[Oisf-users] Suricata, traffic not passing (PF_RING)
Victor Julien
lists at inliniac.net
Mon Jul 4 15:29:34 UTC 2016
On 04-07-16 17:21, Romagnoli Andrea wrote:
> Hello everyone. We installed Suricata 3.1 (stable) with PF_RING 6.4.0 on
> a server with Ubuntu 14.04.1, and our aim is to try Suricata in inline
> IPS mode.
>
> On our server we have a management interface (p1p1), and two interfaces
> linked to IXIA Breaking Point (IN: p4p1, OUT: p4p2), configured as
> follows (cat /etc/network/interfaces):
>
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> auto p1p1
> iface p1p1 inet static
> address XXX.XXX.XXX.XXX
> netmask 255.255.255.0
> network XXX.XXX.XXX.XXX
> gateway XXX.XXX.XXX.XXX
> dns-nameservers XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
> dns-namesearch YYYYYYYYY
>
> # TRAFFIC_IN
> auto p4p1
> iface p4p1 inet manual
> up ifconfig $IFACE 0.0.0.0 up
> up ip link set $IFACE promisc on
> post-up ethtool -K $IFACE gro off
> post-up ethtool -K $IFACE lro off
> down ip link set $IFACE promisc off
> down ifconfig $IFACE down
> mtu 1500
>
> # TRAFFIC_OUT
> auto p4p2
> iface p4p2 inet manual
> up ifconfig $IFACE 0.0.0.0 up
> up ip link set $IFACE promisc on
> post-up ethtool -K $IFACE gro off
> post-up ethtool -K $IFACE lro off
> down ip link set $IFACE promisc off
> down ifconfig $IFACE down
> mtu 1500
>
> We tried both with standard ixgbe and PF_RING ZC's ixgbe Intel drivers,
> but apparently something is going wrong.
>
> In fact Suricata starts without errors, but the traffic doesn't reach
> the p4p2 interface.
>
> $ sudo suricata -c /etc/suricata/suricata.yaml --pfring -v
>
> 4/7/2016 -- 16:06:21 - <Notice> - This is Suricata version 3.1 RELEASE
> 4/7/2016 -- 16:06:21 - <Info> - CPUs/cores online: 40
> 4/7/2016 -- 16:06:21 - <Info> - Found an MTU of 1500 for 'p4p1'
> 4/7/2016 -- 16:06:21 - <Info> - Found an MTU of 1500 for 'p4p2'
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/botcc.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/ciarmy.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/compromised.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/drop.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/dshield.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/emerging-attack_response.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/emerging-chat.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/emerging-current_events.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-dns.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-dos.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-exploit.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-ftp.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-imap.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-malware.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-misc.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-mobile_malware.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-netbios.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-p2p.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-policy.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-pop3.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-rpc.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-scada.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-scan.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-smtp.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-snmp.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-sql.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-telnet.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-tftp.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-trojan.rules
> 4/7/2016 -- 16:06:23 - <Info> - Loading rule file: /etc/suricata/rules/emerging-user_agents.rules
> 4/7/2016 -- 16:06:23 - <Info> - Loading rule file: /etc/suricata/rules/emerging-voip.rules
> 4/7/2016 -- 16:06:23 - <Info> - Loading rule file: /etc/suricata/rules/emerging-web_client.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/emerging-web_server.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/emerging-worm.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/tor.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/http-events.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/smtp-events.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/tls-events.rules
> 4/7/2016 -- 16:06:24 - <Info> - 38 rule files processed. 12426 rules successfully loaded, 0 rules failed
> 4/7/2016 -- 16:06:24 - <Info> - 12434 signatures processed. 1215 are IP-only rules, 5005 are inspecting packet payload, 7829 inspect application layer, 0 are decoder event only
> 4/7/2016 -- 16:06:25 - <Info> - Threshold config parsed: 0 rule(s) found
> 4/7/2016 -- 16:06:25 - <Info> - fast output device (regular) initialized: fast.log
> 4/7/2016 -- 16:06:25 - <Info> - eve-log output device (regular) initialized: eve.json
> 4/7/2016 -- 16:06:25 - <Info> - stats output device (regular) initialized: stats.log
> 4/7/2016 -- 16:06:25 - <Info> - Using 2 live device(s).
> 4/7/2016 -- 16:06:25 - <Info> - Using flow cluster mode for PF_RING (iface p4p1)
> 4/7/2016 -- 16:06:25 - <Info> - (RX#01-p4p1) Using PF_RING v.6.5.0, interface p4p1, cluster-id 99, single-pfring-thread
> 4/7/2016 -- 16:06:25 - <Info> - Using flow cluster mode for PF_RING (iface p4p2)
> 4/7/2016 -- 16:06:25 - <Info> - (RX#01-p4p2) Using PF_RING v.6.5.0, interface p4p2, cluster-id 93, single-pfring-thread
> 4/7/2016 -- 16:06:25 - <Info> - RunModeIdsPfringAutoFp initialised
> 4/7/2016 -- 16:06:25 - <Notice> - all 42 packet processing threads, 4 management threads initialized, engine started.
> ^C4/7/2016 -- 16:07:09 - <Notice> - Signal Received. Stopping engine.
> 4/7/2016 -- 16:07:09 - <Info> - time elapsed 44.118s
> 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p1) Kernel: Packets 18, dropped 0
> 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p1) Packets 18, bytes 1080
> 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p2) Kernel: Packets 0, dropped 0
> 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p2) Packets 0, bytes 0
> 4/7/2016 -- 16:07:10 - <Info> - cleaning up signature grouping structure... complete
> 4/7/2016 -- 16:07:10 - <Notice> - Stats for 'p4p1': pkts: 18, drop: 0 (0.00%), invalid chksum: 0
> 4/7/2016 -- 16:07:10 - <Notice> - Stats for 'p4p2': pkts: 0, drop: 0 (-nan%), invalid chksum: 0
>
> Please note that in the same testbed we are able to run Snort (+
> PF_RING) with traffic going through p4p1 --> p4p2, so we suspect that
> there could be a problem with the integration of Suricata with PF_RING,
> or with Suricata itself.
>
PF_RING based IPS is not yet supported. See
https://redmine.openinfosecfoundation.org/issues/1726
You can use AF_PACKET, NETMAP or NFQ on Linux.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
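For readers who land here with the same symptom (packets counted on the ingress interface, zero on the egress one): the PF_RING capture path in this Suricata release only reads packets, it never writes them to the peer interface, so the `--pfring` run above is a passive sniffer on two NICs rather than a bridge. The matching inline setup with AF_PACKET, which does copy each accepted packet to the paired interface in the kernel, looks like the `af-packet:` section below. This is an added example written for this page, not configuration from the original thread or from the Suricata project; it reuses the poster's interface names (p4p1, p4p2) and cluster ids, and the thread count and buffer size are assumed values to be sized for the box at hand.

```yaml
# Added example: suricata.yaml fragment for AF_PACKET inline (IPS) mode,
# bridging p4p1 <-> p4p2 instead of the unsupported PF_RING IPS path.
af-packet:
  - interface: p4p1
    # In copy mode both interfaces MUST use the same number of threads;
    # one thread per side is assumed here, raise it symmetrically if needed.
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    # "ips" copies every packet that is not dropped by a rule to copy-iface.
    # ("tap" would copy everything and never block.)
    copy-mode: ips
    copy-iface: p4p2
    # Kernel copy requires the mmap'ed ring; tpacket-v3 is not usable in IPS mode.
    use-mmap: yes
    tpacket-v3: no
    buffer-size: 64535   # assumed; tune to traffic volume
  - interface: p4p2
    threads: 1
    cluster-id: 93
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: p4p1
    use-mmap: yes
    tpacket-v3: no
    buffer-size: 64535
```

Start it with `suricata -c /etc/suricata/suricata.yaml --af-packet -v` (no `--pfring`), keeping the GRO/LRO offloads disabled on both NICs exactly as the poster's `/etc/network/interfaces` already does, since reassembled super-frames cannot be re-injected on the peer. Two checks before calling the bridge working: the end-of-run "Stats for" lines (or `stats.log`) should now report a non-zero packet count on both p4p1 and p4p2, and a rule with the `drop` action should stop a matching flow, because `alert` rules in inline mode still let the packet through. If the intent is to protect a host that routes the traffic itself rather than a transparent bridge, NFQ with an `iptables ... -j NFQUEUE` rule is the other option Victor names; the two-NIC copy mode above is the direct replacement for the p4p1 --> p4p2 testbed in the thread.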