[Oisf-users] traffic doesn't forward suricata and netmap.
Fatih USTA
fatihusta86 at gmail.com
Mon Jan 15 16:02:41 UTC 2018
I added the "-vvv" parameter. The log is below.
I found a problem, but I don't know how to fix it.
The problem is ARP. I can't see ARP requests in "tcpdump" or "ip monitor all"
while suricata is running.
*Client ARP Table*
? (10.1.8.1) at <incomplete> on eth8
suricata -c /etc/suricata/suricata.yaml --netmap -vvv
15/1/2018 -- 18:44:49 - <Notice> - This is Suricata version 4.0.3 RELEASE
15/1/2018 -- 18:44:49 - <Info> - CPUs/cores online: 12
15/1/2018 -- 18:44:49 - <Config> - Adding interface ens15f0 from config file
15/1/2018 -- 18:44:49 - <Config> - Adding interface ens15f1 from config file
15/1/2018 -- 18:44:49 - <Info> - Netmap: Setting IPS mode
15/1/2018 -- 18:44:49 - <Config> - 'default' server has
'request-body-minimal-inspect-size' set to 31926 and
'request-body-inspect-window' set to 3968 after randomization.
15/1/2018 -- 18:44:49 - <Config> - 'default' server has
'response-body-minimal-inspect-size' set to 39564 and
'response-body-inspect-window' set to 15737 after randomization.
15/1/2018 -- 18:44:49 - <Config> - DNS request flood protection level: 500
15/1/2018 -- 18:44:49 - <Config> - DNS per flow memcap (state-memcap):
524288
15/1/2018 -- 18:44:49 - <Config> - DNS global memcap: 16777216
15/1/2018 -- 18:44:49 - <Config> - Protocol detection and parser
disabled for modbus protocol.
15/1/2018 -- 18:44:49 - <Config> - Protocol detection and parser
disabled for enip protocol.
15/1/2018 -- 18:44:49 - <Config> - Protocol detection and parser
disabled for DNP3.
15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for 'ens15f0'
15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for 'ens15f0'
15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for 'ens15f1'
15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for 'ens15f1'
15/1/2018 -- 18:44:49 - <Config> - allocated 262144 bytes of memory for
the host hash... 4096 buckets of size 64
15/1/2018 -- 18:44:49 - <Config> - preallocated 1000 hosts of size 136
15/1/2018 -- 18:44:49 - <Config> - host memory usage: 398144 bytes,
maximum: 33554432
15/1/2018 -- 18:44:49 - <Config> - Core dump size set to unlimited.
15/1/2018 -- 18:44:49 - <Config> - allocated 3670016 bytes of memory for
the defrag hash... 65536 buckets of size 56
15/1/2018 -- 18:44:49 - <Config> - preallocated 65535 defrag trackers of
size 168
15/1/2018 -- 18:44:49 - <Config> - defrag memory usage: 14679896 bytes,
maximum: 33554432
15/1/2018 -- 18:44:49 - <Config> - stream "prealloc-sessions": 2048 (per
thread)
15/1/2018 -- 18:44:49 - <Config> - stream "memcap": 67108864
15/1/2018 -- 18:44:49 - <Config> - stream "midstream" session pickups:
disabled
15/1/2018 -- 18:44:49 - <Config> - stream "async-oneside": disabled
15/1/2018 -- 18:44:49 - <Config> - stream "checksum-validation": enabled
15/1/2018 -- 18:44:49 - <Config> - stream."inline": enabled
15/1/2018 -- 18:44:49 - <Config> - stream "bypass": disabled
15/1/2018 -- 18:44:49 - <Config> - stream "max-synack-queued": 5
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly "memcap": 268435456
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly "depth": 1048576
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly
"toserver-chunk-size": 2469
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly
"toclient-chunk-size": 2572
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly.raw: enabled
15/1/2018 -- 18:44:49 - <Config> - stream.reassembly "segment-prealloc":
2048
15/1/2018 -- 18:44:49 - <Config> - Delayed detect disabled
15/1/2018 -- 18:44:49 - <Info> - Running in live mode, activating unix
socket
15/1/2018 -- 18:44:49 - <Config> - pattern matchers: MPM: ac, SPM: bm
15/1/2018 -- 18:44:49 - <Config> - grouping: tcp-whitelist (default) 53,
80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
15/1/2018 -- 18:44:49 - <Config> - grouping: udp-whitelist (default) 53,
135, 5060
15/1/2018 -- 18:44:49 - <Config> - prefilter engines: MPM
15/1/2018 -- 18:44:49 - <Config> - IP reputation disabled
15/1/2018 -- 18:44:49 - <Config> - Loading rule file:
/var/lib/suricata/rules/suricata.rules
15/1/2018 -- 18:44:56 - <Info> - 1 rule files processed. 18586 rules
successfully loaded, 0 rules failed
15/1/2018 -- 18:44:56 - <Info> - Threshold config parsed: 0 rule(s) found
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for tcp-packet
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for tcp-stream
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for udp-packet
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for other-ip
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_uri
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_request_line
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_client_body
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
http_response_line
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_header
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_header
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_header_names
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_header_names
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_accept
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_accept_enc
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_accept_lang
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_referer
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_connection
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_content_len
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_content_len
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_content_type
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_content_type
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_protocol
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_protocol
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_start
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_start
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_raw_header
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_raw_header
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_method
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_cookie
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_cookie
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_raw_uri
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_user_agent
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_host
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_raw_host
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_stat_msg
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_stat_code
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for dns_query
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for tls_sni
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for tls_cert_issuer
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for tls_cert_subject
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for tls_cert_serial
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for dce_stub_data
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for dce_stub_data
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for ssh_protocol
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for ssh_protocol
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for ssh_software
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for ssh_software
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for file_data
15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for file_data
15/1/2018 -- 18:44:56 - <Info> - 18591 signatures processed. 1144 are
IP-only rules, 6288 are inspecting packet payload, 13278 inspect
application layer, 0 are decoder event only
15/1/2018 -- 18:44:56 - <Config> - building signature grouping
structure, stage 1: preprocessing rules... complete
15/1/2018 -- 18:44:56 - <Perf> - TCP toserver: 41 port groups, 32 unique
SGH's, 9 copies
15/1/2018 -- 18:44:56 - <Perf> - TCP toclient: 21 port groups, 21 unique
SGH's, 0 copies
15/1/2018 -- 18:44:56 - <Perf> - UDP toserver: 41 port groups, 32 unique
SGH's, 9 copies
15/1/2018 -- 18:44:56 - <Perf> - UDP toclient: 21 port groups, 15 unique
SGH's, 6 copies
15/1/2018 -- 18:44:56 - <Perf> - OTHER toserver: 254 proto groups, 3
unique SGH's, 251 copies
15/1/2018 -- 18:44:56 - <Perf> - OTHER toclient: 254 proto groups, 0
unique SGH's, 254 copies
15/1/2018 -- 18:44:57 - <Perf> - Unique rule groups: 103
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toserver TCP packet": 21
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toclient TCP packet": 20
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toserver TCP stream": 20
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toclient TCP stream": 21
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toserver UDP packet": 32
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toclient UDP packet": 14
15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "other IP packet": 2
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_uri": 6
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_request_line": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_client_body": 5
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
http_response_line": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_header": 6
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient http_header": 3
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_header_names": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_accept": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_referer": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_content_len": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
http_content_type": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
http_content_type": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_start": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_method": 3
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_cookie": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient http_cookie": 2
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_host": 2
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver dns_query": 4
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver tls_sni": 2
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver file_data": 1
15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient file_data": 5
15/1/2018 -- 18:44:57 - <Info> - fast output device (regular)
initialized: fast.log
15/1/2018 -- 18:44:57 - <Info> - eve-log output device (regular)
initialized: eve.json
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'alert'
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'http'
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'dns'
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'tls'
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'files'
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'smtp'
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'ssh'
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'stats'
15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'flow'
15/1/2018 -- 18:44:57 - <Info> - stats output device (regular)
initialized: stats.log
15/1/2018 -- 18:44:57 - <Info> - Found 1 RX RSS queues for 'ens15f0'
15/1/2018 -- 18:44:57 - <Info> - Found 1 RX RSS queues for 'ens15f1'
15/1/2018 -- 18:44:57 - <Perf> - Using 1 threads for interface ens15f0
15/1/2018 -- 18:44:57 - <Info> - Going to use 1 thread(s)
15/1/2018 -- 18:44:58 - <Perf> - Enabling zero copy mode for
ens15f0->ens15f1
15/1/2018 -- 18:44:58 - <Info> - Found 1 RX RSS queues for 'ens15f1'
15/1/2018 -- 18:44:58 - <Info> - Found 1 RX RSS queues for 'ens15f0'
15/1/2018 -- 18:44:58 - <Perf> - Using 1 threads for interface ens15f1
15/1/2018 -- 18:44:58 - <Info> - Going to use 1 thread(s)
15/1/2018 -- 18:44:58 - <Perf> - Enabling zero copy mode for
ens15f1->ens15f0
15/1/2018 -- 18:44:58 - <Config> - using 1 flow manager threads
15/1/2018 -- 18:44:58 - <Config> - using 1 flow recycler threads
15/1/2018 -- 18:44:58 - <Info> - Running in live mode, activating unix
socket
15/1/2018 -- 18:44:58 - <Info> - Using unix socket file
'/var/run/suricata/suricata-command.socket'
15/1/2018 -- 18:44:58 - <Notice> - all 2 packet processing threads, 4
management threads initialized, engine started.
Fatih USTA
On 15-01-2018 17:07, Fatih USTA wrote:
>
> Hi
>
> I'm working on suricata with netmap.
>
> I built suricata 4.0.3 with netmap on CentOS 7 (kernel 3.10.xx).
>
> I disabled rx/tx and lro/gro
>
> ethtool -K ens15f0 lro off gro off
> ethtool -K ens15f1 lro off gro off
>
> ethtool -A ens15f0 rx off tx off
> ethtool -A ens15f1 rx off tx off
>
> Traffic does not forward when I start suricata.
>
> From 10.1.8.2 icmp_seq=18 Destination Host Unreachable
> From 10.1.8.2 icmp_seq=19 Destination Host Unreachable
>
> Any idea? Thank you for your help.
>
> *my suricata config*
>
> netmap:
>   - inteface: default
>
>   - interface: ens15f0
>     copy-iface: ens15f1
>     copy-mode: ips
>     disable-promisc: no
>     checksum-checks: auto
>     threads: auto
>
>   - interface: ens15f1
>     copy-iface: ens15f0
>     copy-mode: ips
>     disable-promisc: no
>     checksum-checks: auto
>     threads: auto
>
> *Kernel Modules*
>
> [root at centos7 ~]# lsmod | grep netmap
> netmap 154288 2 igb,ixgbe
>
> *Build INFO*
> [root at centos7 ~]# suricata --build-info
> This is Suricata version 4.0.3 RELEASE
> Features: NFQ PCAP_SET_BUFF AF_PACKET NETMAP HAVE_PACKET_FANOUT
> LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS
> HAVE_LUA HAVE_LIBJANSSON TLS MAGIC
> SIMD support: none
> Atomic intrisics: 1 2 4 8 byte(s)
> 64-bits, Little-endian architecture
> GCC version 4.8.5 20150623 (Red Hat 4.8.5-16), C version 199901
> compiled with _FORTIFY_SOURCE=2
> L1 cache line size (CLS)=64
> thread local storage method: __thread
> compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25
>
> Suricata Configuration:
> AF_PACKET support: yes
> PF_RING support: no
> NFQueue support: yes
> NFLOG support: yes
> IPFW support: no
> Netmap support: yes
> DAG enabled: no
> Napatech enabled: no
>
> Unix socket enabled: yes
> Detection enabled: yes
>
> Libmagic support: yes
> libnss support: yes
> libnspr support: yes
> libjansson support: yes
> hiredis support: yes
> hiredis async with libevent: yes
> Prelude support: yes
> PCRE jit: yes
> LUA support: yes
> libluajit: no
> libgeoip: yes
> Non-bundled htp: no
> Old barnyard2 support: no
> CUDA enabled: no
> Hyperscan support: no
> Libnet support: yes
>
> Rust support (experimental): no
> Experimental Rust parsers: no
> Rust strict mode: no
>
> Suricatasc install: yes
>
> Profiling enabled: no
> Profiling locks enabled: no
>
> Development settings:
> Coccinelle / spatch: no
> Unit tests enabled: no
> Debug output enabled: no
> Debug validation enabled: no
>
> Generic build parameters:
> Installation prefix: /usr
> Configuration directory: /etc/suricata/
> Log directory: /var/log/suricata/
>
> --prefix /usr
> --sysconfdir /etc
> --localstatedir /var
>
> Host: x86_64-redhat-linux-gnu
> Compiler: gcc -std=gnu99 (exec name)
> / gcc (real)
> GCC Protect enabled: yes
> GCC march native enabled: no
> GCC Profile enabled: no
> Position Independent Executable enabled: yes
> CFLAGS -O2 -g -pipe -Wall
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
> --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
> PCAP_CFLAGS
> SECCFLAGS -fstack-protector
> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
>
> --
> Fatih USTA
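Added example, not from the original post or from the Suricata project: a small Python lint for a netmap IPS section of the kind quoted above. It flags misspelled option names (the posted section has `inteface` in its default entry), `copy-mode: ips` without a `copy-iface`, and copy pairs that are not mutual, so a configuration mistake can be ruled out before digging into why ARP is not forwarded. The option names and the `ips`/`tap` copy modes are assumptions taken from the posted config and Suricata's netmap options; the sample entries are constructed to mirror the mail.

```python
# Option names visible in the posted netmap section; assumed complete for linting.
KNOWN_KEYS = {"interface", "copy-iface", "copy-mode", "disable-promisc",
              "checksum-checks", "threads"}
VALID_COPY_MODES = {"ips", "tap"}  # assumption: netmap copy modes

# Constructed to mirror the netmap: section from the mail, typo included.
POSTED_NETMAP = [
    {"inteface": "default"},  # 'inteface' preserved from the post
    {"interface": "ens15f0", "copy-iface": "ens15f1", "copy-mode": "ips",
     "disable-promisc": "no", "checksum-checks": "auto", "threads": "auto"},
    {"interface": "ens15f1", "copy-iface": "ens15f0", "copy-mode": "ips",
     "disable-promisc": "no", "checksum-checks": "auto", "threads": "auto"},
]


def lint_netmap(entries):
    """Return a list of findings; an empty list means the section is consistent."""
    findings = []
    by_name = {}
    for idx, entry in enumerate(entries):
        for key in sorted(set(entry) - KNOWN_KEYS):
            findings.append(f"entry {idx}: unknown key '{key}' (misspelled?)")
        name = entry.get("interface")
        if name is None:
            # Without an 'interface' key the entry cannot be matched to a NIC.
            findings.append(f"entry {idx}: no 'interface' key, entry is ignored")
            continue
        by_name[name] = entry
    for name, entry in by_name.items():
        if name == "default":
            continue
        mode, peer = entry.get("copy-mode"), entry.get("copy-iface")
        if mode is not None and mode not in VALID_COPY_MODES:
            findings.append(f"{name}: copy-mode '{mode}' not in {sorted(VALID_COPY_MODES)}")
        if mode == "ips" and peer is None:
            findings.append(f"{name}: copy-mode ips without copy-iface, nothing is forwarded")
        if peer == name:
            findings.append(f"{name}: copy-iface points at itself")
        elif peer is not None:
            # IPS forwarding needs both directions: A->B and B->A.
            peer_entry = by_name.get(peer)
            if peer_entry is None:
                findings.append(f"{name}: copy-iface '{peer}' has no interface entry")
            elif peer_entry.get("copy-iface") != name:
                findings.append(f"{name} -> {peer} but {peer} does not copy back to {name}")
    if "default" not in by_name:
        findings.append("no 'interface: default' entry found; a misspelled key may have hidden it")
    return findings


if __name__ == "__main__":
    for line in lint_netmap(POSTED_NETMAP):
        print(line)
```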