Netgate Discussion Forum
    Suricata 1.4.6 package should now install and run on 2.2 – testers welcomed

    Forum: 2.2 Snapshot Feedback and Problems - RETIRED
    • bmeeks

      @mais_um:

      Hi

      I'm new to this kind of package, but for now it works fine. I will change some settings and if anything goes wrong I'll post back.

      Version:
      2.2-ALPHA (amd64)
      built on Wed May 21 09:42:11 CDT 2014

      To install, remember to enable "Do NOT check package signature" in System: Advanced: Miscellaneous.

      Thanks

      Thank you for the report.  There are several threads in the PACKAGES forum related to Suricata if you want to try out all the features.

      Bill

      • salida

        @bmeeks:

        I welcome any input from other testers.

        Bill

        I have just installed suricata on

        2.2-ALPHA (i386)
        built on Wed May 21 00:31:15 CDT 2014 
        

        I hope this guide https://forum.pfsense.org/index.php/topic,73353.0.html?PHPSESSID=0719ebf82ce96c7419052150defe9179 is good to get me started :)

        Edit: seems to be working fine; it will take me some time to learn how to correctly read the logs (I have too many "SURICATA ICMPv6 unknown type" alerts, maybe I should suppress them).

        • Raul Ramos

          Hi

          Some testing.

          In general it doesn't work very well because I have a PPPoE connection; I read that there is a bug with this (a no-go for me), and it fills my /var RAM partition: 82 MB in suricata.log on the pppoe interface, and on ppp (4G connection) there is a suricata.log of 12 MB. The first lines of the logs are below.

          pppoe:

          23/5/2014 -- 01:16:27 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
          23/5/2014 -- 01:16:27 - <info>-- preallocated 65535 defrag trackers of size 112
          23/5/2014 -- 01:16:27 - <info>-- defrag memory usage: 8912784 bytes, maximum: 33554432
          23/5/2014 -- 01:16:27 - <info>-- AutoFP mode using "Active Packets" flow load balancer
          23/5/2014 -- 01:16:27 - <info>-- preallocated 1024 packets. Total memory 4294656
          23/5/2014 -- 01:16:27 - <info>-- allocated 98304 bytes of memory for the host hash... 4096 buckets of size 24
          23/5/2014 -- 01:16:27 - <info>-- preallocated 1000 hosts of size 88
          23/5/2014 -- 01:16:27 - <info>-- host memory usage: 186304 bytes, maximum: 16777216
          23/5/2014 -- 01:16:27 - <info>-- allocated 1572864 bytes of memory for the flow hash... 65536 buckets of size 24
          23/5/2014 -- 01:16:27 - <info>-- preallocated 10000 flows of size 208
          23/5/2014 -- 01:16:27 - <info>-- flow memory usage: 3652864 bytes, maximum: 33554432
          23/5/2014 -- 01:16:27 - <info>-- IP reputation disabled
          23/5/2014 -- 01:16:27 - <info>-- Added "39" classification types from the classification file
          23/5/2014 -- 01:16:27 - <info>-- Added "20" reference types from the reference.config file
          23/5/2014 -- 01:16:27 - <info>-- using magic-file /usr/share/misc/magic
          23/5/2014 -- 01:16:27 - <info>-- Delayed detect disabled
          23/5/2014 -- 01:16:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
          23/5/2014 -- 01:16:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt"; flow:to_server,established; file_data; content:"appendChild"; content:"setUserData"; fast_pattern:only; pcre:"/\x2esetUserdata\x28.*?\x2eappendchild\x28/si"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:cve,2011-2378; classtype:attempted-user; sid:25233; rev:3;)" from file /usr/pbi/suricata-amd64/local/etc/suricata/suricata_50926_pppoe0/rules/suricata.rules at line 178
          23/5/2014 -- 01:16:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
          23/5/2014 -- 01:16:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt"; flow:to_server,established; file_data; content:"document.createElement|28 27|iframe|27 29|"; fast_pattern:only; content:"<frame"; content:".xul"; content:".contentDocument.location.reload|28 29|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:cve,2011-2982; classtype:attempted-user; sid:25228; rev:4;)" from file /usr/pbi/suricata-amd64/local/etc/suricata/suricata_50926_pppoe0/rules/suricata.rules at line 180
          23/5/2014 -- 01:16:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.

          The last line repeats a ton of times.

          ppp:

          23/5/2014 -- 00:39:37 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
          23/5/2014 -- 00:39:37 - <info>-- preallocated 65535 defrag trackers of size 112
          23/5/2014 -- 00:39:37 - <info>-- defrag memory usage: 8912784 bytes, maximum: 33554432
          23/5/2014 -- 00:39:37 - <info>-- AutoFP mode using "Active Packets" flow load balancer
          23/5/2014 -- 00:39:37 - <info>-- preallocated 1024 packets. Total memory 4294656
          23/5/2014 -- 00:39:37 - <info>-- allocated 98304 bytes of memory for the host hash... 4096 buckets of size 24
          23/5/2014 -- 00:39:37 - <info>-- preallocated 1000 hosts of size 88
          23/5/2014 -- 00:39:37 - <info>-- host memory usage: 186304 bytes, maximum: 16777216
          23/5/2014 -- 00:39:37 - <info>-- allocated 1572864 bytes of memory for the flow hash... 65536 buckets of size 24
          23/5/2014 -- 00:39:37 - <info>-- preallocated 10000 flows of size 208
          23/5/2014 -- 00:39:37 - <info>-- flow memory usage: 3652864 bytes, maximum: 33554432
          23/5/2014 -- 00:39:37 - <info>-- IP reputation disabled
          23/5/2014 -- 00:39:37 - <info>-- Added "39" classification types from the classification file
          23/5/2014 -- 00:39:37 - <info>-- Added "20" reference types from the reference.config file
          23/5/2014 -- 00:39:37 - <info>-- using magic-file /usr/share/misc/magic
          23/5/2014 -- 00:39:37 - <info>-- Delayed detect disabled
          23/5/2014 -- 00:39:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
          23/5/2014 -- 00:39:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt"; flow:to_server,established; file_data; content:"appendChild"; content:"setUserData"; fast_pattern:only; pcre:"/\x2esetUserdata\x28.*?\x2eappendchild\x28/si"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:cve,2011-2378; classtype:attempted-user; sid:25233; rev:3;)" from file /usr/pbi/suricata-amd64/local/etc/suricata/suricata_48439_ppp1/rules/suricata.rules at line 178
          23/5/2014 -- 00:39:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
          23/5/2014 -- 00:39:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt"; flow:to_server,established; file_data; content:"document.createElement|28 27|iframe|27 29|"; fast_pattern:only; content:"<frame"; content:".xul"; content:".contentDocument.location.reload|28 29|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:cve,2011-2982; classtype:attempted-user; sid:25228; rev:4;)" from file /usr/pbi/suricata-amd64/local/etc/suricata/suricata_48439_ppp1/rules/suricata.rules at line 180
          23/5/2014 -- 00:39:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
          23/5/2014 -- 00:39:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_server; file_data; content:"IDBKeyRange"; pcre:"/^\x2e(only|lowerBound|upperBound|bound)\x28.*?\x29.*?\x2e(lower|upper|lowerOpen|upperOpen)/Rsmi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24574; rev:3;)" from file /usr/pbi/suricata-amd64/local/etc/suricata/suricata_48439_ppp1/rules/suricata.rules at line 183
          23/5/2014 -- 00:39:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
          23/5/2014 -- 00:39:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_server; file_data; content:"IDBKeyRange.lowerBound("; content:".upper"; within:20; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24573; rev:3;)" from file /usr/pbi/suricata-amd64/local/etc/suricata/suricata_48439_ppp1/rules/suricata.rules at line 184
          23/5/2014 -- 00:39:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.

          I can't enable Barnyard2 with MySQL (MariaDB 10) using the root user and giving pfSense authorization. I don't know why. Do I need to populate the Barnyard2 database with the structure?

          In Log Mgmt I can't save if I don't enable Auto Log Management; the error is: "The value for 'Unified2 Log Limit' must be an integer value greater than zero." It shows a grayed-out default integer value (32); I change it to 16 MB, but I need to enable Auto Log Management to change and save.

          I have to enable the interfaces after rebooting the system; they start disabled, maybe because they are (PPP)oE? My Hyper-V test machine restarts with the interface enabled (WAN - DHCPv4).

          Thanks

          pfSense:
          ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
          Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
          NICs: RTL8100E (internal) and Intel® PRO/1000 PT Dual (Intel 82571GB)

          • bmeeks

            @mais_um:

            Hi

            Some testing.

            In general it doesn't work very well because I have a PPPoE connection; I read that there is a bug with this (a no-go for me), and it fills my /var RAM partition: 82 MB in suricata.log on the pppoe interface, and on ppp (4G connection) there is a suricata.log of 12 MB. The first lines of the logs are below.


            I can't enable Barnyard2 with MySQL (MariaDB 10) using the root user and giving pfSense authorization. I don't know why. Do I need to populate the Barnyard2 database with the structure?

            In Log Mgmt I can't save if I don't enable Auto Log Management; the error is: "The value for 'Unified2 Log Limit' must be an integer value greater than zero." It shows a grayed-out default integer value (32); I change it to 16 MB, but I need to enable Auto Log Management to change and save.

            I have to enable the interfaces after rebooting the system; they start disabled, maybe because they are (PPP)oE? My Hyper-V test machine restarts with the interface enabled (WAN - DHCPv4).

            Thanks

            Those "invalid signature" errors are most likely due to running Snort VRT rules with Suricata.  Suricata can read and interpret most Snort VRT rules, but not all.  There are some rule options and keywords that only Snort recognizes and will process.  Suricata will perform better using one of the two Emerging Threats rules packages (ET-OPEN or ET-PRO).

            Suricata does not properly recognize PPPoE interfaces.  This is a limitation of the underlying binary.  Hopefully it will be addressed by the upstream developers in future updates.

            You do have to perform some manual setup steps in MySQL in order for Barnyard2 to connect and work.  Follow the instructions for configuring the database for Snorby. There are also some other tutorials on the web for running the Snort SQL script that will configure the DB for Barnyard2.

            The LOGS MGMT tab issue is a bug.  I will take care of it, but it will be in the next release.  In the interim, you should be able to just enable the AUTO LOG MGMT feature.  It would be a good idea in your situation because you seem to have limited space on the /var partition where logs are stored.

            Finally, rather than us cluttering up the 2.2 Snapshot issues thread with Suricata-specific issues, since Suricata now installs and will start up on 2.2, please post any follow-up issues with the package on 2.2 in the Packages sub-forum.

            Thanks,
            Bill

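As an added example (my code, not from the thread or the pfSense package), a small Python triage script for the suricata.log excerpts Raul posted and Bill's diagnosis above: it pairs each "error parsing signature" line with the reason Suricata printed just before it, pulls out the sid, rule file and line so the Snort-only rules can be disabled, and counts the reason line that "repeats a ton of times", which is what was filling /var. SAMPLE_LOG is constructed from the quoted lines (rules shortened).

```python
import re
from collections import Counter

# Constructed sample in the Suricata 1.4 suricata.log format quoted in the
# thread (rules shortened; the sids and the pppoe0 rules path are from it).
SAMPLE_LOG = """\
23/5/2014 -- 01:16:27 - <info>-- Delayed detect disabled
23/5/2014 -- 01:16:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
23/5/2014 -- 01:16:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt"; flow:to_server,established; file_data; content:"appendChild"; sid:25233; rev:3;)" from file /usr/pbi/suricata-amd64/local/etc/suricata/suricata_50926_pppoe0/rules/suricata.rules at line 178
23/5/2014 -- 01:16:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
23/5/2014 -- 01:16:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_server; file_data; content:"IDBKeyRange.lowerBound("; content:".upper"; within:20; sid:24573; rev:3;)" from file /usr/pbi/suricata-amd64/local/etc/suricata/suricata_50926_pppoe0/rules/suricata.rules at line 184
23/5/2014 -- 01:16:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
23/5/2014 -- 01:16:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
"""

# Line shape: "23/5/2014 -- 01:16:27 - <error>-- <text>"
LINE_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d\d:\d\d:\d\d) - <(?P<level>\w+)>-- (?P<text>.*)$")
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<detail>.*)$")
PARSE_FAIL_RE = re.compile(r'^error parsing signature "(?P<rule>.*)" from file (?P<path>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"\bsid:(\d+);")
MSG_RE = re.compile(r'msg:"([^"]*)"')


def parse_line(line):
    """Split one suricata.log line into timestamp, level, errcode and detail."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    e = ERRCODE_RE.match(rec["text"])
    rec["errcode"] = e.group("code") if e else None
    rec["detail"] = e.group("detail") if e else rec["text"]
    return rec


def failed_rules(log_text):
    """One record per rule Suricata refused to load.

    Suricata prints the reason ("Can't use file_data with flow:to_server ...")
    on one line and "error parsing signature ..." on the next, so the most
    recent reason line is attached to the parse failure that follows it.
    """
    pending_reason = None
    results = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["level"] != "error":
            continue
        pf = PARSE_FAIL_RE.match(rec["detail"])
        if pf is None:
            pending_reason = rec["detail"]
            continue
        rule = pf.group("rule")
        sid, msg = SID_RE.search(rule), MSG_RE.search(rule)
        results.append({
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else "",
            "path": pf.group("path"),
            "line": int(pf.group("line")),
            "reason": pending_reason,
        })
        pending_reason = None
    return results


def reason_counts(log_text):
    """Count the non-parse error lines: shows what is actually filling /var."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["level"] == "error" and not PARSE_FAIL_RE.match(rec["detail"]):
            counts[rec["detail"]] += 1
    return counts


def disable_sids(records):
    """Sorted SIDs to disable in the rule set so Suricata stops rejecting them."""
    return sorted({r["sid"] for r in records if r["sid"] is not None})


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for r in failed_rules(text):
        print(f"sid {r['sid']}  {r['path']}:{r['line']}  {r['msg']}")
        print(f"    reason: {r['reason']}")
    for reason, n in reason_counts(text).most_common(3):
        print(f"{n}x  {reason}")
    print("disable:", disable_sids(failed_rules(text)))
```

Run it against the real file (`python3 triage.py /var/log/suricata/suricata_50926_pppoe0/suricata.log`, path as in the quoted errors) to get the SID list for the rules to disable.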
            • rcfa

              @bmeeks:

              Suricata does not properly recognize PPPoE interfaces.  This is a limitation of the underlying binary.  Hopefully it will be addressed by the upstream developers in future updates.

              How about other types of "semi-virtual" interfaces: VPN connections, failover interfaces like laggN, etc.?
              i.e. is this specific to PPPoE, or specific to anything that's not a "bare metal" interface?

              • bmeeks

                @rcfa:

                @bmeeks:

                Suricata does not properly recognize PPPoE interfaces.  This is a limitation of the underlying binary.  Hopefully it will be addressed by the upstream developers in future updates.

                How about other types of "semi-virtual" interfaces: VPN connections, failover interfaces like laggN, etc.?
                i.e. is this specific to PPPoE, or specific to anything that's not a "bare metal" interface?

                I don't know. I really do not have all the various interface types available to test on.  PPPoE was reported by users.  I just did some more detailed investigation a week or so back and found that it is an issue in the underlying Suricata binary.  FreeBSD (and thus, by extension, pfSense) reports a PPPoE interface as having Data Link Type NULL (or DLT_NULL).  Other operating systems report a PPP link with different Data Link Type codes.  Suricata is not currently written to support a returned Data Link Type of DLT_NULL.

                Bill

                • rcfa

                  @bmeeks:

                  FreeBSD (and thus, by extension, pfSense) reports a PPPoE interface as having Data Link Type NULL (or DLT_NULL).  Other operating systems report a PPP link with different Data Link Type codes.  Suricata is not currently written to support a returned Data Link Type of DLT_NULL.

                  Is there an easy, user-level way of testing what Data Link Type various interfaces report?
                  A command like ifconfig or something like that?

                  • bmeeks

                    @rcfa:

                    @bmeeks:

                    FreeBSD (and thus, by extension, pfSense) reports a PPPoE interface as having Data Link Type NULL (or DLT_NULL).  Other operating systems report a PPP link with different Data Link Type codes.  Suricata is not currently written to support a returned Data Link Type of DLT_NULL.

                    Is there an easy, user-level way of testing what Data Link Type various interfaces report?
                    A command like ifconfig or something like that?

                    If you mean determining what data link types Suricata supports, those are in the Suricata source code module.

                    
                    #ifndef DLT_EN10MB
                    #define DLT_EN10MB 1
                    #endif
                    
                    /* taken from pcap's bpf.h */
                    #ifndef DLT_RAW
                    #ifdef __OpenBSD__
                    #define DLT_RAW     14  /* raw IP */
                    #else
                    #define DLT_RAW     12  /* raw IP */
                    #endif
                    #endif
                    
                    /** libpcap shows us the way to linktype codes
                     * \todo we need more & maybe put them in a separate file? */
                    #define LINKTYPE_ETHERNET   DLT_EN10MB
                    #define LINKTYPE_LINUX_SLL  113
                    #define LINKTYPE_PPP        9
                    #define LINKTYPE_RAW        DLT_RAW
                    #define PPP_OVER_GRE        11
                    #define VLAN_OVER_GRE       13
                    
                    

                    As you see, DLT_NULL is not one of the supported link types.

                    Bill

                    • BBcan177 (Moderator)

                      I think rcfa is asking if he can see the data stream like in wireshark to see what data link types are in his network?

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                      • rcfa

                        @BBcan177:

                        I think rcfa is asking if he can see the data stream like in wireshark to see what data link types are in his network?

                        Kind of both. Since I'm not familiar with low-level IP/network programming, I wasn't even aware of these Data Link Types. So when it first was said that it can't handle DLT_NULL I assumed that some interfaces just don't set a type (hence NULL), and that the software isn't able to handle that case.

                        From the code snippet however, it seems that there might be an (arbitrary?) number of DLTs, and that the software handles certain specific types, which seem to be DLT_RAW, DLT_EN10MB, 9, 11, 13, 113.

                        Knowing that, the question is, given the various links I have (IPSec, OpenVPN, GRE tunnels, LAGG, etc.) how can I know (without trying to dissect source code), what link types these have, and thus, if the software will or won't work with them…

                        • bmeeks

                          @rcfa:

                          @BBcan177:

                          I think rcfa is asking if he can see the data stream like in wireshark to see what data link types are in his network?

                          Kind of both. Since I'm not familiar with low-level IP/network programming, I wasn't even aware of these Data Link Types. So when it first was said that it can't handle DLT_NULL I assumed that some interfaces just don't set a type (hence NULL), and that the software isn't able to handle that case.

                          From the code snippet however, it seems that there might be an (arbitrary?) number of DLTs, and that the software handles certain specific types, which seem to be DLT_RAW, DLT_EN10MB, 9, 11, 13, 113.

                          Knowing that, the question is, given the various links I have (IPSec, OpenVPN, GRE tunnels, LAGG, etc.) how can I know (without trying to dissect source code), what link types these have, and thus, if the software will or won't work with them…

                          Start a tcpdump capture on each interface and then quickly stop it.  The data link type will be printed in the header information tcpdump prints when it starts.

                          Bill

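An added example (my code, not from the thread, Suricata or the pfSense package) that automates Bill's tcpdump check and compares the link type tcpdump reports with the ones in the decode.h fragment he quoted earlier in the thread. The banners in SAMPLE_BANNERS are constructed, and leaving the two *_OVER_GRE codes out of the supported set is my assumption.

```python
import re
import subprocess

# Link types from the decode.h fragment quoted in the thread, by libpcap name.
# The two *_OVER_GRE codes are inner-encapsulation values rather than interface
# link types, so they are left out (my assumption, not stated in the thread).
SURICATA_1_4_LINKTYPES = {"EN10MB", "LINUX_SLL", "PPP", "RAW"}

# DLT numbers behind the names tcpdump prints (pcap bpf.h; RAW is 14 on OpenBSD).
DLT_NUMBERS = {"NULL": 0, "EN10MB": 1, "PPP": 9, "RAW": 12, "LINUX_SLL": 113}

# tcpdump banner: "listening on pppoe0, link-type NULL (BSD loopback), capture size ..."
BANNER_RE = re.compile(r"listening on (?P<iface>\S+), link-type (?P<dlt>\S+) \((?P<desc>[^)]*)\)")


def link_type_from_banner(text):
    """Return (iface, DLT name, description) from tcpdump's banner, or None."""
    m = BANNER_RE.search(text)
    return (m.group("iface"), m.group("dlt"), m.group("desc")) if m else None


def classify(text):
    """Verdict for one tcpdump stderr capture: can Suricata 1.4 use this link type?"""
    parsed = link_type_from_banner(text)
    if parsed is None:
        # No banner: tcpdump could not open the device (bad name, not root, ...).
        return {"iface": None, "dlt": None, "dlt_num": None,
                "supported": None, "note": text.strip()}
    iface, dlt, desc = parsed
    return {"iface": iface, "dlt": dlt, "dlt_num": DLT_NUMBERS.get(dlt),
            "supported": dlt in SURICATA_1_4_LINKTYPES, "note": desc}


def probe_interface(iface, timeout=3.0):
    """Bill's check, automated: start tcpdump, read its banner, stop it.

    Opening the interface needs root; run it from the firewall's shell.
    """
    proc = subprocess.Popen(["tcpdump", "-i", iface, "-c", "1", "-n"],
                            stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)
    try:
        _, err = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        # No packet arrived; the banner was printed at startup, so kill and collect.
        proc.kill()
        _, err = proc.communicate()
    return classify(err.decode("utf-8", "replace"))


# Constructed banners in tcpdump's format, standing in for live captures.
SAMPLE_BANNERS = {
    "em0": "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode\n"
           "listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes\n",
    "pppoe0": "listening on pppoe0, link-type NULL (BSD loopback), capture size 65535 bytes\n",
    "nosuch0": "tcpdump: nosuch0: No such device exists\n",
}


def report(results):
    """One formatted line per interface; returned so callers can check them."""
    state = {True: "ok", False: "UNSUPPORTED", None: "unknown"}
    return [f"{str(r['iface']):<8} {str(r['dlt']):<10} {state[r['supported']]:<12} {r['note']}"
            for r in results]


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        results = [probe_interface(i) for i in sys.argv[1:]]
    else:
        results = [classify(b) for b in SAMPLE_BANNERS.values()]
    print("\n".join(report(results)))
```

With interface names on the command line it probes live (e.g. `python3 dltcheck.py em0 pppoe0 ovpns1`); with none it classifies the constructed banners.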