Support #3456

closed

AF_PACKET in IPS Mode Drop GRE

Added by Denis Stepanov about 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Hey Team,
I have some misunderstanding about the purpose of this Suricata behavior. In IPS mode, which uses AF_PACKET, Suricata drops some GRE packets.
How can I make Suricata ignore and bypass GRE traffic in IPS mode?

drop.log:

02/06/2020-11:08:39.354518: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=51883 PROTO=GRE Unknown protocol
02/06/2020-11:08:41.757095: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=57167 PROTO=GRE Unknown protocol
02/06/2020-11:08:42.891276: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=59688 PROTO=GRE Unknown protocol
02/06/2020-11:08:45.069087: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=64274 PROTO=GRE Unknown protocol
02/06/2020-11:08:47.539530: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=3785 PROTO=GRE Unknown protocol

Actions #1

Updated by Victor Julien about 4 years ago

For IPS mode you probably should look at 'pass' rules for that: https://suricata.readthedocs.io/en/suricata-5.0.1/performance/ignoring-traffic.html#pass-rules

Actions #2

Updated by Denis Stepanov about 4 years ago

Thank you for the quick answer. Yes, it's a nice solution, but I faced a problem when adding the bypass keyword to a rule - a segfault, like the one observed here https://redmine.openinfosecfoundation.org/issues/2953.
I have Suricata 5.0.0-dev (rev 69d0d484e), and will try to upgrade to 5.0.1.

For example, the rule

alert ip any any <> any any (msg:"pass all service traffic GRE"; sid:1000002;ip_proto 47;noalert;bypass;)

Segfault message:
[1672076.320163] W#02-ens192[23770]: segfault at 40 ip 0000561353bee7c8 sp 00007f57f50e3560 error 4 in suricata[561353b57000+47f000]

Actions #3

Updated by Peter Manev about 4 years ago

Just as a follow up. The rule above is missing ":" after "ip_proto".

Out of curiosity, is the result the same with the following rule and latest git:

pass ip any any <> any any (msg:"pass all service traffic GRE"; sid:1000002;ip_proto: 47;noalert;bypass;)
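
To make the syntax point concrete, here is an added example (not code from this thread or from the Suricata project): a small Python script that tallies drop.log lines by PROTO, builds the GRE pass rule in the correct ip_proto: form, and flags options written as "keyword value" instead of "keyword:value". The log lines are constructed after the excerpt in the description, and the protocol-number table is an assumption limited to the four entries listed.

```python
"""Summarise Suricata drop.log by IP protocol and build a matching pass rule.
Added example for the thread above; not Suricata's own code."""
import re
from collections import Counter

# Constructed sample in the layout of the drop.log excerpt (IPs are placeholders).
DROP_LOG = """\
02/06/2020-11:08:39.354518: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=51883 PROTO=GRE Unknown protocol
02/06/2020-11:08:41.757095: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=57167 PROTO=GRE Unknown protocol
02/06/2020-11:08:42.100000: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=84 TOS=0x00 TTL=64 ID=12 PROTO=ICMP Unknown protocol
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+): IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"LEN=(?P<len>\d+) TOS=(?P<tos>\S+) TTL=(?P<ttl>\d+) ID=(?P<id>\d+) PROTO=(?P<proto>\S+)(?P<rest>.*)$"
)

# IANA protocol numbers used by the ip_proto keyword; GRE is 47 (assumed table, not from the thread).
IP_PROTO_NUMBERS = {"GRE": 47, "TCP": 6, "UDP": 17, "ICMP": 1}


def parse_drop_log(text):
    """Return one dict per parsable drop.log line; unparsable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def count_by_proto(records):
    """Count dropped packets per PROTO value, e.g. Counter({'GRE': 2, 'ICMP': 1})."""
    return Counter(r["proto"] for r in records)


def pass_rule_for(proto, sid, bypass=False):
    """Build a pass rule like the one suggested in the thread, with the colon after
    ip_proto that the reporter's alert rule was missing. bypass is optional because
    the reporter saw a segfault with it on 5.0.0-dev."""
    num = IP_PROTO_NUMBERS[proto]
    tail = " bypass;" if bypass else ""
    return (f'pass ip any any <> any any (msg:"pass all {proto} traffic"; '
            f"ip_proto:{num}; sid:{sid}; rev:1;{tail})")


def option_syntax_errors(rule):
    """Flag options written 'keyword value' instead of 'keyword:value' (the mistake
    in the reporter's rule). Options with no value, such as noalert, are fine."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [opt.strip() for opt in body.split(";")
            if opt.strip() and ":" not in opt and " " in opt.strip()]
```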

Actions #4

Updated by Andreas Herz over 3 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
