[Oisf-users] Suricata, traffic not passing (PF_RING)

Marcus Eagan marcuseagan at gmail.com
Mon Jul 4 21:54:54 UTC 2016


Slightly less than two cents:

+1 AF_Packet - if speed is a priority and you want to be on the cutting
edge of the Suricata experience.
+1 Netmap - if you intend to do quite a bit of customizations and a little
legwork to get it running.
+1 NFQ - if you want something you probably already understand, have worked
with, and that boasts the clearest documentation.

On Mon, Jul 4, 2016 at 11:29 AM, Victor Julien <lists at inliniac.net> wrote:

> On 04-07-16 17:21, Romagnoli Andrea wrote:
> > Hello everyone. We installed Suricata 3.1 (stable) with PF_RING 6.4.0 on
> > a server with Ubuntu 14.04.1, and our aim is to try Suricata in inline
> > IPS mode.
> >
> > On our server we have a management interface (p1p1), and two interfaces
> > linked to IXIA Breaking Point (IN: p4p1, OUT: p4p2), configured as
> > follows (cat /etc/network/interfaces):
> >
> > auto lo
> > iface lo inet loopback
> >
> > # The primary network interface
> > auto p1p1
> > iface p1p1 inet static
> > address XXX.XXX.XXX.XXX
> > netmask 255.255.255.0
> > network XXX.XXX.XXX.XXX
> > gateway XXX.XXX.XXX.XXX
> > dns-nameservers XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
> > dns-namesearch YYYYYYYYY
> >
> > # TRAFFIC_IN
> > auto p4p1
> > iface p4p1 inet manual
> >     up ifconfig $IFACE 0.0.0.0 up
> >     up ip link set $IFACE promisc on
> >     post-up ethtool -K $IFACE gro off
> >     post-up ethtool -K $IFACE lro off
> >     down ip link set $IFACE promisc off
> >     down ifconfig $IFACE down
> >     mtu 1500
> >
> > # TRAFFIC_OUT
> > auto p4p2
> > iface p4p2 inet manual
> >     up ifconfig $IFACE 0.0.0.0 up
> >     up ip link set $IFACE promisc on
> >     post-up ethtool -K $IFACE gro off
> >     post-up ethtool -K $IFACE lro off
> >     down ip link set $IFACE promisc off
> >     down ifconfig $IFACE down
> >     mtu 1500
> >
> > We tried both with standard ixgbe and PF_RING ZC's ixgbe Intel drivers,
> > but apparently something is going wrong.
> >
> > In fact Suricata starts without errors, but the traffic doesn't reach
> > the p4p2 interface.
> >
> > $ sudo suricata -c /etc/suricata/suricata.yaml --pfring -v
> > 4/7/2016 -- 16:06:21 - <Notice> - This is Suricata version 3.1 RELEASE
> > 4/7/2016 -- 16:06:21 - <Info> - CPUs/cores online: 40
> > 4/7/2016 -- 16:06:21 - <Info> - Found an MTU of 1500 for 'p4p1'
> > 4/7/2016 -- 16:06:21 - <Info> - Found an MTU of 1500 for 'p4p2'
> > 4/7/2016 -- 16:06:21 - <Info> - Loading rule file:
> > /etc/suricata/rules/botcc.rules
> > 4/7/2016 -- 16:06:21 - <Info> - Loading rule file:
> > /etc/suricata/rules/ciarmy.rules
> > 4/7/2016 -- 16:06:21 - <Info> - Loading rule file:
> > /etc/suricata/rules/compromised.rules
> > 4/7/2016 -- 16:06:21 - <Info> - Loading rule file:
> > /etc/suricata/rules/drop.rules
> > 4/7/2016 -- 16:06:21 - <Info> - Loading rule file:
> > /etc/suricata/rules/dshield.rules
> > 4/7/2016 -- 16:06:21 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-attack_response.rules
> > 4/7/2016 -- 16:06:21 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-chat.rules
> > 4/7/2016 -- 16:06:21 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-current_events.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-dns.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-dos.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-exploit.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-ftp.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-imap.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-malware.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-misc.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-mobile_malware.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-netbios.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-p2p.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-policy.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-pop3.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-rpc.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-scada.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-scan.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-smtp.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-snmp.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-sql.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-telnet.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-tftp.rules
> > 4/7/2016 -- 16:06:22 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-trojan.rules
> > 4/7/2016 -- 16:06:23 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-user_agents.rules
> > 4/7/2016 -- 16:06:23 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-voip.rules
> > 4/7/2016 -- 16:06:23 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-web_client.rules
> > 4/7/2016 -- 16:06:24 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-web_server.rules
> > 4/7/2016 -- 16:06:24 - <Info> - Loading rule file:
> > /etc/suricata/rules/emerging-worm.rules
> > 4/7/2016 -- 16:06:24 - <Info> - Loading rule file:
> > /etc/suricata/rules/tor.rules
> > 4/7/2016 -- 16:06:24 - <Info> - Loading rule file:
> > /etc/suricata/rules/http-events.rules
> > 4/7/2016 -- 16:06:24 - <Info> - Loading rule file:
> > /etc/suricata/rules/smtp-events.rules
> > 4/7/2016 -- 16:06:24 - <Info> - Loading rule file:
> > /etc/suricata/rules/tls-events.rules
> > 4/7/2016 -- 16:06:24 - <Info> - 38 rule files processed. 12426 rules
> > successfully loaded, 0 rules failed
> > 4/7/2016 -- 16:06:24 - <Info> - 12434 signatures processed. 1215 are
> > IP-only rules, 5005 are inspecting packet payload, 7829 inspect
> > application layer, 0 are decoder event only
> > 4/7/2016 -- 16:06:25 - <Info> - Threshold config parsed: 0 rule(s) found
> > 4/7/2016 -- 16:06:25 - <Info> - fast output device (regular)
> > initialized: fast.log
> > 4/7/2016 -- 16:06:25 - <Info> - eve-log output device (regular)
> > initialized: eve.json
> > 4/7/2016 -- 16:06:25 - <Info> - stats output device (regular)
> > initialized: stats.log
> > 4/7/2016 -- 16:06:25 - <Info> - Using 2 live device(s).
> > 4/7/2016 -- 16:06:25 - <Info> - Using flow cluster mode for PF_RING
> > (iface p4p1)
> > 4/7/2016 -- 16:06:25 - <Info> - (RX#01-p4p1) Using PF_RING v.6.5.0,
> > interface p4p1, cluster-id 99, single-pfring-thread
> > 4/7/2016 -- 16:06:25 - <Info> - Using flow cluster mode for PF_RING
> > (iface p4p2)
> > 4/7/2016 -- 16:06:25 - <Info> - (RX#01-p4p2) Using PF_RING v.6.5.0,
> > interface p4p2, cluster-id 93, single-pfring-thread
> > 4/7/2016 -- 16:06:25 - <Info> - RunModeIdsPfringAutoFp initialised
> > 4/7/2016 -- 16:06:25 - <Notice> - all 42 packet processing threads, 4
> > management threads initialized, engine started.
> > ^C4/7/2016 -- 16:07:09 - <Notice> - Signal Received.  Stopping engine.
> > 4/7/2016 -- 16:07:09 - <Info> - time elapsed 44.118s
> > 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p1) Kernel: Packets 18, dropped 0
> > 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p1) Packets 18, bytes 1080
> > 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p2) Kernel: Packets 0, dropped 0
> > 4/7/2016 -- 16:07:09 - <Info> - (RX#01-p4p2) Packets 0, bytes 0
> > 4/7/2016 -- 16:07:10 - <Info> - cleaning up signature grouping
> > structure... complete
> > 4/7/2016 -- 16:07:10 - <Notice> - Stats for 'p4p1':  pkts: 18, drop: 0
> > (0.00%), invalid chksum: 0
> > 4/7/2016 -- 16:07:10 - <Notice> - Stats for 'p4p2':  pkts: 0, drop: 0
> > (-nan%), invalid chksum: 0
> >
> > Please note that in the same testbed we are able to run Snort (+
> > PF_RING) with traffic going through p4p1 --> p4p2, so we suspect that
> > there could be a problem with the integration of Suricata with PF_RING,
> > or with Suricata itself.
> >
>
> PF_RING based IPS is not yet supported. See
> https://redmine.openinfosecfoundation.org/issues/1726
>
> You can use AF_PACKET, NETMAP or NFQ on linux.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net




-- 
Marcus Eagan
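As an added example that is not part of the thread and not the Suricata project's shipped suricata.yaml: the af-packet section that pairs p4p1 and p4p2 in inline mode, the AF_PACKET option Victor points to. The log above shows the PF_RING run initialising "RunModeIdsPfringAutoFp", an IDS run mode, which is why p4p1 saw 18 packets and p4p2 saw none: nothing was ever copying packets to the other leg. The cluster-ids 99 and 93 are the ones from the log; the thread counts, buffer-size and ring-size are assumed values to be tuned for the box.

```yaml
# Added example (not from the original post): af-packet inline IPS
# configuration for suricata.yaml, bridging the two Breaking Point legs.
# With copy-mode: ips each interface forwards every packet that is not
# dropped by a rule to its copy-iface; the two entries must mirror each
# other and use the same number of threads.

af-packet:
  - interface: p4p1
    threads: 4               # assumed; must equal the peer's thread count
    cluster-id: 99           # cluster-id from the thread's log
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes            # mmap mode is required for copy-mode
    tpacket-v3: no           # TPACKET_V3 is not usable for inline/IPS
    copy-mode: ips           # "tap" would copy but never enforce drops
    copy-iface: p4p2
    buffer-size: 64535       # assumed
    ring-size: 2048          # assumed
  - interface: p4p2
    threads: 4
    cluster-id: 93           # cluster-id from the thread's log; must differ from the peer's
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: p4p1
    buffer-size: 64535
    ring-size: 2048

# Let the stream engine make inline decisions (drop on reassembled data):
stream:
  inline: yes

# Start with the workers runmode rather than autofp, and with the af-packet
# capture method selected from the entries above:
#   sudo suricata -c /etc/suricata/suricata.yaml --af-packet --runmode workers -v
```

Two checks are worth doing after switching. First, the interface pre-up scripts in the posted /etc/network/interfaces already turn off gro and lro; for inline AF_PACKET the remaining offloads (tso, gso, rx/tx checksumming, sg) should be disabled on both legs too, so that Suricata sees and re-emits frames as they were on the wire. Second, the "Stats for 'p4p2'" line at shutdown is the tell: in a working inline pair both interfaces report a non-zero packet count, and a leg stuck at 0 pkts means packets are not being copied across, exactly the symptom in the PF_RING run above.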