Project

General

Profile

Actions
Copy link

Bug #6588

open
FT CT

bridge 'ips' modes don't pass TCP traffic in virtual env

Bug #6588: bridge 'ips' modes don't pass TCP traffic in virtual env

Added by Francis Trudeau over 2 years ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Tested using:

Suricata version 8.0.0-dev (d005fff7b 2023-11-24)
Suricata version 7.0.3-dev (aae6beaa5 2023-11-22)
Suricata version 7.0.3-dev (c8a7204b1 2023-11-02)

In a Debian 12 Qemu VM using either e1000 or virtio NICs.

Test sensor has two detection NICs, straddling two virtual networks. Each virtual network has a VM, one acting as a client (10.1.11.1/16) and one acting as a server (10.1.12.1/16). I ran inetsim on the 'server'.

When attempting a TCP connection from client to server using any method it fails. The SYN packets from the server never make it back to the client. See attached pcaps.

Files

Download all files
manual_dpdk_ips_suricata.sh (908 Bytes) manual_dpdk_ips_suricata.sh Francis Trudeau, 11/29/2023 08:09 PM
10.1.11.1_client_ips_mode.pcap (474 Bytes) 10.1.11.1_client_ips_mode.pcap Francis Trudeau, 11/29/2023 08:10 PM
10.1.12.1_server_ips_mode.pcap (1.17 KB) 10.1.12.1_server_ips_mode.pcap Francis Trudeau, 11/29/2023 08:10 PM
suricata.dpdk.ips.yaml (83.3 KB) suricata.dpdk.ips.yaml Francis Trudeau, 11/29/2023 08:12 PM

Related issues 2 (2 open0 closed)

Related to Suricata - Bug #6587: bridge 'tap' modes don't alert on TCP protocol rules in virtual envNewCommunity TicketActions
Related to Suricata - Bug #5871: ips/af-packet: doesn't work between 2 virtio devicesAssignedOISF DevActions
Actions
Copy link

Also available in: PDF Atom