[Oisf-users] [FORGED] [FORGED] Broadcom NetXtreme II BCM5709 NIC

Russell Fulton r.fulton at auckland.ac.nz
Tue Oct 20 23:53:29 UTC 2015


> On 21 Oct 2015, at 12:41, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> 
> So you are not running IPS mode of any sort because I only see one interface in your script?  I don't think offloading affects IDS mode.

Yes, just IDS.   My understanding is that the offloading affects both.  I get warnings unless I disable it.

I could well be wrong on that!

R

> 
> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz] 
> Sent: Tuesday, October 20, 2015 6:25 PM
> To: Leonard Jacobs
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] [FORGED] [FORGED] Broadcom NetXtreme II BCM5709 NIC
> 
> 
>> On 21 Oct 2015, at 12:15, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
>> 
>> There is more than one offloading setting that needs to be disabled.
> 
> Here is my script, which puppet builds for each sensor:
> 
> #!/bin/bash
> ethtool -K eth3 tso off
> ethtool -K eth3 gro off
> ethtool -K eth3 ufo off
> ethtool -K eth3 lro off
> ethtool -K eth3 gso off
> ethtool -K eth3 rx off
> ethtool -K eth3 tx off
> ethtool -K eth3 sg off
> ethtool -K eth3 rxvlan off
> ethtool -K eth3 txvlan off
> ethtool -N eth3 rx-flow-hash udp4 sdfn
> ethtool -N eth3 rx-flow-hash udp6 sdfn
> ethtool -C eth3 rx-usecs 1 rx-frames 0
> ethtool -C eth3 adaptive-rx off
> 
> which gets run on setup and in cron to run after each reboot.  ;)
> 
> If I have missed something I would love to know!
> 
> Russell
> 
>> 
>> -----Original Message-----
>> From: oisf-users-bounces at lists.openinfosecfoundation.org 
>> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf 
>> Of Russell Fulton
>> Sent: Tuesday, October 20, 2015 3:28 PM
>> To: oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] [FORGED] [FORGED] Broadcom NetXtreme II 
>> BCM5709 NIC
>> 
>> Yet another update.
>> 
>> Thanks to Leonard and Duarte for their suggestions.
>> 
>> I had it running with -i eth3 and it worked but dropped lots of packets since there was just one capture thread.  Then puppet updated the rules and restarted suricata with the ‘standard’ setup (i.e. afpacket) and it worked just fine.  <shrug>  I am not sure what caused the original issue or what changed to resolve it.
>> 
>> I just checked when I turned off the offloading on the NIC and verified that it failed again after I had done that.
>> 
>> What is clear is that afpacket works fine with these NICs.
>> 
>> Russell
>> 
>>> On 20 Oct 2015, at 11:32, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>>> 
>>> Update on this:  I have just realised that I have an identical machine with Broadcom NICs which is working fine with afpacket — I don’t remember doing anything special to get it going.
>>> 
>>> So the question now becomes what is actually wrong here?
>>> 
>>> Russell
>>> 
>>>> On 20 Oct 2015, at 10:13, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>>>> 
>>>> Hi
>>>> 
>>>> I have just built an old Dell R610 which has Broadcom NICs as a suricata sensor, but when I start suri using AFpacket I get a bunch of errors:
>>>> 
>>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
>>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.460572] device eth3 entered promiscuous mode
>>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Invalid argument
>>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.507293] device eth3 left promiscuous mode
>>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.511313] device eth3 entered promiscuous mode
>>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Notice> - Signal Received.  Stopping engine.
>>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Invalid argument
>>>> Oct 19 00:30:03 secmonprd05 last message repeated 6 times
>>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>>>> Oct 19 00:30:03 secmonprd05 kernel: [618411.667074] device eth3 left promiscuous mode
>>>> Oct 19 00:30:03 secmonprd05 suricata: 19/10/2015 -- 00:30:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
>>>> Oct 19 00:30:03 secmonprd05 last message repeated 5 times
>>>> 
>>>> I conclude that I can't use afpacket with these NICs. 
>>>> 
>>>> I am now running using plain old -i eth3 but we are dropping lots of packets.
>>>> 
>>>> There are a number of options I can try (buy another nic, pf_ring) but thought I would check that there isn’t anything I can do to get afpacket to work with these NICs.
>>>> 
>>>> Russell
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: 
>>>> oisf-users at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Support: 
>>>> http://suricata-ids.org/support/
>>>> List: 
>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> Suricata User Conference November 4 & 5 in Barcelona: 
>>>> http://oisfevents.net
>>> 
>> 
>> 
> 
> 
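An added example, not part of the original messages: one way to confirm that the offloads the quoted `ethtool -K` script turns off are really off, by parsing `ethtool -k` output and listing any that are still `on`. The function names and the sample output are constructed for illustration; the feature names are the long names `ethtool -k` prints for the script's short flags.

```shell
#!/bin/bash
# Long feature names (as printed by `ethtool -k`) for the short flags the
# thread's script disables: rx tx sg tso ufo gso gro lro rxvlan txvlan.
WANT_OFF="rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload udp-fragmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload rx-vlan-offload tx-vlan-offload"

# Reads `ethtool -k <iface>` output on stdin and prints every feature from
# WANT_OFF that is still "on". A trailing "[fixed]" means the driver does not
# allow the setting to be changed, so `ethtool -K` cannot turn it off.
offloads_still_on() {
    awk -v want="$WANT_OFF" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) chk[w[i]] = 1 }
        {
            name = $1
            sub(/:$/, "", name)              # "generic-receive-offload:" -> name
            if ((name in chk) && $2 == "on")
                print name ($3 == "[fixed]" ? " [fixed]" : "")
        }'
}

# Constructed sample of `ethtool -k eth3` output (not taken from the thread):
# GRO was missed and rx-vlan-offload is pinned on by the driver.
sample_ethtool_k() {
    cat <<'EOF'
Features for eth3:
rx-checksumming: off
tx-checksumming: off
    tx-checksum-ipv4: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]
tx-vlan-offload: off
EOF
}

# Demo on the constructed sample. On a sensor, replace the left-hand side
# with: ethtool -k eth3
sample_ethtool_k | offloads_still_on
```

Empty output means every offload in the list is off; any line printed names a feature the capture interface still has enabled.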



