Bug #6588
open
DPDK 'ips' mode doesn't pass TCP traffic
Added by Francis Trudeau 12 months ago.
Updated 12 months ago.
Description
Tested using:
Suricata version 8.0.0-dev (d005fff7b 2023-11-24)
Suricata version 7.0.3-dev (aae6beaa5 2023-11-22)
Suricata version 7.0.3-dev (c8a7204b1 2023-11-02)
In a Debian 12 Qemu VM using either e1000 or virtio NICs.
Test sensor has two detection NICs, straddling two virtual networks. Each virtual network has a VM, one acting as a client (10.1.11.1/16) and one acting as a server (10.1.12.1/16). I ran inetsim on the 'server'.
When attempting a TCP connection from client to server using any method, it fails. The SYN packets from the server never make it back to the client. See attached pcaps.
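A check worth running against the attached pcaps, to confirm which direction is missing: group TCP packets by the 4-tuple of the client's SYN and report whether anything ever came back from the server. This is an added example, not code from the report or from the Suricata project. It assumes classic pcap files with Ethernet/IPv4/TCP frames (pcapng is rejected), and the capture it feeds itself is constructed in memory, reusing the 10.1.11.1 and 10.1.12.1 addresses from the description; the port numbers are made up.

```python
"""Flag one-way TCP flows in a pcap (added example; not the bug report's code)."""
import struct
import sys
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10


def parse_pcap(data):
    """Yield (src, sport, dst, dport, tcp_flags) for every IPv4/TCP frame in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # written little-endian (usec / nsec)
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    off = 24                                    # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        pkt = parse_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            yield pkt


def parse_frame(frame):
    """Decode an Ethernet/IPv4/TCP frame; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:                      # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return (src, sport, dst, dport, tcp[13])                  # byte 13 holds the flags


def classify_flows(packets):
    """Key flows by the SYN's 4-tuple and record whether the reverse direction ever appeared."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "reverse": 0, "rst": 0})
    for src, sport, dst, dport, flags in packets:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            flows[fwd]["syn"] += 1                 # client's SYN (or a retransmit of it)
        elif rev in flows:                         # something came back from the server
            flows[rev]["reverse"] += 1
            if flags & SYN and flags & ACK:
                flows[rev]["synack"] += 1
            if flags & RST:
                flows[rev]["rst"] += 1
        # further client->server packets (ACK, data) need no tracking for this check
    verdicts = {}
    for key, s in flows.items():
        if s["synack"]:
            verdicts[key] = "handshake"
        elif s["rst"]:
            verdicts[key] = "refused"
        elif s["reverse"]:
            verdicts[key] = "reverse-seen"
        else:
            verdicts[key] = "one-way"              # SYN(s) out, nothing ever came back
    return verdicts


def analyze(data):
    return classify_flows(parse_pcap(data))


# --- constructed sample capture (not the reporter's attachment) ---------------
def tcp_frame(src_ip, sport, dst_ip, dport, flags):
    ip_bytes = lambda a: bytes(int(x) for x in a.split("."))
    eth = b"\x00" * 12 + b"\x08\x00"                                   # MACs zeroed, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))               # checksum left 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def build_demo_pcap():
    """One flow that completes its handshake, one whose SYNs never get an answer."""
    c, s = "10.1.11.1", "10.1.12.1"
    return build_pcap([
        tcp_frame(c, 40000, s, 80, SYN),
        tcp_frame(s, 80, c, 40000, SYN | ACK),
        tcp_frame(c, 40000, s, 80, ACK),
        tcp_frame(c, 40001, s, 443, SYN),
        tcp_frame(c, 40001, s, 443, SYN),      # retransmitted SYN, nothing comes back
    ])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pcap()
    for (src, sport, dst, dport), verdict in sorted(analyze(data).items()):
        print(f"{src}:{sport} -> {dst}:{dport}: {verdict}")
```

Run it once on a capture taken on the client-side NIC and once on the server-side NIC. If the server-side capture shows the same flows as "handshake" while the client-side capture shows them as "one-way", the replies are being produced but lost in the forwarding path between the two interfaces rather than never being sent.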
IPS did not pass traffic with or without pass rules:
pass ip any any <> any any (msg:"IP pass"; sid:3031; rev:1;)
pass tcp any any <> any any (msg:"TCP pass"; sid:3032; rev:1;)
Hi @Francis Trudeau,
have you tested the functionality with other capture modes as well?
Can't it be possible there is a configuration issue?
Sorry, ok, I followed your comments in other tickets and I see there is some underlying issue with the setup/Suricata. Considering it works neither with AFP nor with DPDK, it seems the capture module is not the one to blame.
Lukas Sismis wrote in #note-3:
Hi @Francis Trudeau,
have you tested the functionality with other capture modes as well?
Can't it be possible there is a configuration issue?
See this related bug:
https://redmine.openinfosecfoundation.org/issues/6587
If I create a bridge and use the same config file, except with '-i br0' instead of '--dpdk', I see detections.
This is also happening with '--af-packet'.
- Related to Bug #6587: DPDK 'tap' mode doesn't alert on TCP protocol rules added