Suricata

Can you upgrade to the stable release (currently 4.0.5) and try again? 3.x is no longer supported.

Victor Julien wrote:

Can you upgrade to the stable release (currently 4.0.5) and try again? 3.x is no longer supported.

Latest releases do not block either. It seems that the bug was introduced in 4474889667d664a66c1c123f4f7d2756e8a7fbb9: live devices list is created too late and AFPRunModeIsIPS() failes 'cause LiveGetDeviceCount() returns 0. The whole thing is called before LiveDeviceFinalize().

Alexander Gozman wrote:

Victor Julien wrote:

Can you upgrade to the stable release (currently 4.0.5) and try again? 3.x is no longer supported.

Latest releases do not block either. It seems that the bug was introduced in 4474889667d664a66c1c123f4f7d2756e8a7fbb9: live devices list is created too late and AFPRunModeIsIPS() failes 'cause LiveGetDeviceCount() returns 0. The whole thing is called before LiveDeviceFinalize().

Sorry, I've meant latest version (from git).

• the interfaces should have no IP
• no operating system bridge should be setup

From what you are writing you are seeing packet on FORWARD chain of iptables meaning that the operating system is "routing" the packet. This is not the way to do, Suricata is in charge of getting packet from one interface and copy it to the other interface.

Victor Julien wrote:

Can you upgrade to the stable release (currently 4.0.5) and try again? 3.x is no longer supported.

Thank you for your answers.
I will definitely try the new version.
BUT!

It surprises me.
I'm using the latest version of Debian and its stable repository.

1. lsb_release -a
   No LSB modules are available.
   Distributor ID: Debian
   Description: Debian GNU/Linux 9.4 (stretch)
   Release: 9.4
   Codename: stretch

1. uname -a
   Linux suricata 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux

Put this package from a stable repository using apt.

1. cat /etc/apt/sources.list

deb http://ftp.ru.debian.org/debian/ stretch main
deb-src http://ftp.ru.debian.org/debian/ stretch main

deb http://security.debian.org/debian-security stretch/updates main contrib
deb-src http://security.debian.org/debian-security stretch/updates main contrib

1. stretch-updates, previously known as 'volatile'
   deb http://ftp.ru.debian.org/debian/ stretch-updates main contrib
   deb-src http://ftp.ru.debian.org/debian/ stretch-updates main contrib

After installation, the marijuana works by default in af_packet.

Are you sure there is a bug in this version?

Eric Leblond wrote:

I'm not sure I understand your setup. In AF_PACKET IPS mode:

• the interfaces should have no IP
• no operating system bridge should be setup

From what you are writing you are seeing packet on FORWARD chain of iptables meaning that the operating system is "routing" the packet. This is not the way to do, Suricata is in charge of getting packet from one interface and copy it to the other interface.

1. iptables -L
   Chain INPUT (policy ACCEPT)
   target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

1. iptables -t mangle -L
   Chain PREROUTING (policy ACCEPT)
   target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

1. iptables -t nat -L
   Chain PREROUTING (policy ACCEPT)
   target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

cat /proc/sys/net/ipv4/ip_forward
1

If ip_forward = 0, then neither the system, nor the suricata does not transmit traffic!

"Suricata is in charge of getting packet from one interface and copy it to the other interface." - I understand this perfectly.

"the interfaces should have no IP" - At what level of the OSI model should I interact with this design? How should I transfer and receive traffic from the suricata?
Where can you read about it. Thank you.

ifconfig eth0 217.100.100.100/32 up
ifconfig eth1 192.168.1.1/25

In AF_PACKET IPS mode, we have a layer 2 bridge so you can't have 2 interfaces with different network attached. A typical setup will be:
[Clients Network (192.168.1.0/24)] -- [eth1 - Suricata - eth0] -- [ ethX (192.168.1.1) - Gateway - ethN (Public IP)]

So the hosts in the clients, really speak with the gateway and the Suricata box is completely transparent.

Eric Leblond wrote:

In AF_PACKET IPS mode, we have a layer 2 bridge so you can't have 2 interfaces with different network attached. A typical setup will be:
[Clients Network (192.168.1.0/24)] -- [eth1 - Suricata - eth0] -- [ ethX (192.168.1.1) - Gateway - ethN (Public IP)]

So the hosts in the clients, really speak with the gateway and the Suricata box is completely transparent.

traffic arrives on ethN (Public IP), as it is transmitted to this one ??
According to the concept of the AXI model and traffic forwarding, packets will run immediately from ethN (Public IP) to ethX (192.168.1.1). So the bridge is needed between ethN (Public IP) <-> eth0 and eth1 <-> ethX (192.168.1.1)
Where is all this written about?

PS I created ifconfig eth0 217.100.100.100 up && ifconfig eth1 0 up && ifconfig eth2 0 up && ifconfig eth3 192.168.34.0/24 up.
Changed file file /etc/suricata/suricata.yaml
...
af-packet:
- interface: eth0
threads: 1
defrag: yes
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: eth1
buffer-size: 64535
use-mmap: yes
- interface: eth1
threads: 1
cluster-id: 97
defrag: yes
cluster-type: cluster_flow
copy-mode: ips
copy-iface: eth0
buffer-size: 64535
use-mmap: yes
....
Traffic is not blocked. With the interface eth3, banned traffic goes away.

Sorry/ Changed file file /etc/suricata/suricata.yaml
...
af-packet:
- interface: eth1
threads: 1
defrag: yes
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: eth2
buffer-size: 64535
use-mmap: yes
- interface: eth2
threads: 1
cluster-id: 97
defrag: yes
cluster-type: cluster_flow
copy-mode: ips
copy-iface: eth1
buffer-size: 64535
use-mmap: yes

Traffic is not blocked. With the interface eth3, banned traffic goes away.

And sorry///
" concept of the AXI model" -> concept of the OSI model :)))) translator failed

Please help me figure it out !!

I assume the last picture was posted by mistake, so I've removed it.

If you're using Suricata in IPS mode with AF_PACKET, Suricata will be a L2 bridge. Iptables won't be involved and the interfaces should not have IPaddresses.

Alternatively, you can run a routing IPS with Suricata. In this case you do assign IPaddreses, you do use iptables and you run Suricata with NFQ instead of AF_PACKET.