与Suricata的回环

Question

有没有办法用Suricata来分析回环流量？

我是这样做的，但没有成功：

root@security-onion:/home/sar/TFM/alerts/suricata# suricata -c /etc/suricata/suricata.yaml -i lo -l . -k none
7/9/2018 -- 19:32:25 - <Notice> - This is Suricata version 4.0.5 RELEASE
7/9/2018 -- 19:32:29 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'lo': Operation not supported (95)
7/9/2018 -- 19:32:29 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
7/9/2018 -- 19:32:29 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than block size
7/9/2018 -- 19:32:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
7/9/2018 -- 19:32:29 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-lo failed

这是suricata配置文件：suricata.yaml

有什么暗示吗？

Answer 1

如果您想在Pcap活动模式下运行，那么应该从suricata文件：suricata.yaml中关闭AF_PACKET模式。

# Linux high speed capture support
af-packet:
  - interface: lo

由于af-数据包捕获模式导致错误，可能没有正确配置.

7/9/2018 -- 19:32:29 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error