[Oisf-users] Utilizing NetMap-Suricata on FreeBSD
Shane Boissevain
shaneboissevain at gmail.com
Fri Oct 23 15:44:57 UTC 2015
Howdy!
I'm attempting to utilize FreeBSD 10.1, Suricata 2.1beta4, and NetMap to
obtain an inline 10gb/s IDS. I have successfully:
1) setup FreeBSD as a layer 2 bridge (via ifconfig)
2) installed NetMap, confirming it works as expected
3) compiled and installed Suricata with NetMap support
I'm able to do any of 1, 2, or 3 - However, I seem to be unable to get all
three working simultaneously. While the bridge is up, turning on suricata
in NetMap=ix0 mode disables the passing of traffic. I can run suricata on
the bridge (not in NetMap mode) and get the expected result.
My next step was to try to use NetMap's bridge program in
/usr/src/tools/tools/netmap via:
# ./vale-ctl -n b0
# ./vale-ctl -n b1
# ./vale-ctl -a vale0:b0
# ./vale-ctl -a vale0:ix0
# ./vale-ctl -a vale1:b1
# ./vale-ctl -a vale1:ix1
# ./bridge -i netmap:ix0 -i netmap:ix1
At this point i now have a successful netmap-only bridge, that passes
traffic regardless of the status of FreeBSD's bridge. by running Suricata
with --netmap=b0 I'm able to inspect traffic at the expected rate with a 0%
drop rate from Suricata....but my passing of the traffic is spotty at best.
~1 to 2 dropped packets (inspected, but not passed) per 30 pings minimum.
At worst it can be closer to 25 out of 30 dropped pings.
My questions are:
1) Has anyone done this before?
2) Am i going about this all wrong?
3) What should be my next step in moving forward, or is this just a waste
of energy at this time.
Sincerely,
Shane Boissevain
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151023/d4b1f33b/attachment.html>
More information about the Oisf-users
mailing list