Bug #6587 (open)

DPDK 'tap' mode doesn't alert on TCP protocol rules

Added by Francis Trudeau 6 months ago. Updated 6 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Tested using:

Suricata version 8.0.0-dev (d005fff7b 2023-11-24)
Suricata version 7.0.3-dev (aae6beaa5 2023-11-22)
Suricata version 7.0.3-dev (c8a7204b1 2023-11-02)

In a Debian 12 QEMU VM using either e1000 or virtio NICs.

Test sensor has two detection NICs, straddling two virtual networks. Each virtual network has a VM, one acting as a client (10.1.11.1/16) and one acting as a server (10.1.12.1/16). I ran inetsim on the 'server'.

I tried detecting SMTP, HTTP, DNS and FTP using the attached local.rules.

I generated traffic with the attached generate_detections.sh.

When running Suricata using attached manual_dpdk_suricata.sh, I get no TCP protocol detections. See attached fast.dpdk.log.

When running Suricata using attached manual_bridge_suricata.sh, I get the expected detections. See attached fast.br0.log.


Files

suricata.dpdk.tap.yaml (83.3 KB), Francis Trudeau, 11/29/2023 07:21 PM
local.rules (787 Bytes), Francis Trudeau, 11/29/2023 07:21 PM
suricata.dpdk.tap.log (23.6 KB), Francis Trudeau, 11/29/2023 07:22 PM
manual_dpdk_suricata.sh (908 Bytes), Francis Trudeau, 11/29/2023 07:31 PM
generate_detections.sh (241 Bytes), Francis Trudeau, 11/29/2023 07:42 PM
manual_bridge_suricata.sh (681 Bytes), Francis Trudeau, 11/29/2023 07:51 PM
fast.dpdk.log (2.69 KB), Francis Trudeau, 11/29/2023 07:54 PM
fast.br0.log (6.09 KB), Francis Trudeau, 11/29/2023 07:55 PM
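The report's evidence is a pair of fast.log files: the bridge run alerts on all four protocols, the DPDK tap run only on the non-TCP one. As an added example, not part of the report and not one of the attached scripts, the Python below parses Suricata's one-line-per-alert fast.log format and lists the signatures that fired in a reference run but never in a candidate run, grouped by the transport shown in braces on each line. The sample log lines, SIDs and rule messages are constructed to resemble the described setup (client 10.1.11.1, inetsim on 10.1.12.1) and are not the attached fast.br0.log or fast.dpdk.log.

```python
"""Compare two Suricata fast.log captures by transport protocol.

Added example for this report, not one of the attached scripts. The fast.log
line format is the one Suricata documents; the sample lines, SIDs and messages
below are constructed for illustration and are not the attached logs.
"""
import re
from collections import defaultdict

# One fast.log alert line looks like:
# 11/29/2023-19:54:01.000001  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 3] {TCP} 10.1.11.1:40002 -> 10.1.12.1:80
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample (not the attached files): what a bridge run and a DPDK tap
# run might log for the four protocols the report exercises. SIDs are invented.
BRIDGE_FAST_LOG = """\
11/29/2023-19:54:01.000001  [**] [1:1000001:1] LOCAL DNS query to inetsim [**] [Classification: (null)] [Priority: 3] {UDP} 10.1.11.1:40001 -> 10.1.12.1:53
11/29/2023-19:54:02.000001  [**] [1:1000002:1] LOCAL HTTP request to inetsim [**] [Classification: (null)] [Priority: 3] {TCP} 10.1.11.1:40002 -> 10.1.12.1:80
11/29/2023-19:54:03.000001  [**] [1:1000003:1] LOCAL SMTP EHLO to inetsim [**] [Classification: (null)] [Priority: 3] {TCP} 10.1.11.1:40003 -> 10.1.12.1:25
11/29/2023-19:54:04.000001  [**] [1:1000004:1] LOCAL FTP USER to inetsim [**] [Classification: (null)] [Priority: 3] {TCP} 10.1.11.1:40004 -> 10.1.12.1:21
"""

DPDK_FAST_LOG = """\
11/29/2023-19:55:01.000001  [**] [1:1000001:1] LOCAL DNS query to inetsim [**] [Classification: (null)] [Priority: 3] {UDP} 10.1.11.1:40011 -> 10.1.12.1:53
"""


def parse_fast_log(text):
    """Return one dict per alert line; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_RE.match(line)
        if not m:
            continue  # e.g. a truncated or non-alert line
        alerts.append({
            "sid": int(m.group("sid")),
            "msg": m.group("msg"),
            "proto": m.group("proto").upper(),
            "src": m.group("src"),
            "dst": m.group("dst"),
        })
    return alerts


def alerts_by_proto(alerts):
    """Map transport ({TCP}, {UDP}, ...) to the set of (sid, msg) that fired on it."""
    out = defaultdict(set)
    for a in alerts:
        out[a["proto"]].add((a["sid"], a["msg"]))
    return dict(out)


def missing_signatures(reference, candidate):
    """Signatures seen in reference but never in candidate, keyed by transport.

    A transport only appears in the result if at least one signature is missing,
    so an empty dict means the candidate run matched the reference run.
    """
    ref = alerts_by_proto(reference)
    cand = alerts_by_proto(candidate)
    result = {}
    for proto, sigs in ref.items():
        gap = sigs - cand.get(proto, set())
        if gap:
            result[proto] = sorted(gap)
    return result


def main():
    bridge = parse_fast_log(BRIDGE_FAST_LOG)
    dpdk = parse_fast_log(DPDK_FAST_LOG)
    print(f"bridge run: {len(bridge)} alerts, dpdk tap run: {len(dpdk)} alerts")
    for proto, sigs in missing_signatures(bridge, dpdk).items():
        print(f"missing on {proto} in dpdk tap run:")
        for sid, msg in sigs:
            print(f"  sid {sid}: {msg}")


if __name__ == "__main__":
    main()
```

Run against the real attachments by replacing the two constructed strings with the contents of fast.br0.log and fast.dpdk.log; a result containing only a "TCP" key is the pattern the report describes, while any entry under "UDP" would point at a different problem than the one reported.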

Related issues (1 open, 0 closed)

Related to Suricata - Bug #6588: DPDK 'ips' mode doesn't pass TCP traffic (New, OISF Dev)
#1

Updated by Jason Ish 6 months ago

Perhaps related, https://redmine.openinfosecfoundation.org/issues/5871. I've had nothing but trouble testing AF_PACKET and NFQ IPS modes in KVM and VirtualBox.

#2

Updated by Francis Trudeau 6 months ago

Jason Ish wrote in #note-1:

Perhaps related, https://redmine.openinfosecfoundation.org/issues/5871. I've had nothing but trouble testing AF_PACKET and NFQ IPS modes in KVM and VirtualBox.

It's looking like that.

I'm getting the exact same behavior using af-packet tap and IPS mode. IPS blocks all TCP traffic and tap doesn't alert on any layer 4 rules over TCP but does pass the traffic.

I also sniffed on the 'server' interface of the af-packet IPS setup. The SA packets are showing up at the interface so it's Suricata that's not letting them through. I wasn't able to verify that using DPDK.

related:

https://redmine.openinfosecfoundation.org/issues/6588

#3

Updated by Victor Julien 6 months ago

  • Related to Bug #6588: DPDK 'ips' mode doesn't pass TCP traffic added