the alert:
alert tcp any any -> any 80 (msg:"/etc/passwd"; content:"/etc/passwd";
nocase; sid:9900005; rev:2;)
But when i change "alert" to "drop" or "reject", Suricata failure with error code: SC_ERR_LIBNET_WRIT.
If i enable the log in iptables:
- iptables -F
- iptables -A FORWARD -j LOG
- iptables -A INPUT -j NFQUEUE --queue-num 0
- suricata -c suricata.yaml -l /var/log/suricata/ -q 0
Iptables said this error:
[ 1675.365811] IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=192.168.2.1 DST=192.168.2.104 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=24988
[2407] 2/1/2000 -- 02:45:36 - (respond-reject-libnet11.c:172) <Error> (RejectSendLibnet11L3IPv4TCP) -- [ERRCODE: SC_ERR_LIBNET_WRIT)
Suricata hunt the alert but it can't drop or reject the packet.
Thx you and sorry for my english :'(
Sorry:
Is not INPUT, I use FORWARD:
"iptables -A INPUT -j NFQUEUE --queue-num 0" -> "iptables -A FORWARD -j NFQUEUE --queue-num 0"
Thx.
Are you sure you're getting the SC_ERR_LIBNET_WRIT error even with only "drop" rules? That would be strange as the reject code should not be activated in that case.
Hello,
you're right, the error is only when the reject is enable, no drop. Sorry. The full errror with reject option is this:
[ 1675.365811] IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=192.168.2.1 DST=192.168.2.104 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=24988
[7558] 2/1/2000 -- 18:24:52 - (respond-reject-libnet11.c:172) <Error> (RejectSendLibnet11L3IPv4TCP) -- [ERRCODE: SC_ERR_LIBNET_WRITE_FAILED(145)] - libnet_write failed: libnet)
Now, drop works in bridge mode if i change the iptables rule:
iptables -A FORWARD -j NFQUEUE --queue-num 0
For that rule:
iptables -A FORWARD -j NFQUEUE --queue-num 0 -m physdev --physdev-in eth2 --physdev-out eth1
It works now but only in one direction.
Now i am working for read in two directions but i can't do it.
PD: Next week i want to import private certificate web for read SSL sesions(it's posible?)
Hi Joaquin.
As far as I know suricata cannot read ssl session (even with the certificate). If you find a way to inject decrypted traffic temporarily to an interface/nfqueue, then you can inspect it as normal. But suricata doesn't decrypt ssl sessions itself. Anyway, if you find a way to do it, please, share it here ;)
Regarding to directions, if you specify --physdev-in eth2 --physdev-out eth1 it will only work from eth2 to eth1. I'm not familiar to nfqueue, but what about specifying
iptables -A FORWARD -j NFQUEUE --queue-num 0 -i br0
Does it work?
- Status changed from New to Closed
Assuming fixed. Please reopen if it isn't.
Also available in: Atom
PDF