No traffic through af-packet bridge
344 views
Skip to first unread message
Nick Schumacher
Nov 29, 2017, 3:28:59 PM11/29/17
to SELKS
Hey all,
/etc/network/interfaces:
Any of that look wrong? If I can help with other file contents or command output please ask.
Trying to set up my machine to use NIC's as a sort of WAN to LAN bridge that scans everything coming into or going out of my network, and having a little trouble getting it working correctly.
Aside from Elasticsearch being yellow because of one unassigned recovery shard in .kibana everything seems to be up and running now (although also had some issues with the NICS not being in promiscuous mode and had to set that manually before suricata would startup right)
Anyway, the issue I'm running into is that suricata doesn't appear to be passing the data through to the other NIC. Not sure where I'm going wrong here, and I haven't seen anything in the suricata log although I'm not sure that's the right log to look at for this problem. Here's my af-packet section of suricata.yaml, and my /etc/network/interfaces
suricata.yaml:
af-packet:
- interface: eth0
cluster-id:99
cluster-type: cluster_flow
defrag:yes
- interface: enp1s0f0
threads:auto
defrag: yes
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: enp1s0f1
buffer-size: 64535
use-mmap: yes
- interface: enp1s0f1
threads: auto
cluster-id: 97
defrag: yes
cluster-type: cluster_flow
copy-mode: ips
copy-iface: enp1s0f0
buffer-size: 64535
use-mmap: yes
-interface: default
/etc/network/interfaces:
auto lo
iface lo inetloopback
allow-hotplug eno1
iface eno1 inet static # Management interface
address 192.168.0.100
netmask 255.255.252.0
gateway 192.168.0.1
dns-nameservers 192.168.0.11 192.168.0.6
iface enp1s0f0 inet manual
pre-up ifconfig $IFACE up
post-down ifconfig $IFACE down
post-up /etc/network/if-up.d/idps-interface-tuneup_stamus
iface enp1s0f1 inet manual
pre-up ifconfig $IFACE up
post-down ifconfig $IFACE down
post-up /etc/network/if-up.d/idps-interface-tuneup_stamus
Any of that look wrong? If I can help with other file contents or command output please ask.
Thank you!!!!
Nick
Peter Manev
Nov 30, 2017, 4:23:14 AM11/30/17
to Nick Schumacher, SELKS
On Wed, Nov 29, 2017 at 9:28 PM, Nick Schumacher
<schumac...@gmail.com> wrote:
> Hey all,
>
> Trying to set up my machine to use NIC's as a sort of WAN to LAN bridge that
> scans everything coming into or going out of my network, and having a little
> trouble getting it working correctly.
>
> Aside from Elasticsearch being yellow because of one unassigned recovery
> shard in .kibana everything seems to be up and running now (although also
> had some issues with the NICS not being in promiscuous mode and had to set
> that manually before suricata would startup right)
>
How are you doing the tests exactly?
<schumac...@gmail.com> wrote:
> Hey all,
>
> Trying to set up my machine to use NIC's as a sort of WAN to LAN bridge that
> scans everything coming into or going out of my network, and having a little
> trouble getting it working correctly.
>
> Aside from Elasticsearch being yellow because of one unassigned recovery
> shard in .kibana everything seems to be up and running now (although also
> had some issues with the NICS not being in promiscuous mode and had to set
> that manually before suricata would startup right)
>
> Anyway, the issue I'm running into is that suricata doesn't appear to be
> passing the data through to the other NIC. Not sure where I'm going wrong
> here, and I haven't seen anything in the suricata log although I'm not sure
> that's the right log to look at for this problem. Here's my af-packet
> section of suricata.yaml, and my /etc/network/interfaces
>
> suricata.yaml:
> af-packet:
> - interface: eth0
> cluster-id:99
> cluster-type: cluster_flow
> defrag:yes
>
> - interface: enp1s0f0
> threads:auto
> defrag: yes
> cluster-type: cluster_flow
> cluster-id: 98
> copy-mode: ips
> copy-iface: enp1s0f1
> buffer-size: 64535
> use-mmap: yes
>
> - interface: enp1s0f1
> threads: auto
> cluster-id: 97
> defrag: yes
> cluster-type: cluster_flow
> copy-mode: ips
> copy-iface: enp1s0f0
> buffer-size: 64535
with a small value - aka 2048 for example.
> use-mmap: yes
>
> -interface: default
>
>
> /etc/network/interfaces:
> auto lo
> iface lo inetloopback
>
> allow-hotplug eno1
> iface eno1 inet static # Management interface
> address 192.168.0.100
> netmask 255.255.252.0
> gateway 192.168.0.1
> dns-nameservers 192.168.0.11 192.168.0.6
>
> iface enp1s0f0 inet manual
> pre-up ifconfig $IFACE up
> post-down ifconfig $IFACE down
> post-up /etc/network/if-up.d/idps-interface-tuneup_stamus
>
> iface enp1s0f1 inet manual
> pre-up ifconfig $IFACE up
> post-down ifconfig $IFACE down
> post-up /etc/network/if-up.d/idps-interface-tuneup_stamus
>
>
> Any of that look wrong? If I can help with other file contents or command
> output please ask.
