Bug #5871
open
ips/af-packet: doesn't work between 2 virtio devices
Added by Jason Ish about 2 years ago.
Updated 19 days ago.
Description
The scenario is a libvirt VM with 2 network interfaces using virtio and using Suricata to bridge between them. Things like ping work, but DNS doesn't. Changing the interfaces to e1000 in virt-manager allows the Suricata bridge to work.
As the stock Linux bridge works between 2 virtio interfaces, Suricata likely should as well.
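The af-packet IPS configuration the scenario describes (two interfaces bridged in copy mode), as an added example for reproducing the report; it is not part of the original ticket, and the interface names enp1s0/enp2s0 are assumed stand-ins for the VM's two virtio NICs:

```yaml
# suricata.yaml excerpt: inline (IPS) bridging between two interfaces.
# Each interface copies every packet it receives to the other one, so the
# VM acts as a layer-2 bridge with Suricata in the path.
af-packet:
  - interface: enp1s0          # assumed name of the first virtio NIC
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips             # drop packets matching drop rules, forward the rest
    copy-iface: enp2s0         # where accepted packets are re-injected
    use-mmap: yes
    tpacket-v3: no             # the stock suricata.yaml advises against tpacket-v3 in IPS/TAP mode
  - interface: enp2s0          # assumed name of the second virtio NIC
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: enp1s0
    use-mmap: yes
    tpacket-v3: no
```

Start it with `suricata -c /etc/suricata/suricata.yaml --af-packet`; since the report says ping crosses the bridge while DNS does not, the useful check is a DNS lookup from a host on one side, not a ping.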
Tony Robinson wrote in #note-2:
Hey Fellas.
I ran into this issue some time ago as well.
https://forum.suricata.io/t/unable-to-get-tcp-traffic-to-flow-between-proxmox-bridges-using-suricata-af-packet-ips-mode-bridge/4343
And immediately got the same resolution - as in, don't use the virtio virtual network devices. As of today, March 13th, 2025, this is still an issue with proxmox - Suricata (and for whatever it's worth, Snort3) can't sniff packets on virtio-net interfaces.
I haven't had issues sniffing packets on virtio that I can recall. It's when it comes to IPS mode, and the re-injecting of the packet with AF_PACKET IPS, where I run into issues.
Are you doing IPS? Or just IDS sniffing?