[Oisf-users] Issues with Application Layer Filtering
Jason Batchelor
jxbatchelor at gmail.com
Fri Jun 6 20:14:40 UTC 2014
Hello:
After having no luck with PF_RING (see email on File Extraction Woes) I
decided to recompile a new kernel (3.14.5) on my CentOS machine and give
AF_PACKET a shot. I am happy to report that the total loss is at a much
more manageable level.
Unfortunately, I seemed to have encountered a different issue concerning
filtering and alerting at the application layer. Suri seems to have a
difficult time working with HTTP rules I create as well as logging when run
on the wire.
For example, take the following rule...
alert tcp any any -> 216.34.181.45 any (msg:"This is a test TCP Rule";
flow:established,to_server; content:"slashdot.org"; http_header; sid:9998;
rev:1;)
When running Suri on the wire. This alert will simply not fire at all.
Moreover, I notice on several occasions the requests are not logged
properly to http.log. This of course, has an amplifying effect on file
extraction where samples are truncated at best, and at worst not ever
logged.
I decided to test things by taking the same data as a pcap, and running it
against Suri...
/usr/bin/suricata -c /etc/suricata/suricata.yaml --runmode single -r
slashdot.pcap
At this point, Suri does detect on the traffic in the PCAP.
So it would seem the issue is isolated to traffic on the wire. I decided to
check the following parameters to see if there were any issues...
Example thread (1 of 16).
capture.kernel_packets | AFPacketp4p21 | 60645314
capture.kernel_drops | AFPacketp4p21 | 71483
tcp.segment_memcap_drop | AFPacketp4p21 | 0
tcp.reassembly_memuse | AFPacketp4p21 | 1306325000
decoder.invalid | AFPacketp4p21 | 0
Seems fine to me, and the rest of the threads are more/less the same.
Now if I take a non application layer rule, like a simple ICMP rule below...
alert icmp $MY_IP_ADDRESS any -> any any (msg:"This is a test ICMP Rule";
sid:9999; rev:1;)
I hit reliably both on the wire and on a pcap. This is why I feel there has
to be some issue with application layer processing. I am somewhat perplexed
by this and seek any guidance those with more experience may be able to
give. Thanks in advance!
Here are some additional config attributes that might be helpful.
== Suri Config==
runmode: workers
host-mode: sniffer-only
default-packet-size: 9000
## Stream Settings ##
stream:
memcap: 1gb
checksum-validation: no
prealloc-sessions: 10000000
inline: no
reassembly:
memcap: 2gb
depth: 6mb # reassemble 1mb into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes
#randomize-chunk-range: 10
#raw: yes
chunk-prealloc: 100000
segments:
- size: 4
prealloc: 100000
- size: 16
prealloc: 100000
- size: 112
prealloc: 500000
- size: 248
prealloc: 250000
- size: 512
prealloc: 100000
- size: 768
prealloc: 50000
- size: 1448
prealloc: 300000
- size: 65535
prealloc: 3000
### Flow Timeouts Snip ###
tcp:
new: 60
established: 120
closed: 30
emergency-new: 10
emergency-established: 10
emergency-closed: 10
### Flow ###
flow:
memcap: 1gb
hash-size: 1048576
prealloc: 1048576
emergency-recovery: 30
### Detect Engine ###
detect-engine:
- profile: custom
- custom-values:
toclient-src-groups: 200
toclient-dst-groups: 200
toclient-sp-groups: 200
toclient-dp-groups: 300
toserver-src-groups: 200
toserver-dst-groups: 400
toserver-sp-groups: 200
toserver-dp-groups: 250
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
Using the following hardware:
== Hardware Specs ==
CPU: Intel Xeon CPU @ 2.40Ghz x 32
RAM: 48G
NIC:
*-network:1
description: Ethernet interface
product: Ethernet 10G 2P X520 Adapter
vendor: Intel Corporation
physical id: 0.1
bus info: pci at 0000:42:00.1
logical name: p4p2
version: 01
serial: a0:36:9f:07:ec:02
capacity: 1GB/s
width: 64 bits
clock: 33MHz
capabilities: pm msi msix pciexpress vpd bus_master cap_list rom
ethernet physical fibre 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=ixgbe
driverversion=3.19.1-k duplex=full firmware=0x8000030d latency=0 link=yes
multicast=yes port=fibre
resources: irq:76 memory:d0f00000-d0f7ffff ioport:7ce0(size=32)
memory:d0ffc000-d0ffffff memory:d1100000-d117ffff memory:d1380000-d147ffff
memory:d1480000-d157ffff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140606/3aa28a28/attachment.html>
More information about the Oisf-users
mailing list