
Is there any way of analyzing loopback traffic with Suricata?

I am trying it this way without success:

root@security-onion:/home/sar/TFM/alerts/suricata# suricata -c /etc/suricata/suricata.yaml -i lo -l . -k none
7/9/2018 -- 19:32:25 - <Notice> - This is Suricata version 4.0.5 RELEASE
7/9/2018 -- 19:32:29 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'lo': Operation not supported (95)
7/9/2018 -- 19:32:29 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
7/9/2018 -- 19:32:29 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
7/9/2018 -- 19:32:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
7/9/2018 -- 19:32:29 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-lo failed

This is the suricata configuration file: suricata.yaml

Any hint?

1 Answer


If you want to run in pcap live mode then you should turn off AF_PACKET mode in the Suricata configuration file: suricata.yaml.

# Linux high speed capture support
af-packet:
  - interface: lo

You got the error because of the af-packet packet capturing mode, which is probably not configured properly.

7/9/2018 -- 19:32:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
Saket Mittal
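As an added example (not part of the question or the answer above, and not Suricata project code), the following Python script parses Suricata 4.x console output of the kind quoted in the question, flags the AF_PACKET socket failure and the worker thread that died, and builds the equivalent command line for libpcap live mode. The sample log lines are the ones from the question, embedded as a constant; `--pcap=<iface>` is Suricata's own option for pcap live capture, while the function names, the regular expressions and the dictionary layout are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the engine output quoted in the question above.
SAMPLE_LOG = """\
7/9/2018 -- 19:32:25 - <Notice> - This is Suricata version 4.0.5 RELEASE
7/9/2018 -- 19:32:29 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'lo': Operation not supported (95)
7/9/2018 -- 19:32:29 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
7/9/2018 -- 19:32:29 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
7/9/2018 -- 19:32:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
7/9/2018 -- 19:32:29 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-lo failed
"""

# One Suricata 4.x console line: "<date> -- <time> - <Level> - [ERRCODE: NAME(n)] - message".
# The ERRCODE part is optional (Notice lines do not carry one).
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - "
    r"<(?P<level>[A-Za-z]+)> - "
    r"(?:\[ERRCODE: (?P<code>[A-Z0-9_]+)\((?P<num>\d+)\)\] - )?"
    r"(?P<msg>.*)$"
)
# Worker-thread failure message; the thread name embeds the capture interface.
THREAD_RE = re.compile(r"thread (?P<thread>W#\d+-(?P<iface>\S+)) failed")


@dataclass
class LogRecord:
    timestamp: str
    level: str            # Notice, Warning, Error, ...
    errcode: Optional[str]
    errnum: Optional[int]
    message: str


def parse_log(text: str) -> List[LogRecord]:
    """Parse console output into records; lines that do not match the format are skipped."""
    records: List[LogRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        records.append(LogRecord(
            timestamp=m["ts"],
            level=m["level"],
            errcode=m["code"],
            errnum=int(m["num"]) if m["num"] else None,
            message=m["msg"],
        ))
    return records


def diagnose(text: str) -> Dict[str, object]:
    """Summarise why a capture start-up failed (field names are my own assumption)."""
    records = parse_log(text)
    errors = [r for r in records if r.level == "Error"]
    failed_threads: List[str] = []
    interface: Optional[str] = None
    for r in errors:
        m = THREAD_RE.search(r.message)
        if m:
            failed_threads.append(m["thread"])
            interface = interface or m["iface"]
    return {
        "errors": [r.errcode for r in errors],
        "af_packet_failed": any(r.errcode == "SC_ERR_AFP_CREATE" for r in errors),
        "fatal": any(r.errcode == "SC_ERR_FATAL" for r in errors),
        "failed_threads": failed_threads,
        "interface": interface,
    }


def pcap_command(config: str, iface: str, logdir: str) -> List[str]:
    """argv for the same run in libpcap live mode: --pcap=<iface> instead of -i <iface>."""
    return ["suricata", "-c", config, f"--pcap={iface}", "-l", logdir, "-k", "none"]


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["af_packet_failed"] and result["interface"]:
        print("fallback:", " ".join(pcap_command("/etc/suricata/suricata.yaml",
                                                 str(result["interface"]), ".")))
```

Run it with no arguments to see the diagnosis of the sample output; in practice you would feed it the captured stderr of your own Suricata start. With `-i <dev>` Suricata on Linux defaults to AF_PACKET, so the built fallback uses `--pcap=lo` to select libpcap capture for the same interface, log directory and checksum setting as the original command.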