Project

General

Profile

Actions
Copy link

Bug #5871

open
JI OD

ips/af-packet: doesn't work between 2 virtio devices

Bug #5871: ips/af-packet: doesn't work between 2 virtio devices

Added by Jason Ish about 3 years ago. Updated 6 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
6.0.10, 7.0.0-rc1, 8.0.0
Effort:
Difficulty:
Label:

Description

The scenario is a libvirt VM with 2 network interfaces using virtio and using Suricata to bridge between them. Things like ping work, but DNS doesn't. Changing the interfaces to e1000 in virt-manager allows the Suricata to bridge to work.

As the stock Linux bridge works between 2 virtio interfaces, Suricata likely should as well.

Related issues 2 (2 open0 closed)

Related to Suricata - Bug #6588: bridge 'ips' modes don't pass TCP traffic in virtual envNewCommunity TicketActions
Related to Suricata - Bug #6587: bridge 'tap' modes don't alert on TCP protocol rules in virtual envNewCommunity TicketActions

TR Updated by Tony Robinson about 1 year ago Actions
Copy link
 #2

Hey Fellas.

I ran into this issue some time ago as well.

https://forum.suricata.io/t/unable-to-get-tcp-traffic-to-flow-between-proxmox-bridges-using-suricata-af-packet-ips-mode-bridge/4343

And immediately got the same resolution - as in, don't use the virtio virtual network devices. As of today, march 13th, 2025, this is still an issue with proxmox - Suricata (and for whatever its worth, Snort3) can't sniff packets on virtio-net interfaces.

JI Updated by Jason Ish about 1 year ago Actions
Copy link
 #3

Tony Robinson wrote in #note-2:

Hey Fellas.

I ran into this issue some time ago as well.

https://forum.suricata.io/t/unable-to-get-tcp-traffic-to-flow-between-proxmox-bridges-using-suricata-af-packet-ips-mode-bridge/4343

And immediately got the same resolution - as in, don't use the virtio virtual network devices. As of today, march 13th, 2025, this is still an issue with proxmox - Suricata (and for whatever its worth, Snort3) can't sniff packets on virtio-net interfaces.

I haven't had issues sniffing packets on virtio that I can recall. Its when it comes to IPS mode, and the re-injecting of the packet with AF_PACKET IPS where I run into issues.

Are you doing IPS? Or just IDS sniffing?

PA Updated by Philippe Antoine 8 months ago Actions
Copy link
 #4

  • Status changed from New to Feedback

Is this still a problem in 8 ?

JI Updated by Jason Ish 8 months ago Actions
Copy link
 #5

Philippe Antoine wrote in #note-4:

Is this still a problem in 8 ?

Yes, no work has been done to address this.

JI Updated by Jason Ish 8 months ago Actions
Copy link
 #6

  • Affected Versions 8.0.0 added

PA Updated by Philippe Antoine 8 months ago Actions
Copy link
 #7

  • Status changed from Feedback to Assigned

JI Updated by Jason Ish 6 months ago Actions
Copy link
 #8

  • Related to Bug #6588: bridge 'ips' modes don't pass TCP traffic in virtual env added

JI Updated by Jason Ish 6 months ago Actions
Copy link
 #9

  • Related to Bug #6587: bridge 'tap' modes don't alert on TCP protocol rules in virtual env added

JI Updated by Jason Ish 6 months ago Actions
Copy link
 #10

Tony Robinson wrote in #note-2:

Hey Fellas.

I ran into this issue some time ago as well.

https://forum.suricata.io/t/unable-to-get-tcp-traffic-to-flow-between-proxmox-bridges-using-suricata-af-packet-ips-mode-bridge/4343

And immediately got the same resolution - as in, don't use the virtio virtual network devices. As of today, march 13th, 2025, this is still an issue with proxmox - Suricata (and for whatever its worth, Snort3) can't sniff packets on virtio-net interfaces.

@da_667 Has e1000 continued to work for you though?

Actions
Copy link

Also available in: PDF Atom