Does Wazuh have a tcpreplay based on the PF_Ring injection method?


fadi abusafat

Jan 29, 2020, 5:22:40 AM
to Wazuh mailing list
Hi, 

I would like to ask if there is a Wazuh VM based on tcpreplay with the PF_Ring injection method.

I am looking for it because I have a very heavy pcap and I cannot replay it with the PF packet injection method. So I am looking for another injection method.

I tried to configure the PF_Ring injection method, but it always dropped packets due to a driver issue.

Any help please.

Thank you so much.

jose antonio izquierdo lopez

Jan 29, 2020, 7:53:59 AM
to Wazuh mailing list
Hi Fadi, 

Did you try injecting into a dummy interface with an MTU of 65535? We were facing issues with dropped packets with smaller MTUs; after the change was done it looks to work well.

Let me know if you want more details about it. 

Thanks 

fadi abusafat

Feb 6, 2020, 5:52:24 AM
to Wazuh mailing list
Hi Jose, 

Thank you so much for your reply.

I already used it with a dummy interface in tcpreplay-edit and normal tcpreplay, but unfortunately with the current injection method, AF Packet, it does not work with a sophisticated pcap file loaded with sophisticated attacks.

Therefore, I am searching for a way to configure the tcpreplay package with the PF ring injection method.

I already looked into the PF ring documentation, but it does not work with tcpreplay.

Therefore, do you have any idea how to replay massive pcap traffic? I mean, do you know any sophisticated tool that has the capability to replay this kind of traffic?

jose antonio izquierdo lopez

Feb 6, 2020, 6:10:01 AM
to Wazuh mailing list
Hi Fadi, 

Is there any way to have a pcap sample (in private)?

Thanks 

fadi abusafat

Feb 6, 2020, 9:18:13 AM
to Wazuh mailing list
Hi Jose, 

Thank you so much. 

This is the link to the dataset/pcap that I used to carry out my PhD research:

https://www.unb.ca/cic/datasets/ids-2017.html

fadi abusafat

Feb 6, 2020, 9:54:10 AM
to Wazuh mailing list
Oh, sorry Jose, I published the link here without noticing that you asked for it in private. I apologise for it. Please, could you provide me with your email?

My email is: fabusa...@hotmail.com

jose antonio izquierdo lopez

Feb 6, 2020, 10:33:07 AM
to Wazuh mailing list
Hi Fadi,

No worries, I thought you were using a non-public PCAP source.
How do you run the tcpreplay command? Also, can you share the 'ip a' or "ifconfig" output of your destination interface?

I have something like this (I pressed ctrl-c, since as you know the full run takes a full day):

Actual: 10029 packets (2323131 bytes) sent in 140.33 seconds
Rated: 16553.9 Bps, 0.132 Mbps, 71.46 pps
Statistics for network device: owlh
Successful packets:        10028
Failed packets:            0
Truncated packets:         0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN):  0

My Suricata and Zeek are able to analyze it properly.
Are you changing the replay timing?

Sorry if I missed something.
Thanks

fadi abusafat

Feb 6, 2020, 10:41:08 AM
to Wazuh mailing list
Hi Jose. 

Seriously, I would like to thank you for your massive attention and help.

Usually, I install tcpreplay with the defaults. Then I replay the traffic as follows:

sudo tcpreplay -i ens34 Sample.pcap   (ens34 is the interface that replays the traffic; Sample.pcap is the name of the pcap file)

or using tcpreplay-edit:

sudo tcpreplay-edit --mtu=65300 -i ens34 Sample.pcap   (ens34 is the interface that replays the traffic; Sample.pcap is the name of the pcap file)

In my case, both situations have many dropped packets. My idea is to replay the pcap without dropped packets. The current injection method with tcpreplay is AF Packet. In the past it was PF RING and it was working amazingly, without losing any packet. Therefore, I am looking to configure tcpreplay with PF RING, but unfortunately I could not.

fadi abusafat

Feb 6, 2020, 10:42:50 AM
to Wazuh mailing list
I do not change the replay timing, and I do not change anything in tcpreplay except splitting the pcap file based on attack and non-attack time.

jose antonio izquierdo lopez

Feb 6, 2020, 10:45:52 AM
to Wazuh mailing list
Hi Fadi, 

As you can see in my capture there are no dropped packets with tcpreplay.

I can see you are using a real interface instead of a dummy interface, am I right?

This is my interface status when using tcpreplay:

3: owlh: <BROADCAST,NOARP,UP,LOWER_UP> mtu 65535 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:46:55:7c:1a:92 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f846:55ff:fe7c:1a92/64 scope link
       valid_lft forever preferred_lft forever

Hope this helps.
Best

fadi abusafat

Feb 6, 2020, 11:32:23 AM
to Wazuh mailing list
Hi Jose, 

Please, could you send me the following:

1- The complete command that you used,

2- The configuration of the adapters,

3- Did you install tcpreplay or did you use the one already in Wazuh?

4- Did you run it on a virtual machine or a real machine? If virtual, could you send details of the configuration, because I am working on virtual.

fadi abusafat

Feb 6, 2020, 11:38:24 AM
to Wazuh mailing list
Jose,

Be aware, you cannot replay a pcap file on the lo adapter; it has to be replayed on eth0, eth1, ens34, ens35 or an adapter like that.

jose antonio izquierdo lopez

Feb 6, 2020, 11:55:50 AM
to Wazuh mailing list
Hi Fadi, 

As shown in previous mails, the interface is a dummy interface called owlh, with MTU 65535.
The instance is an Amazon II (tested in VMware and HW systems too).
OS: CentOS 6, 7, 8 and Debian/Ubuntu, various versions. Take into account that each one has its own dummy interface configuration procedure.
Wazuh doesn't install any tcpreplay. tcpreplay is the one provided by each distribution. Your tcpreplay command looks good, just point it to the right interface.

I hope this helps to point you in the right direction to end your Ph.D. Good luck. 

Best regards, 
Jose.

fadi abusafat

Feb 7, 2020, 8:22:51 AM
to Wazuh mailing list
Hi Jose, 

Thank you so much for your help. 

Right now, I am configuring a new experiment with Ubuntu Server 18. I have three network adapters; one of them (ens33) is connected for Internet and the others are internal (ens34 and ens35).

Please, could you explain exactly how you configured it, including the dummy interface with MTU 65535 bytes?

Also, what version of tcpreplay did you use?

Sorry for that, but seriously, I have been working on this issue and I could not figure it out. Even more, you are the only one who has helped with this issue.

I appreciate your help and am grateful to you.

Once the server for my experiment is ready I will upload details about the adapters as well as the OS. In the meantime, could you provide the details that you already used?

Thank you so much. 

Many Thanks Jose. 

jose antonio izquierdo lopez

Feb 7, 2020, 9:12:59 AM
to Wazuh mailing list
Hi Fadi, 

This is just Debian networking configuration;
something like this will work to configure the dummy interface:

/sbin/ip link add dummy0 type dummy
/sbin/ip link set name owlh dev dummy0
/sbin/ip link set dev owlh mtu 56536
/sbin/ip link set owlh up

After this is done, verify your interface is ready:

root@ip-172-31-33-251:/home/ubuntu# ip a list dev owlh
3: owlh: <BROADCAST,NOARP,UP,LOWER_UP> mtu 56536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 02:3c:72:3b:e6:9c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3c:72ff:fe3b:e69c/64 scope link
       valid_lft forever preferred_lft forever


Then point your tcpreplay to the owlh interface.

Thanks and good luck
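The dummy-interface procedure above, plus the two checks this thread does by eye (is the interface really UP with the intended MTU, and did tcpreplay report zero failed/truncated/retried packets), as an added shell example. This is not code from the thread or from Wazuh or tcpreplay; it mirrors the ip commands Jose posted and parses the tcpreplay summary format he quoted. The interface name owlh and MTU 65535 are taken from the thread (the later commands show 56536, so the MTU is a parameter rather than hard-coded); the file name replay_check.sh and the sample lines are constructed. The replay itself needs root and a pcap; the parsing functions run without either.

```shell
#!/bin/sh
# Added example (not part of the thread or of Wazuh/tcpreplay): bring up the
# dummy replay interface, check it is UP with the intended MTU, replay a pcap
# and refuse to trust the run if tcpreplay reports any failed, truncated or
# retried packets. IFACE "owlh" and MTU 65535 are the values quoted in the
# thread; both can be overridden from the environment.
IFACE="${IFACE:-owlh}"
MTU="${MTU:-65535}"

# Create the dummy interface (root required). Same ip commands as the thread;
# the rename from dummy0 is what gives the interface its final name.
setup_dummy() {
    ip link add dummy0 type dummy
    ip link set name "$1" dev dummy0
    ip link set dev "$1" mtu "$2"
    ip link set "$1" up
}

# Pull the MTU out of one line of `ip -o link show dev IFACE` output.
mtu_from_link_line() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# True when the <...> flag list of the link line contains the UP token
# (LOWER_UP alone does not count, hence the match on ",UP,").
link_is_up() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in *,UP,*) return 0 ;; esac
    return 1
}

# Sum the Failed/Truncated/Retried counters of a tcpreplay summary; 0 means
# the kernel accepted every packet, which is what Jose's run shows.
replay_drops() {
    printf '%s\n' "$1" | awk '/^(Failed|Truncated|Retried) packets/ { total += $NF } END { print total + 0 }'
}

# Replay $1 on $IFACE only if the interface is ready; non-zero exit on drops.
replay_and_check() {
    line=$(ip -o link show dev "$IFACE" 2>/dev/null) || { echo "no interface $IFACE" >&2; return 2; }
    link_is_up "$line" || { echo "$IFACE is not UP" >&2; return 2; }
    [ "$(mtu_from_link_line "$line")" = "$MTU" ] || { echo "$IFACE mtu is not $MTU" >&2; return 2; }
    summary=$(tcpreplay -i "$IFACE" "$1" 2>&1) || { printf '%s\n' "$summary" >&2; return 3; }
    printf '%s\n' "$summary"
    [ "$(replay_drops "$summary")" -eq 0 ]
}

# Constructed samples (the first summary copies the one quoted in the thread)
# so the parsing can be exercised without root or a pcap.
SAMPLE_LINK='3: owlh: <BROADCAST,NOARP,UP,LOWER_UP> mtu 65535 qdisc noqueue state UNKNOWN group default qlen 1000'
SAMPLE_LINK_DOWN='3: owlh: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000'
SAMPLE_OK='Actual: 10029 packets (2323131 bytes) sent in 140.33 seconds
Rated: 16553.9 Bps, 0.132 Mbps, 71.46 pps
Statistics for network device: owlh
Successful packets:        10028
Failed packets:            0
Truncated packets:         0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN):  0'
SAMPLE_DROPS='Statistics for network device: ens34
Successful packets:        9000
Failed packets:            12
Truncated packets:         0
Retried packets (ENOBUFS): 3
Retried packets (EAGAIN):  0'

# Usage (as root, after setup_dummy "$IFACE" "$MTU"):
#   IFACE=owlh MTU=65535 sh replay_check.sh Sample.pcap
if [ "$#" -gt 0 ]; then
    replay_and_check "$1"
fi
```

The point of checking the counters rather than only watching the IDS is that a replay with non-zero Failed or Retried counts silently removes packets from the experiment, so any missed detection afterwards cannot be attributed to the sensor.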



fadi abusafat

Feb 7, 2020, 11:39:11 AM
to Wazuh mailing list
Hi Jose. 

It does not work.

I will configure it again.

But I would like to ask you about an issue: can Wazuh or Suricata catch traffic from a dummy interface?

This post includes the error from replaying traffic into the dummy interface.
[attachment: Dummy.PNG]

jose antonio izquierdo lopez

Feb 7, 2020, 12:20:56 PM
to Wazuh mailing list
Suricata:

# suricata -c /etc/suricata/suricata.yaml -i owlh
