Bug #6588
openDPDK 'ips' mode doesn't pass TCP traffic
Description
Tested using:
Suricata version 8.0.0-dev (d005fff7b 2023-11-24)
Suricata version 7.0.3-dev (aae6beaa5 2023-11-22)
Suricata version 7.0.3-dev (c8a7204b1 2023-11-02)
In a Debian 12 Qemu VM using either e1000 or virtio NICs.
Test sensor has two detection NICs, straddling two virtual networks. Each virtual network has a VM, one acting as a client (10.1.11.1/16) and one acting as a server (10.1.12.1/16). I ran inetsim on the 'server'.
When attempting a TCP connection from client to server using any method, it fails. The SYN packets from the server never make it back to the client. See attached pcaps.
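The symptom above (a SYN crosses the sensor, nothing comes back) is easy to confirm mechanically from the pcaps. The following script is an added example, not code from the reporter or from the Suricata project: it reads a classic pcap (not pcapng), pairs every client SYN with the matching SYN-ACK, and reports the handshakes that were never answered. The embedded capture is constructed sample data using the 10.1.11.1 client and 10.1.12.1 server addresses from the report; the ports, sequence numbers and checksums are made up and not validated.

```python
"""
Find TCP SYNs in a pcap that never received a SYN-ACK.

Added example (not part of the bug report). Standard library only, so it can
run on a sensor with nothing but Python installed. Handles classic pcap with
Ethernet framing; pcapng and other link types are rejected explicitly.
"""
import struct

SYN, ACK = 0x02, 0x10


def _ipv4_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame with the given TCP flags (constructed test data;
    checksums are left at zero because the parser below never verifies them)."""
    ip_bytes = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames into a classic little-endian pcap (LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, tcp_flags) for each IPv4/TCP packet in a pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue  # not TCP
        src = ".".join(str(b) for b in frame[14 + 12:14 + 16])
        dst = ".".join(str(b) for b in frame[14 + 16:14 + 20])
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue  # truncated header
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[13]


def unanswered_syns(pcap):
    """Return (client, server, client_port, server_port) for SYNs with no SYN-ACK back.
    Retransmitted SYNs collapse into one entry; a SYN-ACK is matched by reversing its tuple."""
    syns = {}
    synacks = set()
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        if flags & (SYN | ACK) == SYN:          # client opening a connection
            syns[(src, dst, sport, dport)] = True
        elif flags & (SYN | ACK) == SYN | ACK:  # server answering; key by client side
            synacks.add((dst, src, dport, sport))
    return [key for key in syns if key not in synacks]


# Constructed capture: one completed handshake on port 80, one SYN on 443 left unanswered.
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame("10.1.11.1", "10.1.12.1", 40000, 80, SYN),
    _ipv4_tcp_frame("10.1.12.1", "10.1.11.1", 80, 40000, SYN | ACK),
    _ipv4_tcp_frame("10.1.11.1", "10.1.12.1", 40000, 80, ACK),
    _ipv4_tcp_frame("10.1.11.1", "10.1.12.1", 40001, 443, SYN),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for client, server, cport, sport in unanswered_syns(data):
        print(f"no SYN-ACK for {client}:{cport} -> {server}:{sport}")
```

Run it against the client-side capture taken on the sensor's inside interface: a healthy inline path prints nothing, while the behaviour described in this report shows every attempted connection listed. Comparing the output from a capture on each of the two detection NICs tells you on which side of Suricata the SYN-ACK is being dropped.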
Files
Updated by Francis Trudeau about 1 year ago
IPS did not pass traffic with or without pass rules:
pass ip any any <> any any (msg:"IP pass"; sid:3031; rev:1;)
pass tcp any any <> any any (msg:"TCP pass"; sid:3032; rev:1;)
Updated by Francis Trudeau about 1 year ago
related: https://redmine.openinfosecfoundation.org/issues/6587
As mentioned in the other bug, I am finding the same behavior using af-packet in tap and IPS mode.
Updated by Lukas Sismis about 1 year ago
Hi @Francis Trudeau,
have you tested the functionality with other capture modes as well?
Couldn't it be that there is a configuration issue?
Sorry, ok, I followed your comments in the other tickets and I see there is some underlying issue with the setup/Suricata. Considering it works neither with AFP nor with DPDK, it seems like the capture module is not the one to blame.
Updated by Francis Trudeau about 1 year ago
Lukas Sismis wrote in #note-3:
Hi @Francis Trudeau,
have you tested the functionality with other capture modes as well?
Couldn't it be that there is a configuration issue?
See this related bug:
https://redmine.openinfosecfoundation.org/issues/6587
If I create a bridge and use the same config file, except with '-i br0' instead of '--dpdk', I see detections.
This is also happening with '--af-packet'
Updated by Victor Julien about 1 year ago
- Related to Bug #6587: DPDK 'tap' mode doesn't alert on TCP protocol rules added