Bug #6587

open

bridge 'tap' modes don't alert on TCP protocol rules in virtual env

Added by Francis Trudeau almost 2 years ago. Updated about 2 hours ago.

Status: New
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Tested using:

Suricata version 8.0.0-dev (d005fff7b 2023-11-24)
Suricata version 7.0.3-dev (aae6beaa5 2023-11-22)
Suricata version 7.0.3-dev (c8a7204b1 2023-11-02)

In a Debian 12 Qemu VM using either e1000 or virtio NICs.

Test sensor has two detection NICs, straddling two virtual networks. Each virtual network has a VM, one acting as a client (10.1.11.1/16) and one acting as a server (10.1.12.1/16). I ran inetsim on the 'server'.

I tried detecting SMTP, HTTP, DNS and FTP using the attached local.rules.

I generated traffic with the attached generate_detections.sh.

When running Suricata using attached manual_dpdk_suricata.sh, I get no TCP protocol detections. See attached fast.dpdk.log.

When running Suricata using attached manual_bridge_suricata.sh, I get the expected detections. See attached fast.br0.log.


Files

suricata.dpdk.tap.yaml (83.3 KB) - Francis Trudeau, 11/29/2023 07:21 PM
local.rules (787 Bytes) - Francis Trudeau, 11/29/2023 07:21 PM
suricata.dpdk.tap.log (23.6 KB) - Francis Trudeau, 11/29/2023 07:22 PM
manual_dpdk_suricata.sh (908 Bytes) - Francis Trudeau, 11/29/2023 07:31 PM
generate_detections.sh (241 Bytes) - Francis Trudeau, 11/29/2023 07:42 PM
manual_bridge_suricata.sh (681 Bytes) - Francis Trudeau, 11/29/2023 07:51 PM
fast.dpdk.log (2.69 KB) - Francis Trudeau, 11/29/2023 07:54 PM
fast.br0.log (6.09 KB) - Francis Trudeau, 11/29/2023 07:55 PM

Related issues: 2 (2 open, 0 closed)

Related to Suricata - Bug #6588: bridge 'ips' modes don't pass TCP traffic in virtual env (New, assigned to Community Ticket)
Related to Suricata - Bug #5871: ips/af-packet: doesn't work between 2 virtio devices (Assigned, assigned to OISF Dev)
Actions #1

Updated by Jason Ish almost 2 years ago

Perhaps related, https://redmine.openinfosecfoundation.org/issues/5871. I've had nothing but trouble testing AF_PACKET and NFQ IPS modes in KVM and VirtualBox.

Actions #2

Updated by Francis Trudeau almost 2 years ago

Jason Ish wrote in #note-1:

Perhaps related, https://redmine.openinfosecfoundation.org/issues/5871. I've had nothing but trouble testing AF_PACKET and NFQ IPS modes in KVM and VirtualBox.

It's looking like that.

I'm getting the exact same behavior using af-packet tap and IPS mode. IPS blocks all TCP traffic and tap doesn't alert on any layer 4 rules over TCP but does pass the traffic.

I also sniffed on the 'server' interface of the af-packet IPS setup. The SA packets are showing up at the interface so it's Suricata that's not letting them through. I wasn't able to verify that using DPDK.

Related:

https://redmine.openinfosecfoundation.org/issues/6588
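One way to do the capture comparison described in note #2 in a repeatable way, as an added example that is not part of this ticket, its attachments, or Suricata itself: it parses `tcpdump -n` output taken on the client-facing and server-facing legs of the bridge (the sample lines below are constructed) and lists the flows whose SYN-ACK reached the server-side interface but never came out on the client side.

```python
import re
from collections import defaultdict
# Constructed tcpdump -n style lines, as might be captured on the client-facing
# and server-facing legs of the bridge during the HTTP/SMTP test (sample data,
# not from the ticket's attachments).
CLIENT_SIDE = """\
12:00:00.000001 IP 10.1.11.1.40000 > 10.1.12.1.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000200 IP 10.1.12.1.80 > 10.1.11.1.40000: Flags [S.], seq 100, ack 2, win 65160, length 0
12:00:00.000300 IP 10.1.11.1.40000 > 10.1.12.1.80: Flags [.], ack 101, win 502, length 0
12:00:01.000001 IP 10.1.11.1.40001 > 10.1.12.1.25: Flags [S], seq 5, win 64240, length 0
"""
SERVER_SIDE = """\
12:00:00.000050 IP 10.1.11.1.40000 > 10.1.12.1.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000150 IP 10.1.12.1.80 > 10.1.11.1.40000: Flags [S.], seq 100, ack 2, win 65160, length 0
12:00:00.000350 IP 10.1.11.1.40000 > 10.1.12.1.80: Flags [.], ack 101, win 502, length 0
12:00:01.000050 IP 10.1.11.1.40001 > 10.1.12.1.25: Flags [S], seq 5, win 64240, length 0
12:00:01.000150 IP 10.1.12.1.25 > 10.1.11.1.40001: Flags [S.], seq 200, ack 6, win 65160, length 0
"""

# "src.port > dst.port: Flags [..]"; IPv4 only, which is all the test used.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def handshake_steps(capture):
    """Map each flow, keyed by its originator (client ip, port, server ip, port),
    to the set of handshake steps observed on this interface."""
    steps = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            steps[(src, sport, dst, dport)].add("syn")
        elif flags == "S.":
            # The SYN-ACK travels server -> client; re-key on the originator.
            steps[(dst, dport, src, sport)].add("syn-ack")
    return steps

def dropped_syn_acks(client_capture, server_capture):
    """Flows whose SYN-ACK appeared on the server-side leg but never on the
    client-side leg: the reply entered the bridge and was not forwarded."""
    client = handshake_steps(client_capture)
    server = handshake_steps(server_capture)
    return sorted(flow for flow, seen in server.items()
                  if "syn-ack" in seen and "syn-ack" not in client.get(flow, set()))

if __name__ == "__main__":
    for flow in dropped_syn_acks(CLIENT_SIDE, SERVER_SIDE):
        print("SYN-ACK not forwarded for %s:%s -> %s:%s" % flow)
```

Feed it the real captures from both legs of the bridge (taken while generate_detections.sh runs) to tell a SYN-ACK that never arrived at the sensor apart from one the sensor dropped.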

Actions #3

Updated by Victor Julien almost 2 years ago

  • Related to Bug #6588: bridge 'ips' modes don't pass TCP traffic in virtual env added
Actions #4

Updated by Philippe Antoine 4 months ago

  • Assignee changed from OISF Dev to Lukas Sismis
Actions #5

Updated by Victor Julien 3 days ago

  • Subject changed from DPDK 'tap' mode doesn't alert on TCP protocol rules to bridge 'tap' modes don't alert on TCP protocol rules in virtual env

These modes are generally functioning well on real hw, so it's unclear what is different in VM setups.

Actions #6

Updated by Victor Julien 3 days ago

  • Assignee changed from Lukas Sismis to Community Ticket
Actions #7

Updated by Jason Ish about 2 hours ago

  • Related to Bug #5871: ips/af-packet: doesn't work between 2 virtio devices added
Actions #8

Updated by Jason Ish about 2 hours ago

My comment here is applicable to this ticket as well: https://redmine.openinfosecfoundation.org/issues/6588#note-9
