Project

General

Profile

Actions
Copy link

Bug #6587

open

DPDK 'tap' mode doesn't alert on TCP protocol rules

Added by Francis Trudeau 11 months ago. Updated 11 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Tested using:

Suricata version 8.0.0-dev (d005fff7b 2023-11-24)
Suricata version 7.0.3-dev (aae6beaa5 2023-11-22)
Suricata version 7.0.3-dev (c8a7204b1 2023-11-02)

In a Debian 12 Qemu VM using either e1000 or virtio NICs.

Test sensor has two detection NICs, straddling two virtual networks. Each virtual network has a VM, one acting as a client (10.1.11.1/16) and one acting as a server (10.1.12.1/16). I ran inetsim on the 'server'.

I tried detecting SMTP, HTTP, DNS and FTP using the attached local.rules

I generated traffic with attached generate_detections.sh

When running Suricata using attached manual_dpdk_suricata.sh, I get no TCP protocol detections. See attached fast.dpdk.log.

When running Suricata using attached manual_bridge_suricata.sh, I get the expected detections. See attached fast.br0.log

Files

Download all files
suricata.dpdk.tap.yaml (83.3 KB) suricata.dpdk.tap.yaml Francis Trudeau, 11/29/2023 07:21 PM
local.rules (787 Bytes) local.rules Francis Trudeau, 11/29/2023 07:21 PM
suricata.dpdk.tap.log (23.6 KB) suricata.dpdk.tap.log Francis Trudeau, 11/29/2023 07:22 PM
manual_dpdk_suricata.sh (908 Bytes) manual_dpdk_suricata.sh Francis Trudeau, 11/29/2023 07:31 PM
generate_detections.sh (241 Bytes) generate_detections.sh Francis Trudeau, 11/29/2023 07:42 PM
manual_bridge_suricata.sh (681 Bytes) manual_bridge_suricata.sh Francis Trudeau, 11/29/2023 07:51 PM
fast.dpdk.log (2.69 KB) fast.dpdk.log Francis Trudeau, 11/29/2023 07:54 PM
fast.br0.log (6.09 KB) fast.br0.log Francis Trudeau, 11/29/2023 07:55 PM

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #6588: DPDK 'ips' mode doesn't pass TCP trafficNewOISF DevActions
Actions
Copy link

Also available in: Atom PDF