[Oisf-users] NETMAP guide - suricata.yaml

elof2 at sentor.se elof2 at sentor.se
Thu Apr 7 13:12:21 UTC 2016


So, I'll start with a bunch of "stupid" questions.
I'll put together your replies to a wiki-page for NETMAP.

##########################################################################

I copy the netmap section of suricata.yaml and insert my questions
inline:

> netmap:
>    # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
>  - interface: ix1

What is the actual difference between specifying "ix1" or "ix1+"?
With "ix1", the *physical* RX packets to ix1 are captured, while "ix1+" 
rather captures them from the kernel tcp/ip-stack?


>    # Number of receive threads. "auto" uses number of RSS queues on interface.
>    threads: auto
>
>    # You can use the following variables to activate netmap tap or IPS mode.
>    # If copy-mode is set to ips or tap, the traffic coming to the current
>    # interface will be copied to the copy-iface interface.

"If copy-mode is set to ips or tap" it says.
Are there any other copy-modes?

>    # If 'tap' is set, the copy is complete.
>    # If 'ips' is set, the packet matching a 'drop' action will not be copied.
>    # To specify the OS as the copy-iface (so the OS can route packets, or forward
>    # to a service running on the same machine) add a plus sign at the end
>    # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0
>    # for return packets. Hardware checksumming must be *off* on the interface if
>    # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD
>    # or 'ethtool -K eth0 tx off rx off' for Linux).
>    #copy-mode: tap
>    #copy-iface: ix1

In IDS mode, do we even need to specify any copy-interface?



In IPS mode, I guess this is how one would configure it?:
  - interface: default
    threads: auto
    copy-mode: ips
  - interface: ix0
    copy-iface: ix1
  - interface: ix1
    copy-iface: ix0



Again, what's the difference between "ix1" and "ix1+" here?
I imagine it has to do with either a *physical TX* on the copy-interface 
or passing the packet to the kernel tcp/ip stack for normal processing.



>    # Set to yes to disable promiscuous mode
>    # disable-promisc: no
>    # Choose checksum verification mode for the interface. At the moment
>    # of the capture, some packets may be with an invalid checksum due to
>    # offloading to the network card of the checksum computation.
>    # Possible values are:
>    #  - yes: checksum validation is forced
>    #  - no: checksum validation is disabled
>    #  - auto: suricata uses a statistical approach to detect when
>    #  checksum off-loading is used.
>    # Warning: 'checksum-validation' must be set to yes to have any validation
>    #checksum-checks: auto
>    # BPF filter to apply to this interface. The pcap filter syntax apply here.
>    #bpf-filter: port 80 or udp
>  #- interface: eth3
>    #threads: auto
>    #copy-mode: tap
>    #copy-iface: eth2
>    # Put default values here
>  - interface: default

If you run suricata in IDS mode and you specify multiple sniffer 
interfaces (ix0 and ix1) in the netmap section in suricata.yaml...

a)
Will suricata sniff on all interfaces simultaneously?

b)
If the sensor receives a mirrored SYN packet on ix0 queue 2 and the
corresponding SYN-ACK is mirrored to ix1 queue 3, will everything work
fine in suricata, building the state/flow/stream correctly even though
the SYN and SYN-ACK (and the rest of the connection) are received on
different sniffer interfaces?


/Elof






On Thu, 10 Mar 2016, elof2 at sentor.se wrote:

> Hi all, especially FreeBSD users.
>
> In the docs directory there's an old textfile for FreeBSD 8.
>
> I would greatly appreciate if the FreeBSD users merged together an updated 
> textfile with hints, tips and tricks for FreeBSD 10.x/11.x, with the new 
> NETMAP support.
>
>
>
> Examples of topics I'd like:
>
> What hardware (NICs) is known to work well?
>
> rc.conf
> - give examples and explain that e.g. options "-lro" and "monitor" should be 
> used (for IDS mode)
>
>
> What tweaks to put in /etc/sysctl.conf (and /boot/loader.conf???).
> - net.bpf.zerocopy_enable=1 ?
> - net.bpf.maxbufsize= huge number? How large? 15% of total RAM?
> - kern.ipc.maxsockbuf? kern.threads.max_threads_per_proc? dev.ix.0.fc=0? - 
> etc
>
>
> What config/tweaks to put in suricata.yaml
> - specifically for NETMAP
> - Mapping CPUs to queues
> - recommended runmode
> - etc
>
>
>
> If you people can feed me your thoughts and experiences, I'm happy to put 
> together a new textfile (FreeBSD.NETMAP.txt) for the docs dir.
>
>
>
>
> It's time to show the world that linux+PF-RING isn't the only way to go.
>
> /Elof
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: 
> http://oisfevents.net

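Added example, not part of Elof's post or of Suricata itself: a small checker for the rules the suricata.yaml comments above state about the netmap section, namely that copy-mode is only ever 'ips' or 'tap', that every copy-iface needs a symmetrical reverse entry (including the 'eth0+' -> 'eth0' OS-endpoint pair), and that hardware checksumming must be off on any NIC that has an OS endpoint. The netmap lists below are constructed samples in the shape a YAML parser returns for the 'netmap:' key (the IPS pair mirrors the layout proposed in the post); treating values on the 'interface: default' entry as fallbacks for the other entries is an assumption of this checker, not a statement about how Suricata resolves its config.

```python
"""Sanity-check a parsed suricata.yaml 'netmap:' list (added example)."""

VALID_COPY_MODES = {"ips", "tap"}   # the only copy-modes the yaml comments name


def is_os_endpoint(name):
    """'eth0+' is the OS (kernel stack) endpoint of eth0; 'eth0' is the NIC ring."""
    return name.endswith("+")


def checksum_off_command(iface, os_family):
    """Command the yaml comment gives for turning hardware checksumming off."""
    phys = iface.rstrip("+")
    if os_family == "freebsd":
        return f"ifconfig {phys} -rxcsum -txcsum -rxcsum6 -txcsum6"
    return f"ethtool -K {phys} tx off rx off"


def check_netmap(netmap, os_family="freebsd"):
    """Return (problems, commands) for a netmap list.

    problems: human-readable config errors found.
    commands: checksum-offload commands required because an OS endpoint is used.
    Assumption (not Suricata's documented behaviour): keys on the
    'interface: default' entry act as fallbacks for every other entry.
    """
    defaults = next((e for e in netmap if e.get("interface") == "default"), {})
    problems, copies = [], {}

    for entry in netmap:
        iface = entry.get("interface")
        if iface is None or iface == "default":
            continue
        mode = entry.get("copy-mode", defaults.get("copy-mode"))
        target = entry.get("copy-iface", defaults.get("copy-iface"))
        if mode is not None and mode not in VALID_COPY_MODES:
            problems.append(f"{iface}: copy-mode {mode!r} is not 'ips' or 'tap'")
        if (mode is None) != (target is None):
            problems.append(f"{iface}: copy-mode and copy-iface must be set together")
        if mode in VALID_COPY_MODES and target is not None:
            copies[iface] = target

    # "Don't forget to set up a symmetrical eth0+ -> eth0 for return packets":
    # every A -> B copy needs a matching B -> A entry, OS endpoints included.
    for src, dst in copies.items():
        if copies.get(dst) != src:
            problems.append(f"{src} -> {dst}: no symmetric {dst} -> {src} entry")

    # Hardware checksumming must be *off* on any NIC that has an OS endpoint.
    commands = sorted({checksum_off_command(n, os_family)
                       for n in set(copies) | set(copies.values())
                       if is_os_endpoint(n)})
    return problems, commands


# Constructed samples (the IPS pair follows the layout proposed in the post).
IPS_PAIR = [
    {"interface": "default", "threads": "auto", "copy-mode": "ips"},
    {"interface": "ix0", "copy-iface": "ix1"},
    {"interface": "ix1", "copy-iface": "ix0"},
]
ONE_WAY = [                       # broken: ix1 never copies back to ix0
    {"interface": "default", "copy-mode": "tap"},
    {"interface": "ix0", "copy-iface": "ix1"},
    {"interface": "ix1"},
]
OS_ENDPOINT = [                   # inline IPS between the NIC and the kernel stack
    {"interface": "eth0", "copy-mode": "ips", "copy-iface": "eth0+"},
    {"interface": "eth0+", "copy-mode": "ips", "copy-iface": "eth0"},
]

if __name__ == "__main__":
    for label, cfg in (("ips pair", IPS_PAIR), ("one way", ONE_WAY),
                       ("os endpoint", OS_ENDPOINT)):
        problems, commands = check_netmap(cfg)
        print(label, "problems:", problems, "run first:", commands)
```

To use it on a real file, load the section with a YAML parser (for example PyYAML's `yaml.safe_load(open("suricata.yaml"))["netmap"]`) and pass the resulting list; the checker only reasons about the copy-mode/copy-iface keys and leaves threads, bpf-filter and checksum-checks alone.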
