[Oisf-users] traffic doesn't forward suricata and netmap.
Fatih USTA
fatihusta86 at gmail.com
Wed Jan 17 12:44:13 UTC 2018
Hello list.
Are there any ideas for this issue?
Thanks. Regards.
Fatih USTA
On 15-01-2018 19:02, Fatih USTA wrote:
>
> I added "-vvv" parameters. The log is below .
>
> I found a problem, but I don't know how to fix it.
> The problem is ARP. I can't see ARP requests in "tcpdump" or "ip monitor
> all" while running suricata.
>
> *Client Arp Table*
>
> ? (10.1.8.1) at <incomplete> on eth8
>
> suricata -c /etc/suricata/suricata.yaml --netmap -vvv
>
> 15/1/2018 -- 18:44:49 - <Notice> - This is Suricata version 4.0.3 RELEASE
> 15/1/2018 -- 18:44:49 - <Info> - CPUs/cores online: 12
> 15/1/2018 -- 18:44:49 - <Config> - Adding interface ens15f0 from
> config file
> 15/1/2018 -- 18:44:49 - <Config> - Adding interface ens15f1 from
> config file
> 15/1/2018 -- 18:44:49 - <Info> - Netmap: Setting IPS mode
> 15/1/2018 -- 18:44:49 - <Config> - 'default' server has
> 'request-body-minimal-inspect-size' set to 31926 and
> 'request-body-inspect-window' set to 3968 after randomization.
> 15/1/2018 -- 18:44:49 - <Config> - 'default' server has
> 'response-body-minimal-inspect-size' set to 39564 and
> 'response-body-inspect-window' set to 15737 after randomization.
> 15/1/2018 -- 18:44:49 - <Config> - DNS request flood protection level: 500
> 15/1/2018 -- 18:44:49 - <Config> - DNS per flow memcap (state-memcap):
> 524288
> 15/1/2018 -- 18:44:49 - <Config> - DNS global memcap: 16777216
> 15/1/2018 -- 18:44:49 - <Config> - Protocol detection and parser
> disabled for modbus protocol.
> 15/1/2018 -- 18:44:49 - <Config> - Protocol detection and parser
> disabled for enip protocol.
> 15/1/2018 -- 18:44:49 - <Config> - Protocol detection and parser
> disabled for DNP3.
> 15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for 'ens15f0'
> 15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for 'ens15f0'
> 15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for 'ens15f1'
> 15/1/2018 -- 18:44:49 - <Info> - Found an MTU of 9000 for 'ens15f1'
> 15/1/2018 -- 18:44:49 - <Config> - allocated 262144 bytes of memory
> for the host hash... 4096 buckets of size 64
> 15/1/2018 -- 18:44:49 - <Config> - preallocated 1000 hosts of size 136
> 15/1/2018 -- 18:44:49 - <Config> - host memory usage: 398144 bytes,
> maximum: 33554432
> 15/1/2018 -- 18:44:49 - <Config> - Core dump size set to unlimited.
> 15/1/2018 -- 18:44:49 - <Config> - allocated 3670016 bytes of memory
> for the defrag hash... 65536 buckets of size 56
> 15/1/2018 -- 18:44:49 - <Config> - preallocated 65535 defrag trackers
> of size 168
> 15/1/2018 -- 18:44:49 - <Config> - defrag memory usage: 14679896
> bytes, maximum: 33554432
> 15/1/2018 -- 18:44:49 - <Config> - stream "prealloc-sessions": 2048
> (per thread)
> 15/1/2018 -- 18:44:49 - <Config> - stream "memcap": 67108864
> 15/1/2018 -- 18:44:49 - <Config> - stream "midstream" session pickups:
> disabled
> 15/1/2018 -- 18:44:49 - <Config> - stream "async-oneside": disabled
> 15/1/2018 -- 18:44:49 - <Config> - stream "checksum-validation": enabled
> 15/1/2018 -- 18:44:49 - <Config> - stream."inline": enabled
> 15/1/2018 -- 18:44:49 - <Config> - stream "bypass": disabled
> 15/1/2018 -- 18:44:49 - <Config> - stream "max-synack-queued": 5
> 15/1/2018 -- 18:44:49 - <Config> - stream.reassembly "memcap": 268435456
> 15/1/2018 -- 18:44:49 - <Config> - stream.reassembly "depth": 1048576
> 15/1/2018 -- 18:44:49 - <Config> - stream.reassembly
> "toserver-chunk-size": 2469
> 15/1/2018 -- 18:44:49 - <Config> - stream.reassembly
> "toclient-chunk-size": 2572
> 15/1/2018 -- 18:44:49 - <Config> - stream.reassembly.raw: enabled
> 15/1/2018 -- 18:44:49 - <Config> - stream.reassembly
> "segment-prealloc": 2048
> 15/1/2018 -- 18:44:49 - <Config> - Delayed detect disabled
> 15/1/2018 -- 18:44:49 - <Info> - Running in live mode, activating unix
> socket
> 15/1/2018 -- 18:44:49 - <Config> - pattern matchers: MPM: ac, SPM: bm
> 15/1/2018 -- 18:44:49 - <Config> - grouping: tcp-whitelist (default)
> 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
> 15/1/2018 -- 18:44:49 - <Config> - grouping: udp-whitelist (default)
> 53, 135, 5060
> 15/1/2018 -- 18:44:49 - <Config> - prefilter engines: MPM
> 15/1/2018 -- 18:44:49 - <Config> - IP reputation disabled
> 15/1/2018 -- 18:44:49 - <Config> - Loading rule file:
> /var/lib/suricata/rules/suricata.rules
> 15/1/2018 -- 18:44:56 - <Info> - 1 rule files processed. 18586 rules
> successfully loaded, 0 rules failed
> 15/1/2018 -- 18:44:56 - <Info> - Threshold config parsed: 0 rule(s) found
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for tcp-packet
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for tcp-stream
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for udp-packet
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for other-ip
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_uri
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
> http_request_line
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
> http_client_body
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
> http_response_line
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_header
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_header
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
> http_header_names
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
> http_header_names
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_accept
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_accept_enc
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
> http_accept_lang
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_referer
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_connection
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
> http_content_len
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
> http_content_len
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
> http_content_type
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
