Project

General

Profile

Actions
Copy link

Support #3456

closed

AF_PACKET in IPS Mode Drop GRE

Added by Denis Stepanov about 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
5.0.0
Label:

Description

Hey Team,
I have a some misunderstanding such Suricata behavior purpose. In IPS mode, which use AF_PACKET Suricata drops some GRE packet.
How I can do, so that Suricata will ignore and bypass GRE traffic in IPS mode?

drop.log:

02/06/2020-11:08:39.354518: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=51883 PROTO=GRE Unknown protocol
02/06/2020-11:08:41.757095: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=57167 PROTO=GRE Unknown protocol
02/06/2020-11:08:42.891276: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=59688 PROTO=GRE Unknown protocol
02/06/2020-11:08:45.069087: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=64274 PROTO=GRE Unknown protocol
02/06/2020-11:08:47.539530: IN= OUT= SRC=<src_ip> DST=<dest_ip> LEN=64 TOS=0x00 TTL=253 ID=3785 PROTO=GRE Unknown protocol

Actions
Copy link

Also available in: Atom PDF