Hi,
When I run snort in inline mode with daq afpacket, everything looks good when I test via ICMP. I can ping through the snort VM no problem. If I set a rule to drop ICMP, this works too, no packets get through. Works nicely.
However, as soon as I switch to TCP, issues arise. When I attempt "curl 192.168.101.20:8080", I see a TCP SYN packet arrive on the victim but that's all I get. The victim does not respond at all. The service is running on 8080 and works locally:
root@victim-525400a86514:~# curl 192.168.101.20:8080
{"timestamp":"2025-05-01T10:22:05.642+00:00","status":400,"error":"Bad Request","path":"/"}root@victim-525400a86514:~#
Here is the arp entry on the victim (which maps to eth0 on the attacker):
root@victim-525400a86514:~# arp -a
? (192.168.101.10) at 52:54:00:a8:65:0a [ether] on eth0
My test environment is in libvirt/kvm and looks like this:
# ┌──────────────────────────────────────────────────────────────────────┐
# │                    VIRTUAL TEST NETWORK TOPOLOGY                     │
# │                                                                      │
# │                    ┌──────────────────────┐                          │
# │                    │    Inspector (VM)    │                          │
# │                    │                      │                          │
# │                    │  eth1 → attack       │                          │
# │                    │  eth2 → victim       │                          │
# │                    └──────────────────────┘                          │
# │                      ▲                  ▲                            │
# │                      │                  │                            │
# │         ┌────────────┘                  └────────────┐               │
# │         ▼                                            ▼               │
# │  ┌────────────────────┐                  ┌─────────────────────┐     │
# │  │ Kali (Attacker VM) │                  │     Victim (VM)     │     │
# │  │ eth0 → attack      │                  │ eth0 → victim       │     │
# │  └────────────────────┘                  └─────────────────────┘     │
# └──────────────────────────────────────────────────────────────────────┘
I was wondering if this is the right way to set up the env in KVM, with a different bridge on either side of the snort VM.
I'm using these snort command line args:
-q -k none -Q -i eth1:eth2 -c /etc/snort/snort.lua --daq afpacket --daq-var=buffer_size_mb=256 --daq-mode inline
Here's a full dump of my kvm/libvirt info.
╔═══════════════════════════════════════════════════════════════╗
║ HOST INFORMATION ║
╚═══════════════════════════════════════════════════════════════╝
CPU Model: AMD EPYC 4244P 6-Core Processor
CPU Cores: 12
Memory: 62GB
Kernel: 6.8.0-53-generic
Libvirt: libvirt 10.0.0
QEMU: QEMU 10.0.0
Gathering host network interfaces...
Gathering bridge information...
╔═══════════════════════════════════════════════════════════════╗
║ NETWORK INTERFACES ║
╚═══════════════════════════════════════════════════════════════╝
INTERFACE MAC ADDRESS STATE TYPE CONNECTED TO
---------------------------------------------------------------------------------
lo 00:00:00:00:00:00 UNKNOWN Loopback -
enp1s0f0np0 9c:6b:00:66:f4:4b UP Physical NIC -
enp1s0f1np1 9c:6b:00:67:04:8e DOWN Physical NIC -
virbr0 52:54:00:7e:c9:1d UP Libvirt Bridge -
br-b5902ae99d0d 02:42:93:b3:53:f8 UP Bridge -
br-b85c3763b14a 02:42:6b:71:14:a4 UP Bridge -
docker0 02:42:ff:76:45:c8 DOWN Other -
vethff09f03@if12 Other -
veth8854d1e@if14 Other -
veth8503094@if16 Other -
veth8d0d5d9@if18 Other -
br-attack-01 0e:4c:61:1d:99:6e DOWN Bridge -
br-victim-01 02:37:90:40:60:a2 DOWN Bridge -
t1-attack-br 8e:ef:6c:46:13:06 UP Other -
t1-victim-br a2:e3:4a:b2:4f:0b UP Other -
vnet6 fe:54:00:a8:65:0a UNKNOWN VM Interface t1-attack-br
vnet7 fe:54:00:a8:65:14 UNKNOWN VM Interface t1-victim-br
vnet8 fe:54:00:a8:7a:03 UNKNOWN VM Interface virbr0
vnet9 fe:54:00:a8:65:0b UNKNOWN VM Interface t1-attack-br
vnet10 fe:54:00:a8:65:0c UNKNOWN VM Interface t1-victim-br
vnet11 fe:54:00:a8:7a:02 UNKNOWN VM Interface virbr0
╔═══════════════════════════════════════════════════════════════╗
║ BRIDGE INFORMATION ║
╚═══════════════════════════════════════════════════════════════╝
BRIDGE            BRIDGE ID          STP  INTERFACES
------------------------------------------------------------------------
br-attack-01                         no
br-b5902ae99d0d   8000.024293b353f8  no   veth8503094, veth8d0d5d9, vethff09f03
br-b85c3763b14a   8000.02426b7114a4  no   veth8854d1e
br-victim-01      8000.0237904060a2  no
docker0           8000.0242ff7645c8  no
t1-attack-br      8000.8eef6c461306  no   vnet6, vnet9
t1-victim-br      8000.a2e34ab24f0b  no   vnet10, vnet7
virbr0            8000.5254007ec91d  yes  vnet11, vnet8
Gathering libvirt network information...
╔═══════════════════════════════════════════════════════════════╗
║ LIBVIRT NETWORKS ║
╚═══════════════════════════════════════════════════════════════╝
NAME STATE AUTOSTART BRIDGE IP ADDRESS
-----------------------------------------------------------------------
default yes yes virbr0 52:54:00:7e:c9:1d
t1-attack yes yes t1-attack-br -
t1-victim yes yes t1-victim-br -
Gathering virtual machine information...
╔═══════════════════════════════════════════════════════════════╗
║ VIRTUAL MACHINES ║
╚═══════════════════════════════════════════════════════════════╝
NAME STATE AUTOSTART MEMORY VCPUS
------------------------------------------------------------------
t1-attacker running disable 2.0GB 2
t1-victim running disable 4.0GB 2
t1-inspector running disable 8.0GB 4
╔═══════════════════════════════════════════════════════════════╗
║ VM NETWORK INTERFACES ║
╚═══════════════════════════════════════════════════════════════╝
VM NAME MAC ADDRESS TYPE CONNECTION
------------------------------------------------------------------
t1-attacker 52:54:00:a8:65:0a bridge bridge: t1-attack-br
t1-victim 52:54:00:a8:65:14 bridge bridge: t1-victim-br
t1-inspector 52:54:00:a8:7a:03 bridge bridge: virbr0
t1-inspector 52:54:00:a8:65:0b bridge bridge: t1-attack-br
t1-inspector 52:54:00:a8:65:0c bridge bridge: t1-victim-br
╔═══════════════════════════════════════════════════════════════╗
║ LIBVIRT LOGICAL NETWORK DIAGRAM ║
╚═══════════════════════════════════════════════════════════════╝
PHYSICAL HOST
  lo
  enp1s0f0np0
  enp1s0f1np1
  virbr0
  br-b5902ae99d0d
  br-b85c3763b14a
  docker0
  vethff09f03@if12
  veth8854d1e@if14
  veth8503094@if16
  veth8d0d5d9@if18
  br-attack-01
  br-victim-01
  t1-attack-br
  t1-victim-br
  vnet6  ──► t1-attack-br
  vnet7  ──► t1-victim-br
  vnet8  ──► virbr0
  vnet9  ──► t1-attack-br
  vnet10 ──► t1-victim-br
  vnet11 ──► virbr0

BRIDGE: br-attack-01      veth8d0d5d9, vethff09f03, vnet9, vnet7
BRIDGE: br-b5902ae99d0d   veth8d0d5d9, vethff09f03, vnet9, vnet7
BRIDGE: br-b85c3763b14a   vnet9, vnet7, vnet8
BRIDGE: br-victim-01      vnet9, vnet7, vnet8
BRIDGE: docker0           vnet9, vnet7, vnet8
BRIDGE: t1-attack-br      vnet9, vnet7, vnet8
BRIDGE: t1-victim-br      vnet7, vnet8
BRIDGE: virbr0            vnet8

LIBVIRT NETWORK: default   (bridge: virbr0)        (empty)
LIBVIRT NETWORK: t1-attack (bridge: t1-attack-br)  (empty)
LIBVIRT NETWORK: t1-victim (bridge: t1-victim-br)  (empty)
Would really appreciate any insights into what might be going wrong here. Been stuck on this for a few days now.
Cheers,
Jason
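Added diagnostic, not part of Jason's post: a small Python checker for the kind of capture described above. When ICMP crosses an inline pair but a TCP SYN arrives at the receiver and is never answered, one thing worth ruling out is that the forwarded segment still carries the partial TCP checksum a virtio sender leaves for NIC offload to complete; the receiving kernel drops such a segment silently, while ICMP checksums are always computed in software. That cause is an assumption here, not something the post establishes. The script assumes Ethernet/IPv4/TCP frames captured on the victim with `tcpdump -w` (classic pcap, not pcapng); the MAC addresses and the sample SYN it constructs are made up for the demonstration, and only the IPs and port come from the post.

```python
"""Verify IPv4 and TCP checksums in raw Ethernet frames.

Added diagnostic for the inline-Snort question above (not code from the
post). Assumes frames captured on the victim; checks whether the TCP
checksum of an arriving SYN is complete or still an offload-partial value.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit one's complement sum of data into 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """RFC 1071 checksum as stored in an IP or TCP header."""
    return (~ones_complement_sum(data)) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Parse Ethernet/IPv4/TCP headers and verify both checksums.

    A header whose stored checksum is correct sums to 0xFFFF when the
    checksum field itself is included in the sum.
    """
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet/IPv4/TCP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    # TCP pseudo-header (RFC 793): src, dst, zero, protocol, TCP length.
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "sport": sport,
        "dport": dport,
        "syn": bool(tcp[13] & 0x02),
        "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0xFFFF,
        "tcp_checksum": struct.unpack("!H", tcp[16:18])[0],
        "tcp_checksum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
    }


def frames_from_pcap(path: str):
    """Yield Ethernet frames from a classic (non-pcapng) tcpdump -w file."""
    with open(path, "rb") as f:
        magic = f.read(24)[:4]  # global header; first 4 bytes give byte order
        little = magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")
        endian = "<" if little else ">"
        while True:
            rec = f.read(16)  # ts_sec, ts_usec, incl_len, orig_len
            if len(rec) < 16:
                return
            incl_len = struct.unpack(endian + "IIII", rec)[2]
            yield f.read(incl_len)


def build_syn(src_ip, dst_ip, sport, dport, seq, complete_tcp_checksum=True) -> bytes:
    """Construct a bare SYN frame (sample data, not a capture from the post)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    tcp_len = 20
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                         0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02,
                          64240, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)
    if complete_tcp_checksum:
        csum = checksum(pseudo + tcp_hdr)
    else:
        # What a Linux sender leaves in the field when TX checksum offload is
        # on: only the pseudo-header partial sum, for the NIC to complete.
        csum = ones_complement_sum(pseudo)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    # Constructed MACs, not the ones from the post's arp table.
    eth_hdr = bytes.fromhex("525400000020") + bytes.fromhex("525400000010") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + tcp_hdr


if __name__ == "__main__":
    for label, complete in (("complete checksum", True), ("offload-partial", False)):
        frame = build_syn("192.168.101.10", "192.168.101.20", 40000, 8080,
                          0x12345678, complete)
        print(label, parse_frame(frame))
```

To use it on a real capture, iterate `frames_from_pcap("victim.pcap")` and pass each frame to `parse_frame`; `tcp_checksum_ok` being False on the arriving SYN points at offload rather than at a Snort verdict (`tcpdump -vv` on the victim reports the same condition as "cksum ... (incorrect)"). If that is what shows up, `ethtool -K <iface> tx off` on the sending VM, and likewise on the inspector's eth1 and eth2, is the usual thing to try.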