Autosuricata
af-packet not working
I had issues trying to install Snort (I have an issue open on that). So I went the Suricata route. I have 3 network interfaces (enp0s3, enp0s8, and enp0s9). I entered enp0s8 and enp0s9 in the full_autosuricata.conf file. Installation of Suricata is successful, reboots. The ps -ef|grep suricata command displays the proper info per the Building VMs book. But my Metasploitable 2 VM still does not acquire a DHCP address from the pfsense VM. It seems the bridge isn't working. I tried modifying the af-packet.yaml file and changing the copy-mode option from ips to "tap". Did not make a difference. I also downloaded the rules from emerging threats and started Suricata, but still no bridging of ips1 and ips2 networks. The Kali VM does acquire a DHCP address from pfsense.
Can you run ifconfig -a on the Suricata box and show me the output for enp0s8 and enp0s9? What hypervisor are you using?
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/da667/Autosuricata/issues/1, or mute the thread https://github.com/notifications/unsubscribe-auth/ACFvf7NrRH4kqiqhOoN8R-Ywn5MHN4Mqks5u9_umgaJpZM4Zkv_u .
Here you go. Using VirtualBox.
I don't know how it happened but enp0s8 shouldn't have an IP address. Additionally, enp0s8 and s9 should have the flags noarp, promisc, and up. Neither should have an IP address. This is probably why bridging is failing.
Delete enp0s8 and s9 from /etc/network/interfaces entirely, reboot your system, and run ifconfig again.
On Sat, Dec 29, 2018, 7:11 PM Shootace <[email protected] wrote:
Here you go. Using VirtualBox. [image: img_7038] https://user-images.githubusercontent.com/46234434/50543161-73ad0280-0b9d-11e9-82cd-11ee2a6a9b9a.jpg
For anyone who comes along down the line, your interfaces may now be in /etc/netplan/*-installer-config.yaml. Fix here is still the same - delete the 2nd and 3rd interface and reboot. Make sure promiscuous mode is enabled; can enable it on the first interface with sudo ifconfig ens32 promisc
(Fusion Pro seemed to need a kick to prompt/activate it).
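The interface state described earlier in this thread (both bridged interfaces UP, PROMISC and NOARP, with no IP address) can be checked with a short script. This is an added example, not part of the original thread or of Autosuricata; the `check_iface` function and the sample `ip -o` output are constructed for illustration, and only IPv4 addresses are checked.

```shell
#!/bin/sh
# Added example: verify that AF_PACKET inline interfaces are UP, PROMISC,
# NOARP and carry no IPv4 address (the state the thread says bridging needs).

# Constructed sample of `ip -o link show` output: enp0s8 is misconfigured.
SAMPLE_LINK='2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
4: enp0s9: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 state UP'

# Constructed sample of `ip -o -4 addr show` output.
SAMPLE_ADDR='2: enp0s3    inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3
3: enp0s8    inet 172.16.2.3/24 brd 172.16.2.255 scope global enp0s8'

# check_iface NAME LINK_TEXT ADDR_TEXT
# Prints one line per problem; returns 0 when the interface is clean.
check_iface() {
    ci_name=$1; ci_rc=0
    ci_line=$(printf '%s\n' "$2" | grep -E "^[0-9]+: ${ci_name}: ") || {
        echo "$ci_name: not found"; return 1; }
    # Extract the flag list between < and >, comma-delimited on both ends
    # so that UP does not match inside LOWER_UP.
    ci_flags=${ci_line#*<}
    ci_flags=",${ci_flags%%>*},"
    for ci_flag in UP PROMISC NOARP; do
        case $ci_flags in
            *",$ci_flag,"*) ;;
            *) echo "$ci_name: missing flag $ci_flag"; ci_rc=1 ;;
        esac
    done
    # Any IPv4 address on a bridged interface is a misconfiguration.
    ci_addrs=$(printf '%s\n' "$3" |
        awk -v n="$ci_name" '$2 == n && $3 == "inet" {print $4}')
    for ci_addr in $ci_addrs; do
        echo "$ci_name: has IPv4 address $ci_addr"; ci_rc=1
    done
    return $ci_rc
}

# Demo on the constructed samples. On a live sensor, pass
# "$(ip -o link show)" and "$(ip -o -4 addr show)" instead.
for ci_if in enp0s8 enp0s9; do
    check_iface "$ci_if" "$SAMPLE_LINK" "$SAMPLE_ADDR" || true
done
```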