tcpreplay vs. suricata -r


emre....@btpsec.com

Apr 21, 2016, 3:42:07 AM
to SELKS
Hi everyone,

I am able to read pcap file with the following command and signature alerts drop into fast.log and other outputs properly and SELKS dashboards are populated without problem.
suricata -c /etc/suricata/suricata.yaml -r traffic.pcap -v

I want to replay pcap traffic with tcpreplay instead of reading pcap with suricata -r
tcpreplay -i eth0 traffic.pcap

But in this case my output is like the following
sending out eth0
processing file: traffic.pcap
Actual: 591 packets (516575 bytes) sent in 4.28 seconds.                Rated: 120695.1 bps, 0.92 Mbps, 138.08 pps
Statistics for network device: eth0
        Attempted packets:         591
        Successful packets:        591
        Failed packets:            0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

There are no alerts in fast.log and the other outputs.

Bests,

Peter Manev

Apr 24, 2016, 8:37:18 AM
to emre....@btpsec.com, SELKS
There is a lot more to tuning Suricata in order to achieve that
(replay is actually live traffic in that respect however it is just
that pcap). You should start with trimming down the flow timeouts in
the suricata.yaml section (that is just a start), make sure as well
your home and ext networks are correctly in place and all your NIC
offloading is disabled.

You can also use unix-socket as an alternative to "-r" -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Interacting_via_Unix_Socket
that way you can avoid repeatedly loading the rules for every run.


> Bests,
>



--
Regards,
Peter Manev

emre....@btpsec.com

May 9, 2016, 10:39:46 AM
to SELKS, emre....@btpsec.com
Running suricata in unix-socket runmode just fine for now.

sudo nano /etc/suricata/suricata.yaml
runmode:single
sudo service suricata stop
sudo suricata --unix-socket

suricatasc -c "pcap-file /home/selks-user/mypcaps/real.pcap /var/log/suricata"

This works.

However, I am not able to run tcpreplay.

This is my testing environment.
eth0 - 192.168.213.8 - 00:0c:29:53:2b:fa (eth0 is in promiscuous mode)
eth1 - 192.168.213.6 - 00:0c:29:53:2b:04

--rewrite
tcprewrite --infile=real.pcap --outfile=tmp1.pcap --dstipmap=0.0.0.0/0:192.168.1.8 --enet-dmac=00:0c:29:53:2b:fa
tcprewrite --infile=tmp1.pcap --outfile=tmp2.pcap --srcipmap=0.0.0.0/0:192.168.1.6 --enet-smac=00:0c:29:53:2b:04

--update the checksum of every packet
tcprewrite --infile=tmp2.pcap --outfile=fake.pcap --fixcsum

--replay
tcpreplay -M2 --intf1=eth0 fake.pcap

This does not work.

My second approach
tcpprep --auto=bridge --pcap=real.pcap --cachefile=real.cache
tcpreplay -M2 --cachefile=real.cache --intf1=eth0 --intf2=eth1 real.pcap

Again, this does not work.

Thank you,
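Before replaying, it helps to look at what the rewritten capture actually contains and whether its addresses fall inside the HOME_NET Suricata is configured with, since the rewritten IPs and MACs decide which rules can match at all. The script below is an added example, not code from the thread or from the tcpreplay or Suricata projects: it parses a classic (non-pcapng) Ethernet pcap with only the standard library, then reports how many frames are IPv4, how many touch a given HOME_NET list, and how many carry the capture interface's MAC as destination. The embedded sample capture is constructed inline; the HOME_NET list and interface MAC are parameters the caller supplies (the values used here are the thread's eth0 MAC and a 192.168.0.0/16 home network, assumed for illustration).

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap magic (microsecond timestamps)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ethertype=ETHERTYPE_IPV4):
    """Ethernet header plus a minimal 20-byte IPv4 header; other ethertypes get a zero body."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ethertype))
    if ethertype != ETHERTYPE_IPV4:
        return eth + b"\x00" * 28
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def build_pcap(frames):
    """Pack raw frames into a little-endian pcap file image, link type 1 (Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1461000000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def parse_pcap(data):
    """Yield each frame from a classic pcap, honouring the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def describe_frame(frame):
    """Return MACs, ethertype and (for IPv4) the source/destination addresses."""
    info = {"dst_mac": ":".join(f"{b:02x}" for b in frame[0:6]),
            "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0],
            "src_ip": None, "dst_ip": None}
    if info["ethertype"] == ETHERTYPE_IPV4 and len(frame) >= 34:
        info["src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))
    return info


def replay_fit(data, home_net, iface_mac):
    """Count frames that can plausibly produce alerts: IPv4, inside HOME_NET, addressed to the NIC."""
    nets = [ipaddress.ip_network(n) for n in home_net]
    iface_mac = iface_mac.lower()
    stats = {"frames": 0, "ipv4": 0, "non_ipv4": 0, "touches_home_net": 0, "to_iface_mac": 0}
    for frame in parse_pcap(data):
        stats["frames"] += 1
        d = describe_frame(frame)
        if d["src_ip"] is None:
            stats["non_ipv4"] += 1
            continue
        stats["ipv4"] += 1
        if any(ipaddress.ip_address(d[k]) in n for k in ("src_ip", "dst_ip") for n in nets):
            stats["touches_home_net"] += 1
        if d["dst_mac"] == iface_mac:
            stats["to_iface_mac"] += 1
    return stats


# Constructed sample: one flow between the thread's two hosts, one unrelated flow, one ARP frame.
SAMPLE_PCAP = build_pcap([
    build_frame("00:0c:29:53:2b:04", "00:0c:29:53:2b:fa", "192.168.213.6", "192.168.213.8"),
    build_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "10.0.0.1", "8.8.8.8"),
    build_frame("aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff", "0.0.0.0", "0.0.0.0", ETHERTYPE_ARP),
])

if __name__ == "__main__":
    print(replay_fit(SAMPLE_PCAP, ["192.168.0.0/16"], "00:0c:29:53:2b:fa"))
```

A capture where `touches_home_net` is zero will not fire rules written against `$HOME_NET`, whatever tcpreplay reports as "Successful packets". The `to_iface_mac` count only matters when the sniffing NIC is not in promiscuous mode, because then the hardware discards frames addressed to other MACs before Suricata sees them; with promiscuous mode on, as in the setup above, the MAC rewrite is not required for the frames to be captured.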

Peter Manev

May 10, 2016, 2:46:59 AM
to emre....@btpsec.com, SELKS
On Mon, May 9, 2016 at 5:39 PM, <emre....@btpsec.com> wrote:
> Running suricata in unix-socket runmode just fine for now.
>
> sudo nano /etc/suricata/suricata.yaml
> runmode:single
> sudo service suricata stop
> sudo suricata --unix-socket
>
> suricatasc -c "pcap-file /home/selks-user/mypcaps/real.pcap
> /var/log/suricata"
>
> This works.

Unix-socket mode is for reading (sending rather) pcaps to the suricata
unix socket to be processed by suricata.

The difference between the read (-r) option for reading pcaps with
suricata and unix-socket is that with unix socket you can just "send"
pcaps to be processed by suricata as opposed to the (-r) option where
Suricata needs to start and load all the rules, read the pcap and
then exit - on a per pcap basis/for every pcap.

With unix-socket Suricata loads the rules only once and then just
processes each sent pcap.

In unix socket (or -r as well) - you would not be able to use
tcpreplay. For tcpreplay to work as expected Suricata needs to be
started - listening/sniffing on the interface that tcpreplay is going
to replay the traffic to.

Thanks
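The "send a pcap to the socket" step that `suricatasc -c "pcap-file ..."` performs is a small JSON exchange over a Unix stream socket: the client first sends `{"version": "0.1"}`, Suricata answers `{"return": "OK"}`, and each subsequent request is `{"command": ..., "arguments": {...}}` answered by an object with `return` set to `OK` or `NOK`. The client below is an added example, not Suricata's `suricatasc` or any code from this thread; it implements that exchange with the standard library and pairs it with a constructed stand-in for the Suricata side so the round trip can be run offline. The socket path is assumed (the real one is whatever `unix-command.filename` in suricata.yaml says), and the fake server's reply texts are constructed, not Suricata's verbatim messages.

```python
import json
import socket
import threading

# Assumed default; confirm against unix-command.filename in suricata.yaml.
SOCKET_PATH = "/var/run/suricata/suricata-command.socket"


def build_pcap_file_command(filename, output_dir):
    """Request object equivalent to: suricatasc -c "pcap-file <filename> <output_dir>"."""
    return {"command": "pcap-file", "arguments": {"filename": filename, "output-dir": output_dir}}


def _send_json(sock, obj):
    sock.sendall(json.dumps(obj).encode())


def _recv_json(sock):
    """Read until one complete JSON object has arrived (replies are not newline-delimited)."""
    buf = b""
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("socket closed before a complete reply arrived")
        buf += chunk
        try:
            return json.loads(buf.decode())
        except ValueError:
            continue


def submit_pcap(sock, filename, output_dir):
    """Version handshake, then the pcap-file command; returns Suricata's reply as a dict."""
    _send_json(sock, {"version": "0.1"})
    hello = _recv_json(sock)
    if hello.get("return") != "OK":
        raise RuntimeError(f"handshake rejected: {hello}")
    _send_json(sock, build_pcap_file_command(filename, output_dir))
    return _recv_json(sock)


def connect_and_submit(filename, output_dir, path=SOCKET_PATH):
    """Talk to a real Suricata started with --unix-socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        return submit_pcap(s, filename, output_dir)


def fake_suricata(server_sock):
    """Constructed stand-in for the daemon: checks the version, accepts .pcap paths only."""
    hello = _recv_json(server_sock)
    _send_json(server_sock, {"return": "OK"} if hello.get("version") == "0.1" else {"return": "NOK"})
    cmd = _recv_json(server_sock)
    if cmd.get("command") == "pcap-file" and cmd["arguments"].get("filename", "").endswith(".pcap"):
        _send_json(server_sock, {"return": "OK", "message": "pcap file added"})
    else:
        _send_json(server_sock, {"return": "NOK", "message": "unknown command or bad argument"})
    server_sock.close()


def demo(filename="/home/selks-user/mypcaps/real.pcap", output_dir="/var/log/suricata"):
    """Run the full exchange against the fake daemon over a socketpair and return its reply."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    worker = threading.Thread(target=fake_suricata, args=(server,))
    worker.start()
    try:
        return submit_pcap(client, filename, output_dir)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    print(demo())
```

Because the daemon keeps running between submissions, a loop calling `connect_and_submit` for each file in a directory gets the "load the rules once" behaviour described above; a `NOK` reply is the place to stop and look at the filename or output directory rather than at the rules.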