[Oisf-devel] PF_RING, VLAN, and flow tracking

Victor Julien victor at inliniac.net
Fri May 17 07:01:36 UTC 2013


On 05/05/2013 03:23 AM, Tritium Cat wrote:
> Hi.
> 
> I'm having trouble running Suricata and I think it might be due to VLAN
> tagging.
> 
> The environment has a different VLAN for each direction of traffic so
> the standard PF_RING clustering mode is not suitable.
> 
> I patched runmode-pfring.c and source-pfring.h to allow a different
> cluster_type of "cluster_flow_5_tuple"; this setting uses PF_RING's
> "cluster_per_flow_5_tuple" defined in kernel/linux/pf_ring.h.  Those
> patches are attached to this email.
> 
> Before this change I saw many many errors about invalid PPP packets and
> other similar bad things; afterwards I see lots of errors about invalid
> ACK and wrong direction.  Now I'm thinking maybe there is something
> wrong with the flow tracking and VLAN tags.  I read this mailing list
> discussion [1] about VLAN tags and flow tracking but I'm not sure at the
> moment how that applies to suricata-1.4.1... I think I may need to apply
> the patch which appears to force all flows into VLAN 0 ?
> 
> Maybe my configuration is at fault, I've attached it to this email as well.
> 
> tl;dr -- Ultimately I want to ignore the VLANs.  [1] mentioned something
> about a global switch to disable VLAN consideration... how does the
> current suricata-1.4.1 code handle them ?  Should I apply the patch ?

In 1.4.1 Suricata decodes the vlan layer but doesn't do anything with
the vlan id. So it pretty much ignores vlans. This can cause issues as
it won't be able to distinguish flows with identical 5-tuples. This may
also explain the alerts you get...

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
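As an added illustration (not code from this thread or from Suricata itself) of what "ignoring the vlan id" means for flow tracking, the following is a minimal direction-independent flow-key builder with the VLAN id optionally included. It covers both situations raised above: the poster's one-VLAN-per-direction setup, and two unrelated connections with identical 5-tuples on different VLANs. All struct names, addresses and ports are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Header fields a flow tracker keys on (constructed; not Suricata's structs). */
typedef struct {
    uint32_t src_ip, dst_ip;        /* IPv4 addresses as integers */
    uint16_t src_port, dst_port;
    uint8_t  proto;                 /* 6 = TCP */
    uint16_t vlan_id;               /* 0 = untagged */
} PacketKey;

/* Direction-independent flow key: endpoints sorted so A->B and B->A match. */
typedef struct {
    uint32_t ip_lo, ip_hi;
    uint16_t port_lo, port_hi;
    uint8_t  proto;
    uint16_t vlan_id;               /* 0 when the VLAN id is ignored */
} FlowKey;

/* use_vlan=false mirrors the 1.4.1 behaviour described above: the tag is
 * decoded but takes no part in flow lookup. use_vlan=true adds it to the key. */
FlowKey flow_key(const PacketKey *p, bool use_vlan) {
    FlowKey k = { .proto = p->proto, .vlan_id = use_vlan ? p->vlan_id : 0 };
    bool src_first = p->src_ip < p->dst_ip ||
                     (p->src_ip == p->dst_ip && p->src_port <= p->dst_port);
    k.ip_lo   = src_first ? p->src_ip   : p->dst_ip;
    k.ip_hi   = src_first ? p->dst_ip   : p->src_ip;
    k.port_lo = src_first ? p->src_port : p->dst_port;
    k.port_hi = src_first ? p->dst_port : p->src_port;
    return k;
}

/* Field-wise compare, so struct padding cannot influence the result. */
bool same_flow(const PacketKey *a, const PacketKey *b, bool use_vlan) {
    FlowKey ka = flow_key(a, use_vlan), kb = flow_key(b, use_vlan);
    return ka.ip_lo == kb.ip_lo && ka.ip_hi == kb.ip_hi &&
           ka.port_lo == kb.port_lo && ka.port_hi == kb.port_hi &&
           ka.proto == kb.proto && ka.vlan_id == kb.vlan_id;
}

/* Constructed packets. Case 1, the poster's setup: request on VLAN 10, reply
 * on VLAN 20. With the tag in the key the two directions land in different
 * flows, so a per-flow-and-VLAN key would break this setup. */
const PacketKey REQ_VLAN10 = { 0x0A000001, 0xC0A80105, 40000, 80, 6, 10 };
const PacketKey REP_VLAN20 = { 0xC0A80105, 0x0A000001, 80, 40000, 6, 20 };
/* Case 2: an unrelated connection on VLAN 20 with an identical 5-tuple
 * (overlapping private addressing). With the tag ignored it is merged into
 * the VLAN 10 flow, which is the collision Victor describes. */
const PacketKey OTHER_VLAN20 = { 0x0A000001, 0xC0A80105, 40000, 80, 6, 20 };
```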
