[Oisf-users] Suricata, traffic not passing (PF_RING)

Romagnoli Andrea andrea.romagnoli at it.telecomitalia.it
Mon Jul 4 15:21:44 UTC 2016


Hello everyone. We installed Suricata 3.1 (stable) with PF_RING 6.4.0 on a server with Ubuntu 14.04.1, and our aim is to try Suricata in inline IPS mode.
On our server we have a management interface (p1p1), and two interfaces linked to IXIA Breaking Point (IN: p4p1, OUT: p4p2), configured as follows (cat /etc/network/interfaces):

auto lo
iface lo inet loopback

# The primary network interface
auto p1p1
iface p1p1 inet static
address XXX.XXX.XXX.XXX
netmask 255.255.255.0
network XXX.XXX.XXX.XXX
gateway XXX.XXX.XXX.XXX
dns-nameservers XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
dns-namesearch YYYYYYYYY

# TRAFFIC_IN
auto p4p1
iface p4p1 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE promisc on
    post-up ethtool -K $IFACE gro off
    post-up ethtool -K $IFACE lro off
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
    mtu 1500

# TRAFFIC_OUT
auto p4p2
iface p4p2 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE promisc on
    post-up ethtool -K $IFACE gro off
    post-up ethtool -K $IFACE lro off
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
    mtu 1500

We tried both with standard ixgbe and PF_RING ZC's ixgbe Intel drivers, but apparently something is going wrong.
In fact Suricata starts without errors, but the traffic doesn't reach the p4p2 interface.

$ sudo suricata -c /etc/suricata/suricata.yaml --pfring -v
4/7/2016 -- 16:06:21 - <Notice> - This is Suricata version 3.1 RELEASE
4/7/2016 -- 16:06:21 - <Info> - CPUs/cores online: 40
4/7/2016 -- 16:06:21 - <Info> - Found an MTU of 1500 for 'p4p1'
4/7/2016 -- 16:06:21 - <Info> - Found an MTU of 1500 for 'p4p2'
4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/botcc.rules
4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/ciarmy.rules
4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/compromised.rules
4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/drop.rules
4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/dshield.rules
4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/emerging-attack_response.rules
4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/emerging-chat.rules
4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/emerging-current_events.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-dns.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-dos.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-exploit.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-ftp.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-imap.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-malware.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-misc.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-mobile_malware.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-netbios.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-p2p.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-policy.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-pop3.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-rpc.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-scada.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-scan.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-smtp.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-snmp.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-sql.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-telnet.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-tftp.rules
4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-trojan.rules
4/7/2016 -- 16:06:23 - <Info> - Loading rule file: /etc/suricata/rules/emerging-user_agents.rules
4/7/2016 -- 16:06:23 - <Info> - Loading rule file: /etc/suricata/rules/emerging-voip.rules
4/7/2016 -- 16:06:23 - <Info> - Loading rule file: /etc/suricata/rules/emerging-web_client.rules
4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/emerging-web_server.rules
4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/emerging-worm.rules
4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/tor.rules
4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/http-events.rules
4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/smtp-events.rules
4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/tls-events.rules
4/7/2016 -- 16:06:24 - <Info> - 38 rule files processed. 12426 rules successfully loaded, 0 rules failed
4/7/2016 -- 16:06:24 - <Info> - 12434 signatures processed. 1215 are IP-only rules, 5005 are inspecting packet payload, 7829 inspect application layer, 0 are decoder event only
4/7/2016 -- 16:06:25 - <Info> - Threshold config parsed: 0 rule(s) found
4/7/2016 -- 16:06:25 - <Info> - fast output device (regular) initialized: fast.log
4/7/2016 -- 16:06:25 - <Info> - eve-log output device (regular) initialized: eve.json
4/7/2016 -- 16:06:25 - <Info> - stats output device (regular) initialized: stats.log
4/7/2016 -- 16:06:25 - <Info> - Using 2 live device(s).
4/7/2016 -- 16:06:25 - <Info> - Using flow cluster mode for PF_RING (iface p4p1)
4/7/2016 -- 16:06:25 - <Info> - (RX#01-p4p1) Using PF_RING v.6.5.0, interface p4p1, cluster-id 99, single-pfring-thread
4/7/2016 -- 16:06:25 - <Info> - Using flow cluster mode for PF_RING (iface p4p2)
4/7/2016 -- 16:06:25 - <Info> - (RX#01-p4p2) Using PF_RING v.6.5.0, interface p4p2, cluster-id 93, single-pfring-thread
4/7/2016 -- 16:06:25 - <Info> - RunModeIdsPfringAutoFp initialised
4/7/2016 -- 16:06:25 - <Notice> - all 42 packet processing threads, 4 management threads initialized, engine started.
^C4/7/2016 -- 16:07:09 - <Notice> - Signal Received.  Stopping engine.
4/7/2016 -- 16:07:09 - <Info> - time elapsed 44.118s
4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p1) Kernel: Packets 18, dropped 0
4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p1) Packets 18, bytes 1080
4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p2) Kernel: Packets 0, dropped 0
4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p2) Packets 0, bytes 0
4/7/2016 -- 16:07:10 - <Info> - cleaning up signature grouping structure... complete
4/7/2016 -- 16:07:10 - <Notice> - Stats for 'p4p1':  pkts: 18, drop: 0 (0.00%), invalid chksum: 0
4/7/2016 -- 16:07:10 - <Notice> - Stats for 'p4p2':  pkts: 0, drop: 0 (-nan%), invalid chksum: 0

Please note that in the same testbed we are able to run Snort (+ PF_RING) with traffic going through p4p1 --> p4p2, so we suspect that there could be a problem with the integration of Suricata with PF_RING, or with Suricata itself.

Thanks in advance for any help you are kind enough to provide.

Best Regards,
Andrea
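
Added example (not part of the original post, and not Suricata project code): a small Python parser for the engine output quoted above. It extracts the runmode, the PF_RING version and cluster-id each capture thread logs, and the final per-interface counters, then lists interfaces that were opened for capture but saw no packets. The function names are hypothetical; the sample is an excerpt of the log in the post.

```python
import re

# Excerpt of the Suricata 3.1 output quoted in the post above.
SAMPLE_LOG = """\
4/7/2016 -- 16:06:25 - <Info> - (RX#01-p4p1) Using PF_RING v.6.5.0, interface p4p1, cluster-id 99, single-pfring-thread
4/7/2016 -- 16:06:25 - <Info> - (RX#01-p4p2) Using PF_RING v.6.5.0, interface p4p2, cluster-id 93, single-pfring-thread
4/7/2016 -- 16:06:25 - <Info> - RunModeIdsPfringAutoFp initialised
4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p1) Kernel: Packets 18, dropped 0
4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p2) Kernel: Packets 0, dropped 0
4/7/2016 -- 16:07:10 - <Notice> - Stats for 'p4p1':  pkts: 18, drop: 0 (0.00%), invalid chksum: 0
4/7/2016 -- 16:07:10 - <Notice> - Stats for 'p4p2':  pkts: 0, drop: 0 (-nan%), invalid chksum: 0
"""

RUNMODE = re.compile(r"- (RunMode\w+) initialised")
CAPTURE = re.compile(r"\(RX#\d+-[^)]+\) Using PF_RING v\.([\d.]+), "
                     r"interface ([^,\s]+), cluster-id (\d+)")
STATS = re.compile(r"Stats for '([^']+)':\s+pkts: (\d+), drop: (\d+)")


def parse_suricata_log(text):
    """Extract runmode, PF_RING capture setup and final per-interface counters."""
    report = {"runmode": None, "captures": {}, "stats": {}}
    for line in text.splitlines():
        if (m := RUNMODE.search(line)):
            report["runmode"] = m.group(1)
        elif (m := CAPTURE.search(line)):
            version, iface, cluster = m.groups()
            report["captures"][iface] = {"pfring": version,
                                         "cluster_id": int(cluster)}
        elif (m := STATS.search(line)):
            iface, pkts, drop = m.groups()
            report["stats"][iface] = {"pkts": int(pkts), "drop": int(drop)}
    return report


def silent_interfaces(report):
    """Interfaces opened for capture that ended the run with 0 packets."""
    return sorted(iface for iface in report["captures"]
                  if report["stats"].get(iface, {}).get("pkts", 0) == 0)


if __name__ == "__main__":
    r = parse_suricata_log(SAMPLE_LOG)
    print("runmode:", r["runmode"])
    for iface, cap in r["captures"].items():
        print(iface, cap, r["stats"].get(iface))
    print("no packets seen on:", silent_interfaces(r))
```

On the post's output this reports p4p2 as the only interface with no packets, and shows the PF_RING version the engine logged at startup (v.6.5.0) next to each cluster-id.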