English Forums > Intrusion Detection and Prevention

Suricata and loopback interface


cmdr.adama:
Hi all,

I am in a little bit of a predicament at the moment with my Suricata setup on 20.1.1. Everything seems to be running fine when I just have Suricata set to monitor the LAN interface; however, when I add my newly created lo1 loopback interface it crashes.

A bit of backstory: I have the FW running in AWS and am mainly using Suricata to inspect HTTP/HTTPS traffic coming in from the internet. I have SSL offloading sending the unencrypted traffic to the loopback interface, then back in to re-encrypt before sending it on to the webserver.


--- Code: ---2020-03-05T13:55:21 suricata: [101218] <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
2020-03-05T13:55:21 suricata: [101218] <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01-lo1" failed to initialize: flags 0145
2020-03-05T13:55:21 suricata: [100885] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't query netmap for lo1, error Invalid argument
2020-03-05T13:55:21 suricata: [101218] <Error> -- [ERRCODE: SC_ERR_SYSCALL(50)] - Unable to set caps for iface "lo1": Operation not supported
2020-03-05T13:55:21 suricata: [101218] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't query netmap for lo1, error Invalid argument
2020-03-05T13:55:21 suricata: [101218] <Error> -- [ERRCODE: SC_ERR_SYSCALL(50)] - Unable to set caps for iface "lo1": Operation not supported
2020-03-05T13:55:21 suricata: [100884] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't query netmap for lo1, error Invalid argument
2020-03-05T13:55:21 suricata: [101218] <Error> -- [ERRCODE: SC_ERR_SYSCALL(50)] - Unable to set caps for iface "lo1": Operation not supported
2020-03-05T13:55:21 suricata: [101218] <Error> -- [ERRCODE: SC_ERR_SYSCALL(50)] - Unable to set caps for iface "lo1": Operation not supported
2020-03-05T13:55:21 suricata: [101218] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't query netmap for lo1, error Invalid argument
--- End code ---

What am I missing? Is there a way to get Suricata working with a loopback interface?

cmdr.adama:
Hopefully with some more info I might get some more interest in solving the issue.
I have attached the settings in Suricata and the loopback interface...

I can also see from the console that the PROMISC and PPROMISC tags have been assigned to the lo1 interface...


--- Code: ---lo1: flags=28149<UP,LOOPBACK,RUNNING,PROMISC,MULTICAST,PPROMISC> metric 0 mtu 16384
        options=600000<RXCSUM_IPV6,TXCSUM_IPV6>
        inet 10.1.1.1 netmask 0xffffffff
        inet6 fe80::1%lo1 prefixlen 64 scopeid 0x6
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
--- End code ---

siga75:
Why don't you use a reverse proxy for that work? nginx is perfect for this; you can terminate your SSL there.

AdSchellevis:

--- Quote ---Hopefully with some more info I might get some more interest in solving the issue.

--- End quote ---

IPS mode is only supported on real (physical) interfaces, as described in the docs https://docs.opnsense.org/manual/ips.html#general-setup

Best regards,

Ad
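
As an added illustration (not code from this thread or from the OPNsense project), a small Python diagnostic that reads the Suricata errors quoted above together with the ifconfig flags and explains why netmap could not attach: the interface is a loopback. The log and ifconfig samples are constructed from the thread; vtnet1 is a hypothetical physical NIC added for contrast.

```python
import re

# Constructed sample of the Suricata errors quoted in the thread (not a live capture).
SAMPLE_LOG = """\
2020-03-05T13:55:21 suricata: [101218] <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
2020-03-05T13:55:21 suricata: [100885] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't query netmap for lo1, error Invalid argument
2020-03-05T13:55:21 suricata: [101218] <Error> -- [ERRCODE: SC_ERR_SYSCALL(50)] - Unable to set caps for iface "lo1": Operation not supported
"""

# Constructed ifconfig output: the lo1 loopback from the thread plus a hypothetical physical NIC.
SAMPLE_IFCONFIG = """\
lo1: flags=28149<UP,LOOPBACK,RUNNING,PROMISC,MULTICAST,PPROMISC> metric 0 mtu 16384
        inet 10.1.1.1 netmask 0xffffffff
        groups: lo
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.1.10 netmask 0xffffff00
"""

# Matches the netmap/caps errors and pulls the interface name out of either message form.
ERR_RE = re.compile(r'\[ERRCODE: (?P<code>SC_ERR_\w+)\(\d+\)\].*?\bfor (?:iface ")?(?P<iface>[A-Za-z0-9_.]+)')
NETMAP_CODES = {"SC_ERR_NETMAP_CREATE", "SC_ERR_SYSCALL"}

def netmap_failures(log_text):
    """Map each interface named in a netmap/caps error to the set of error codes seen."""
    failures = {}
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m and m.group("code") in NETMAP_CODES:
            failures.setdefault(m.group("iface"), set()).add(m.group("code"))
    return failures

def parse_ifconfig(text):
    """Return {iface: {"flags": set, "groups": set}} from FreeBSD-style ifconfig output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = re.match(r'^(\S+): flags=\w+<([^>]*)>', line)
        if head:
            current = head.group(1)
            ifaces[current] = {"flags": set(head.group(2).split(",")), "groups": set()}
        elif current and line.strip().startswith("groups:"):
            ifaces[current]["groups"].update(line.split(":", 1)[1].split())
    return ifaces

def ips_capable(info):
    """Netmap IPS needs a real NIC: reject loopbacks (LOOPBACK flag or the 'lo' group)."""
    return "LOOPBACK" not in info["flags"] and "lo" not in info["groups"]

def diagnose(log_text, ifconfig_text):
    """Pair each failing interface with the reason netmap could not attach to it."""
    ifaces, report = parse_ifconfig(ifconfig_text), {}
    for iface, codes in netmap_failures(log_text).items():
        info = ifaces.get(iface)
        if info is None:
            report[iface] = "interface not present in ifconfig output"
        elif not ips_capable(info):
            report[iface] = "loopback interface: netmap/IPS mode needs a physical interface"
        else:
            report[iface] = "netmap attach failed for another reason: " + ", ".join(sorted(codes))
    return report
```

Running `diagnose(SAMPLE_LOG, SAMPLE_IFCONFIG)` points straight at lo1 as a loopback, which is the same conclusion as the reply above; a physical interface such as the hypothetical vtnet1 passes `ips_capable`.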

cmdr.adama:

--- Quote from: siga75 on March 06, 2020, 01:10:46 pm ---Why don't you use a reverse proxy for that work? nginx is perfect for this; you can terminate your SSL there.

--- End quote ---

That's exactly what I am doing... except via HAProxy... The idea is that I want to SSL offload the inbound HTTPS traffic, inspect it via Suricata and re-encrypt it to be sent to the webserver.


--- Quote from: AdSchellevis on March 06, 2020, 02:59:43 pm ---
--- Quote ---Hopefully with some more info I might get some more interest in solving the issue.

--- End quote ---

IPS mode is only supported on real (physical) interfaces, as described in the docs https://docs.opnsense.org/manual/ips.html#general-setup

Best regards,

Ad

--- End quote ---

Ah well, that sucks... I was hoping to be able to do inspection of HTTPS traffic as per my explanation above. Unless promiscuous mode on the LAN would still see the loopback traffic, but would IPS still work on traffic going through the loopback, or just detect it...
