Bug #5871
openips/af-packet: doesn't work between 2 virtio devices
Description
The scenario is a libvirt VM with 2 network interfaces using virtio and using Suricata to bridge between them. Things like ping work, but DNS doesn't. Changing the interfaces to e1000 in virt-manager allows the Suricata to bridge to work.
As the stock Linux bridge works between 2 virtio interfaces, Suricata likely should as well.
Updated by Jason Ish about 2 years ago
So a known issue, from our forums at least: https://forum.suricata.io/t/ip-packet-handling-issues-in-virtio-net-on-certain-os-kernel-versions-on-kvm-vm/2688
Updated by Tony Robinson 18 days ago
Hey Fellas.
I ran into this issue some time ago as well.
And immediately got the same resolution - as in, don't use the virtio virtual network devices. As of today, March 13th, 2025, this is still an issue with Proxmox - Suricata (and for whatever it's worth, Snort3) can't sniff packets on virtio-net interfaces.
Updated by Jason Ish 18 days ago
Tony Robinson wrote in #note-2:
Hey Fellas.
I ran into this issue some time ago as well.
And immediately got the same resolution - as in, don't use the virtio virtual network devices. As of today, March 13th, 2025, this is still an issue with Proxmox - Suricata (and for whatever it's worth, Snort3) can't sniff packets on virtio-net interfaces.
I haven't had issues sniffing packets on virtio that I can recall. It's when it comes to IPS mode, and the re-injecting of the packet with AF_PACKET IPS, where I run into issues.
Are you doing IPS? Or just IDS sniffing?
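For reference, the AF_PACKET IPS configuration that reproduces the two-interface bridge discussed in this report looks like the following. This is an added example, not configuration from the reporter or from the Suricata project; the interface names eth0/eth1 and the cluster ids are assumptions.

```yaml
# Added example (not from the bug report): af-packet section of suricata.yaml
# bridging two guest NICs in IPS copy mode. eth0/eth1 are assumed names.
af-packet:
  - interface: eth0
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    # Every packet not dropped by a rule is re-injected out the peer NIC.
    copy-mode: ips
    copy-iface: eth1
    # Copy mode re-injects packets individually; the v3 ring does not
    # support that, so the v2 ring is kept here.
    tpacket-v3: no
    use-mmap: yes
    # With virtio-net, guest-side checksum offload can hand AF_PACKET
    # frames whose checksums are not yet filled in. Setting this to "no"
    # is a diagnostic step to tell a checksum problem from a re-injection
    # problem; "kernel" is the normal setting.
    checksum-checks: no
  - interface: eth1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: eth0
    tpacket-v3: no
    use-mmap: yes
    checksum-checks: no
```

Both interfaces must use the same thread count, and the Suricata AF_PACKET IPS documentation also recommends disabling NIC offloading (GRO, LRO, TSO, GSO) on both interfaces with ethtool before comparing virtio against e1000.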