>
> Thank you!!!!
>
> Nick
>
> --
> IRC: Let's talk about SELKS on Freenode IRC on the #SELKS channel
> Wiki: https://github.com/StamusNetworks/SELKS/wiki
> GitHub: https://github.com/StamusNetworks/SELKS
> Blog: https://www.stamus-networks.com/theblog/
> Twitter: @StamusN
> g+: Stamus Networks
> ---
> You received this message because you are subscribed to the Google Groups
> "SELKS" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to selks+un...@googlegroups.com.
> To post to this group, send email to se...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Regards,
Peter Manev
Nick Schumacher
Nov 30, 2017, 12:55:16 PM11/30/17
to SELKS
On Thursday, November 30, 2017 at 1:23:14 AM UTC-8, pevma wrote:
On Wed, Nov 29, 2017 at 9:28 PM, Nick Schumacher
<schumac...@gmail.com> wrote:
> Hey all,
>
> Trying to set up my machine to use NIC's as a sort of WAN to LAN bridge that
> scans everything coming into or going out of my network, and having a little
> trouble getting it working correctly.
>
> Aside from Elasticsearch being yellow because of one unassigned recovery
> shard in .kibana everything seems to be up and running now (although also
> had some issues with the NICS not being in promiscuous mode and had to set
> that manually before suricata would startup right)
>
How are you doing the tests exactly?
Setup was Network Switch -> SELKS (in enp1s0f0, out enp1s0f1) -> Test machine
I then opened two SSH sessions into the SELKS machine's management interface I'd set up with an IP and everything, and ran tcpdump -i on the two interfaces while trying to request a DHCP address on the test machine. I could see the DHCP requests coming in one side, but not going out the other.
> Anyway, the issue I'm running into is that suricata doesn't appear to be
> passing the data through to the other NIC. Not sure where I'm going wrong
> here, and I haven't seen anything in the suricata log although I'm not sure
> that's the right log to look at for this problem. Here's my af-packet
> section of suricata.yaml, and my /etc/network/interfaces
>
> suricata.yaml:
> af-packet:
> - interface: eth0
> cluster-id:99
> cluster-type: cluster_flow
> defrag:yes
>
Do you use the 3 interfaces - eth0 / enp1s0f0 and enp1s0f0 ?
I thought it would be cleaner that way. One standard interface with static IP, etc. to be used for management, ssh access, accessing Scirius, etc. and the other two acting as transparent bridge inspection between our firewall/router and our LAN switch.
> - interface: enp1s0f0
> threads:auto
> defrag: yes
> cluster-type: cluster_flow
> cluster-id: 98
> copy-mode: ips
> copy-iface: enp1s0f1
> buffer-size: 64535
> use-mmap: yes
>
> - interface: enp1s0f1
> threads: auto
> cluster-id: 97
> defrag: yes
> cluster-type: cluster_flow
> copy-mode: ips
> copy-iface: enp1s0f0
> buffer-size: 64535
instead of buffer-size use ring size and do a test while setting it up
with a small value - aka 2048 for example.
I actually got it working. Saw in /etc/suricata that there was also a selks4-addin.yaml file and was looking over that when I realized my main interface is listed as the default eth0 in the suricata setup, but in /etc/network/interfaces it's actually eno1. Fixed that little goof and added a few options based on the selks4 yaml file as well (tpacket-v3 - yes, ring-size - 2048, block-size - 32768) and restarted and it took off running.
> use-mmap: yes
>
> -interface: default
>
>
> /etc/network/interfaces:
> auto lo
> iface lo inetloopback
>
> allow-hotplug eno1
> iface eno1 inet static # Management interface
> address 192.168.0.100
> netmask 255.255.252.0
> gateway 192.168.0.1
> dns-nameservers 192.168.0.11 192.168.0.6
>
> iface enp1s0f0 inet manual
> pre-up ifconfig $IFACE up
> post-down ifconfig $IFACE down
> post-up /etc/network/if-up.d/idps-interface-tuneup_stamus
>
> iface enp1s0f1 inet manual
> pre-up ifconfig $IFACE up
> post-down ifconfig $IFACE down
> post-up /etc/network/if-up.d/idps-interface-tuneup_stamus
>
>
> Any of that look wrong? If I can help with other file contents or command
> output please ask.
>
Are there any errors in /var/log/suricata/suricata.log or suricata-start.log?
Nope. Fixed those when I fixed the promiscuous mode issue.
Peter Manev
Nov 30, 2017, 3:30:06 PM11/30/17
to Nick Schumacher, SELKS
On Thu, Nov 30, 2017 at 6:55 PM, Nick Schumacher
Glad you figured it out and have it working!
Peter Manev
Dec 12, 2017, 5:01:26 AM12/12/17
to Nick Schumacher, SELKS
>
> Glad you figured it out and have it working!
>
Nick - i have posted a wiki page for IPS set up based also on your
> Glad you figured it out and have it working!
>
input shared in your previous mail -
https://github.com/StamusNetworks/SELKS/wiki/Initial-Setup---Suricata-IPS
Hope it is ok!
--
Regards,
Peter Manev
Reply all
Reply to author
Forward
0 new messages