Project

General

Profile

Actions
Copy link

Bug #5871

open

ips/af-packet: doesn't work between 2 virtio devices

Added by Jason Ish about 2 years ago. Updated 15 days ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
6.0.10, 7.0.0-rc1
Effort:
Difficulty:
Label:

Description

The scenario is a libvirt VM with 2 network interfaces using virtio and using Suricata to bridge between them. Things like ping work, but DNS doesn't. Changing the interfaces to e1000 in virt-manager allows the Suricata to bridge to work.

As the stock Linux bridge works between 2 virtio interfaces, Suricata likely should as well.

Actions
Copy link
 #2

Updated by Tony Robinson 15 days ago

Hey Fellas.

I ran into this issue some time ago as well.

https://forum.suricata.io/t/unable-to-get-tcp-traffic-to-flow-between-proxmox-bridges-using-suricata-af-packet-ips-mode-bridge/4343

And immediately got the same resolution - as in, don't use the virtio virtual network devices. As of today, march 13th, 2025, this is still an issue with proxmox - Suricata (and for whatever its worth, Snort3) can't sniff packets on virtio-net interfaces.

Actions
Copy link
 #3

Updated by Jason Ish 15 days ago

Tony Robinson wrote in #note-2:

Hey Fellas.

I ran into this issue some time ago as well.

https://forum.suricata.io/t/unable-to-get-tcp-traffic-to-flow-between-proxmox-bridges-using-suricata-af-packet-ips-mode-bridge/4343

And immediately got the same resolution - as in, don't use the virtio virtual network devices. As of today, march 13th, 2025, this is still an issue with proxmox - Suricata (and for whatever its worth, Snort3) can't sniff packets on virtio-net interfaces.

I haven't had issues sniffing packets on virtio that I can recall. Its when it comes to IPS mode, and the re-injecting of the packet with AF_PACKET IPS where I run into issues.

Are you doing IPS? Or just IDS sniffing?

Actions
Copy link

Also available in: Atom PDF