Project

General

Profile

Actions
Copy link

Support #3377

closed

AF_Packet IPS Mode is not Dropping Traffic

Added by Taylor Walton over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Taylor Walton
Affected Versions:
4.1.5
Label:

Description

Hey Team,

I am currently running Suricata 4.1.5 inline in AF_Packet mode. I have the engine running in IPS mode, but I am still seeing traffic get through.

I am currently running in AF_Packet mode with details shown below:

[root@us4suricata1 ~]# suricata --dump-config | grep af.packet
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = em2
af-packet.0.threads = auto
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_flow
af-packet.0.defrag = no
af-packet.0.use-mmap = yes
af-packet.0.mmap-locked = yes
af-packet.0.ring-size = 20000
af-packet.0.copy-mode = ips
af-packet.0.copy-iface = em1
af-packet.1 = interface
af-packet.1.interface = em1
af-packet.1.threads = auto
af-packet.1.cluster-id = 98
af-packet.1.cluster-type = cluster_flow
af-packet.1.defrag = no
af-packet.1.use-mmap = yes
af-packet.1.ring-size = 20000
af-packet.1.copy-mode = ips
af-packet.1.copy-iface = em2
af-packet.2 = interface
af-packet.2.interface = default

[root@us4suricata1 ~]# suricata --dump-config | grep stream
outputs.7.pcap-log.use-stream-depth = no
app-layer.protocols.modbus.stream-depth = 0
stream = (null)
stream.memcap = 64mb
stream.checksum-validation = yes
stream.inline = yes
stream.reassembly = (null)
stream.reassembly.memcap = 256mb
stream.reassembly.depth = 1mb

With the copy-mode set to ips and the stream.inline option set to yes, I would expect Suricata to be dropping alerts marked as "drop". However, the traffic is still passing through. Suricata is recognizing that packets should be dropped, as shown in the drop.log and eve.json alerts (I have attached screenshots). I can re trigger this alert by navigating to check.torproject.org in a web browser on my host machine, and even though Suricata is reporting the alert as "blocked", I can still hit the web server (I opened in a private browser to ensure the website was not cached). I also see an entry hit the drop.log file.

I used the command "suricata -c /etc/suricata/suricata.yaml --af-packet" to start the engine.

I have also attached my suricata.yaml file hoping that can provide any more detail to you guys.

Any help would be greatly appreciated as I have been left scratching my head for the last few days trying to figure out why traffic is not actually being dropped even though Suricata thinks it is.

Thank you for the help in advance and for you guys continuous deployment of this great tool!

Best Regards,

Taylor

Files

Download all files
eve_json_blocked.PNG (61.5 KB) eve_json_blocked.PNG eve.json Taylor Walton, 12/03/2019 04:36 PM
drop_log.PNG (13.8 KB) drop_log.PNG drop.log Taylor Walton, 12/03/2019 04:41 PM
suricata.yaml (72.6 KB) suricata.yaml suricata.yaml Taylor Walton, 12/03/2019 04:46 PM
interfaces.PNG (35.2 KB) interfaces.PNG Taylor Walton, 12/06/2019 10:52 PM
Actions
Copy link

Also available in: Atom PDF