Project

General

Profile

Actions
Copy link

Bug #6588

open

DPDK 'ips' mode doesn't pass TCP traffic

Added by Francis Trudeau 5 months ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Tested using:

Suricata version 8.0.0-dev (d005fff7b 2023-11-24)
Suricata version 7.0.3-dev (aae6beaa5 2023-11-22)
Suricata version 7.0.3-dev (c8a7204b1 2023-11-02)

In a Debian 12 Qemu VM using either e1000 or virtio NICs.

Test sensor has two detection NICs, straddling two virtual networks. Each virtual network has a VM, one acting as a client (10.1.11.1/16) and one acting as a server (10.1.12.1/16). I ran inetsim on the 'server'.

When attempting a TCP connection from client to server using any method it fails. The SYN packets from the server never make it back to the client. See attached pcaps.

Files

Download all files
manual_dpdk_ips_suricata.sh (908 Bytes) manual_dpdk_ips_suricata.sh Francis Trudeau, 11/29/2023 08:09 PM
10.1.11.1_client_ips_mode.pcap (474 Bytes) 10.1.11.1_client_ips_mode.pcap Francis Trudeau, 11/29/2023 08:10 PM
10.1.12.1_server_ips_mode.pcap (1.17 KB) 10.1.12.1_server_ips_mode.pcap Francis Trudeau, 11/29/2023 08:10 PM
suricata.dpdk.ips.yaml (83.3 KB) suricata.dpdk.ips.yaml Francis Trudeau, 11/29/2023 08:12 PM

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #6587: DPDK 'tap' mode doesn't alert on TCP protocol rulesNewOISF DevActions
Actions
Copy link
 #1

Updated by Francis Trudeau 5 months ago

IPS did not pass traffic with or without pass rules:

pass ip any any <> any any (msg:"IP pass"; sid:3031; rev:1;)

pass tcp any any <> any any (msg:"TCP pass"; sid:3032; rev:1;)

Actions
Copy link
 #2

Updated by Francis Trudeau 5 months ago

related: https://redmine.openinfosecfoundation.org/issues/6587

As mentioned in the other bug, I am finding the same behavior using af-packet in tap and IPS mode.

Actions
Copy link
 #3

Updated by Lukas Sismis 5 months ago

Hi @Francis Trudeau,

have you tested the functionality with other capture modes as well?
Can't it be possible there is a configuration issue?

Sorry, ok, I followed your comments in other tickets and I see there is some underlying issue with the setup/Suricata. Considering it works neither with AFP or with DPDK it seems like the capture modules is not the one to blame.

Actions
Copy link
 #4

Updated by Francis Trudeau 5 months ago

Lukas Sismis wrote in #note-3:

Hi @Francis Trudeau,

have you tested the functionality with other capture modes as well?
Can't it be possible there is a configuration issue?

See this related bug:

https://redmine.openinfosecfoundation.org/issues/6587

If I create a bridge and use the same config file, except with '-i br0' instead of '--dpdk', I see detections.

This is also happening with '--af-packet'

Actions
Copy link
 #5

Updated by Victor Julien 5 months ago

  • Related to Bug #6587: DPDK 'tap' mode doesn't alert on TCP protocol rules added
Actions
Copy link

Also available in: Atom PDF