Not all mirrored traffic detected by sensor

[rasulovk]

Question
Is it some can setup maltrail sensor in docker and configure detection for all traffic ?

Support
I do mirror all my internet traffic to maltrail sensor, but for some reason it is not detect if client is not same as docker host.
When I do capture on interface I see that traffic capturing inside docker

tcpdump -i enP1p49s0 -n | grep 136.161.101.53 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on enP1p49s0, link-type EN10MB (Ethernet), capture size 262144 bytes 16:54:53.162609 PPPoE [ses 0xf5d7] IP 100.65.87.152 > 136.161.101.53: ICMP echo request, id 1, seq 295, length 40 16:54:53.327258 PPPoE [ses 0xf5d7] IP 136.161.101.53 > 100.65.87.152: ICMP echo reply, id 1, seq 295, length 40

I doble check and disabled mirrored interface and try from docker host again to prove that detection works for SPAN port. Only when SPAN port enabled maltrail detect test "ping -n 1 136.161.101.53". Please advise what could be reason?

[MikhailKasimov]

Hello!

Check, please, is it the related issue: #19293 ?

[rasulovk]

Hi, very quick response :) no is not related to mentioned issue

[rasulovk]

[rasulovk]

Even my suricata see the traffic

Maybe sensor has issue with armv8 version?
I have pretty similar setup on x86 linux, traffic also SPAN from network device and I could see all the traffic .

[rasulovk]

I think I was wrong, when SPAN port is off and I execute ping from docker host I see alert, now is question why sensor not detect traffic from SPAN port? maybe it is parsing issue ? How I can debug the sensor?

[MikhailKasimov]

How I can debug the sensor?
https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L138

[rasulovk]

Can I see if it traffic not parsed correctly ?

[rasulovk]

nothing in console :(

[rasulovk]

I did investigation and find out that mirror port has different message structure rather than normal traffic:
Mirror port output (this not detected):
` tcpdump -n -i enP1p49s0 | grep 136.161.101.53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enP1p49s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

08:36:05.046677 PPPoE [ses 0xf5d7] IP 100.65.87.152 > 136.161.101.53: ICMP echo request, id 16648, seq 1, length 64

08:36:05.207349 PPPoE [ses 0xf5d7] IP 136.161.101.53 > 100.65.87.152: ICMP echo reply, id 16648, seq 1, length 64`

And output from eth0, docker host interface (this one detected):
` tcpdump -n -i eth0 | grep 136.161.101.53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

08:36:26.050791 IP 10.9.10.202 > 136.161.101.53: ICMP echo request, id 16649, seq 1, length 64

08:36:26.212243 IP 136.161.101.53 > 10.9.10.202: ICMP echo reply, id 16649, seq 1, length 64`

Can u please check maybe how to may check if Mirrored traffic parsed correctly ?

[stamparm]

@rasulovk please capture that traffic (as far as i understand, inside the Docker container there is a problem) and provide back the PCAP - any ping or anything would do. I'll inspect if Maltrail is able to properly process it.

furthermore, basic test would be to run the sensor.py --console and then inside the docker dig or ping to the known conficker domain (e.g. dig yeszvf.com)

[rasulovk]

@stamparm Thanks a lot for succession, when I do ping from host itself I see the logs:
Maltrail (sensor) #v0.78 {https://maltrail.github.io}

[*] starting @ 19:07:18 /2025-02-05/

[i] using configuration file '/tmp/maltrail/maltrail.conf'
[i] using '/var/log/maltrail' for log storage
[i] using '/root/.maltrail/trails.csv' for trail storage (last modification: 'Wed, 05 Feb 2025 04:13:06 GMT')
[i] loading trails...
[i] 1,222,102 trails loaded
[i] opening interface 'enP1p49s0'
[i] opening interface 'eth0'
[i] setting capture filter 'udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))'
[i] preparing capture buffer...
[i] created 1 more processes (out of total 2)
[^] running...

"2025-02-05 19:12:17.770726" node02-rk1 10.9.10.202 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)

But nothing detected from SPAN port, I will capture pcap now and paste it here

[rasulovk]

I want appreciate for help, it might be only my case, because I collect traffic from WAN interface of router, in case of fixing code related my issue will take a long time, just ignore my request :) I will close the issue:
https://github.com/rasulovk/blockalldns/raw/refs/heads/main/span.pcap