[Oisf-users] Suricata, traffic not passing (PF_RING)

Victor Julien lists at inliniac.net
Mon Jul 4 15:29:34 UTC 2016


On 04-07-16 17:21, Romagnoli Andrea wrote:
> Hello everyone. We installed Suricata 3.1 (stable) with PF_RING 6.4.0 on
> a server with Ubuntu 14.04.1, and our aim is to try Suricata in inline
> IPS mode.
> 
> On our server we have a management interface (p1p1), and two interfaces
> linked to IXIA Breaking Point (IN: p4p1, OUT: p4p2), configured as
> follow (cat /etc/network/interfaces):
> 
> auto lo
> iface lo inet loopback
> 
> # The primary network interface
> auto p1p1
> iface p1p1 inet static
> address XXX.XXX.XXX.XXX
> netmask 255.255.255.0
> network XXX.XXX.XXX.XXX
> gateway XXX.XXX.XXX.XXX
> dns-nameservers XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
> dns-namesearch YYYYYYYYY
> 
> # TRAFFIC_IN
> auto p4p1
> iface p4p1 inet manual
>     up ifconfig $IFACE 0.0.0.0 up
>     up ip link set $IFACE promisc on
>     post-up ethtool -K $IFACE gro off
>     post-up ethtool -K $IFACE lro off
>     down ip link set $IFACE promisc off
>     down ifconfig $IFACE down
>     mtu 1500
> 
> # TRAFFIC_OUT
> auto p4p2
> iface p4p2 inet manual
>     up ifconfig $IFACE 0.0.0.0 up
>     up ip link set $IFACE promisc on
>     post-up ethtool -K $IFACE gro off
>     post-up ethtool -K $IFACE lro off
>     down ip link set $IFACE promisc off
>     down ifconfig $IFACE down
>     mtu 1500
> 
> We tried both with standard ixgbe and PF_RING ZC's ixgbe Intel drivers,
> but apparently something is going wrong.
> 
> In fact Suricata starts without errors, but the traffic doesn't reach
> the p4p2 interface.
> 
> 
> $ sudo suricata -c /etc/suricata/suricata.yaml --pfring -v
> 
> 4/7/2016 -- 16:06:21 - <Notice> - This is Suricata version 3.1 RELEASE
> 4/7/2016 -- 16:06:21 - <Info> - CPUs/cores online: 40
> 4/7/2016 -- 16:06:21 - <Info> - Found an MTU of 1500 for 'p4p1'
> 4/7/2016 -- 16:06:21 - <Info> - Found an MTU of 1500 for 'p4p2'
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/botcc.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/ciarmy.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/compromised.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/drop.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/dshield.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/emerging-attack_response.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/emerging-chat.rules
> 4/7/2016 -- 16:06:21 - <Info> - Loading rule file: /etc/suricata/rules/emerging-current_events.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-dns.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-dos.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-exploit.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-ftp.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-imap.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-malware.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-misc.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-mobile_malware.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-netbios.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-p2p.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-policy.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-pop3.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-rpc.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-scada.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-scan.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-smtp.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-snmp.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-sql.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-telnet.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-tftp.rules
> 4/7/2016 -- 16:06:22 - <Info> - Loading rule file: /etc/suricata/rules/emerging-trojan.rules
> 4/7/2016 -- 16:06:23 - <Info> - Loading rule file: /etc/suricata/rules/emerging-user_agents.rules
> 4/7/2016 -- 16:06:23 - <Info> - Loading rule file: /etc/suricata/rules/emerging-voip.rules
> 4/7/2016 -- 16:06:23 - <Info> - Loading rule file: /etc/suricata/rules/emerging-web_client.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/emerging-web_server.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/emerging-worm.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/tor.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/http-events.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/smtp-events.rules
> 4/7/2016 -- 16:06:24 - <Info> - Loading rule file: /etc/suricata/rules/tls-events.rules
> 4/7/2016 -- 16:06:24 - <Info> - 38 rule files processed. 12426 rules successfully loaded, 0 rules failed
> 4/7/2016 -- 16:06:24 - <Info> - 12434 signatures processed. 1215 are IP-only rules, 5005 are inspecting packet payload, 7829 inspect application layer, 0 are decoder event only
> 4/7/2016 -- 16:06:25 - <Info> - Threshold config parsed: 0 rule(s) found
> 4/7/2016 -- 16:06:25 - <Info> - fast output device (regular) initialized: fast.log
> 4/7/2016 -- 16:06:25 - <Info> - eve-log output device (regular) initialized: eve.json
> 4/7/2016 -- 16:06:25 - <Info> - stats output device (regular) initialized: stats.log
> 4/7/2016 -- 16:06:25 - <Info> - Using 2 live device(s).
> 4/7/2016 -- 16:06:25 - <Info> - Using flow cluster mode for PF_RING (iface p4p1)
> 4/7/2016 -- 16:06:25 - <Info> - (RX#01-p4p1) Using PF_RING v.6.5.0, interface p4p1, cluster-id 99, single-pfring-thread
> 4/7/2016 -- 16:06:25 - <Info> - Using flow cluster mode for PF_RING (iface p4p2)
> 4/7/2016 -- 16:06:25 - <Info> - (RX#01-p4p2) Using PF_RING v.6.5.0, interface p4p2, cluster-id 93, single-pfring-thread
> 4/7/2016 -- 16:06:25 - <Info> - RunModeIdsPfringAutoFp initialised
> 4/7/2016 -- 16:06:25 - <Notice> - all 42 packet processing threads, 4 management threads initialized, engine started.
> ^C4/7/2016 -- 16:07:09 - <Notice> - Signal Received.  Stopping engine.
> 4/7/2016 -- 16:07:09 - <Info> - time elapsed 44.118s
> 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p1) Kernel: Packets 18, dropped 0
> 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p1) Packets 18, bytes 1080
> 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p2) Kernel: Packets 0, dropped 0
> 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p2) Packets 0, bytes 0
> 4/7/2016 -- 16:07:10 - <Info> - cleaning up signature grouping structure... complete
> 4/7/2016 -- 16:07:10 - <Notice> - Stats for 'p4p1':  pkts: 18, drop: 0 (0.00%), invalid chksum: 0
> 4/7/2016 -- 16:07:10 - <Notice> - Stats for 'p4p2':  pkts: 0, drop: 0 (-nan%), invalid chksum: 0
> 
> Please note that in the same testbed we are able to run Snort (+
> PF_RING) with traffic going through p4p1 --> p4p2, so we suspect that
> there could be a problem with the integration of Suricata with PF_RING,
> or with Suricata itself.
> 

PF_RING based IPS is not yet supported. See
https://redmine.openinfosecfoundation.org/issues/1726

You can use AF_PACKET, NETMAP or NFQ on Linux.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
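
For the two-interface layout in the quoted post, the AF_PACKET inline setup Victor points to is expressed in suricata.yaml as a pair of interfaces that copy to each other. The fragment below is an added example, not configuration from this thread or from the Suricata project: the interface names p4p1 and p4p2 come from the post, while the cluster-ids, thread count and buffer size are assumptions chosen for illustration.

```yaml
# suricata.yaml fragment (added example, not from the original post or project):
# AF_PACKET in IPS copy mode for the p4p1 <-> p4p2 pair. Both interfaces stay
# without an IP address and with GRO/LRO disabled, exactly as in the poster's
# /etc/network/interfaces. cluster-id, threads and buffer-size are assumptions.
af-packet:
  - interface: p4p1
    threads: 1                 # must equal the peer interface's thread count
    cluster-id: 98             # any id not used by another AF_PACKET consumer on this host
    cluster-type: cluster_flow
    defrag: no                 # no kernel-side reassembly when forwarding inline
    copy-mode: ips             # packets hitting a 'drop' rule are not forwarded
    copy-iface: p4p2           # everything else is re-emitted on the peer interface
    use-mmap: yes
    buffer-size: 64535
  - interface: p4p2
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: p4p1           # the reverse direction, p4p2 -> p4p1
    use-mmap: yes
    buffer-size: 64535

# In inline mode the stream engine should inspect data before it is forwarded
# rather than reassemble it after the fact.
stream:
  inline: yes
```

Start the engine with `--af-packet` instead of `--pfring` (`suricata -c /etc/suricata/suricata.yaml --af-packet -v`) and repeat the Breaking Point run: in the shutdown stats the `pkts` counter for p4p2 should now be non-zero, and a `drop` rule should stop a matching flow from reaching the far side. Two caveats for this mode: the thread count must be the same on both interfaces of a pair, and NIC offloads should stay off on both (the post already disables GRO and LRO; `ethtool -k p4p1` will show whether TSO/GSO also need turning off, since segments reassembled by the NIC are larger than the 1500-byte MTU Suricata found and cannot be re-emitted unchanged). AF_PACKET copy mode has no fail-open: if Suricata stops, traffic between p4p1 and p4p2 stops with it, which is fine on a test bed but needs a bypass plan in production.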
