[Oisf-devel] PF_RING, VLAN, and flow tracking

Tritium Cat tritium.cat at gmail.com
Sun May 5 01:23:41 UTC 2013


I'm having trouble running Suricata and I think it might be due to VLAN

The environment has a different VLAN for each direction of traffic so the
standard PF_RING clustering mode is not suitable.

I patched runmode-pfring.c and source-pfring.h to allow a different
cluster_type of "cluster_flow_5_tuple"; this setting uses PF_RINGs
"cluster_per_flow_5_tuple" defined in kernel/linux/pf_ring.h.  Those
patches are attached to this email.

Before this change I saw many many errors about invalid PPP packets and
other similar bad things; afterwards I see lots of errors about invalid ACK
and wrong direction.  Now I'm thinking maybe there is something wrong with
the flow tracking and VLAN tags.  I read this mailing list discussion [1]
about VLAN tags and flow tracking but I'm not sure at the moment how that
applies to suricata-1.4.1... I think I may need to apply the patch which
appears to force all flows into VLAN 0 ?

Maybe my configuration is at fault, I've attached it to this email as well.

tl;dr -- Ultimately I want to ignore the VLANs.  [1] mentioned something
about a global switch to disable VLAN consideration.. how does the current
suricata-1.4.1 code handle them ?  Should I apply the patch ?

Thanks for the help and software.




05/04/2013-15:26:45.676424  [**] [1:2210029:1] SURICATA STREAM ESTABLISHED
invalid ack [**] [Classification: (null)] [Priority: 3] {TCP}

05/04/2013-15:26:37.302138  [**] [1:2210000:1] SURICATA STREAM 3way
handshake with ack in wrong dir [**] [Classification: (null)] [Priority: 3]

05/04/2013-15:26:45.676427  [**] [1:2210045:1] SURICATA STREAM Packet with
invalid ack [**] [Classification: (null)] [Priority: 3] {TCP}

778:typedef enum {
779:  cluster_per_flow = 0,     /* 6-tuple: <src ip, src port, dst ip, dst
port, proto, vlan>  */
780:  cluster_round_robin,
781:  cluster_per_flow_2_tuple, /* 2-tuple: <src ip,           dst ip
                >  */
782:  cluster_per_flow_4_tuple, /* 4-tuple: <src ip, src port, dst ip, dst
port             >  */
783:  cluster_per_flow_5_tuple, /* 5-tuple: <src ip, src port, dst ip, dst
port, proto      >  */
784:  cluster_per_flow_tcp_5_tuple, /* 5-tuple only with TCP, 2 tuple with
all other protos   */
785:} cluster_type;
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20130504/0b18b3eb/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: runmode-pfring.c.patch
Type: application/octet-stream
Size: 1224 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20130504/0b18b3eb/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: source-pfring.h.patch
Type: application/octet-stream
Size: 360 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20130504/0b18b3eb/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.yaml
Type: application/octet-stream
Size: 33060 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20130504/0b18b3eb/attachment-0005.obj>

More information about the Oisf-devel mailing list