> http_content_type
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_protocol
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_protocol
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_start
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_start
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_raw_header
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_raw_header
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_method
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_cookie
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_cookie
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_raw_uri
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_user_agent
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_host
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_raw_host
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_stat_msg
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for http_stat_code
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for dns_query
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for tls_sni
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for tls_cert_issuer
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for
> tls_cert_subject
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for tls_cert_serial
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for dce_stub_data
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for dce_stub_data
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for ssh_protocol
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for ssh_protocol
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for ssh_software
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for ssh_software
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for file_data
> 15/1/2018 -- 18:44:56 - <Perf> - using shared mpm ctx' for file_data
> 15/1/2018 -- 18:44:56 - <Info> - 18591 signatures processed. 1144 are
> IP-only rules, 6288 are inspecting packet payload, 13278 inspect
> application layer, 0 are decoder event only
> 15/1/2018 -- 18:44:56 - <Config> - building signature grouping
> structure, stage 1: preprocessing rules... complete
> 15/1/2018 -- 18:44:56 - <Perf> - TCP toserver: 41 port groups, 32
> unique SGH's, 9 copies
> 15/1/2018 -- 18:44:56 - <Perf> - TCP toclient: 21 port groups, 21
> unique SGH's, 0 copies
> 15/1/2018 -- 18:44:56 - <Perf> - UDP toserver: 41 port groups, 32
> unique SGH's, 9 copies
> 15/1/2018 -- 18:44:56 - <Perf> - UDP toclient: 21 port groups, 15
> unique SGH's, 6 copies
> 15/1/2018 -- 18:44:56 - <Perf> - OTHER toserver: 254 proto groups, 3
> unique SGH's, 251 copies
> 15/1/2018 -- 18:44:56 - <Perf> - OTHER toclient: 254 proto groups, 0
> unique SGH's, 254 copies
> 15/1/2018 -- 18:44:57 - <Perf> - Unique rule groups: 103
> 15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toserver TCP packet": 21
> 15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toclient TCP packet": 20
> 15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toserver TCP stream": 20
> 15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toclient TCP stream": 21
> 15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toserver UDP packet": 32
> 15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "toclient UDP packet": 14
> 15/1/2018 -- 18:44:57 - <Perf> - Builtin MPM "other IP packet": 2
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_uri": 6
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
> http_request_line": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
> http_client_body": 5
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
> http_response_line": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_header": 6
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient http_header": 3
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
> http_header_names": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_accept": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_referer": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
> http_content_len": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
> http_content_type": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
> http_content_type": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_start": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
> http_raw_header": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
> http_raw_header": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_method": 3
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_cookie": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient http_cookie": 2
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver
> http_user_agent": 4
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver http_host": 2
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver dns_query": 4
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver tls_sni": 2
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
> tls_cert_issuer": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
> tls_cert_subject": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient
> tls_cert_serial": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toserver file_data": 1
> 15/1/2018 -- 18:44:57 - <Perf> - AppLayer MPM "toclient file_data": 5
> 15/1/2018 -- 18:44:57 - <Info> - fast output device (regular)
> initialized: fast.log
> 15/1/2018 -- 18:44:57 - <Info> - eve-log output device (regular)
> initialized: eve.json
> 15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'alert'
> 15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'http'
> 15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'dns'
> 15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'tls'
> 15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'files'
> 15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'smtp'
> 15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'ssh'
> 15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'stats'
> 15/1/2018 -- 18:44:57 - <Config> - enabling 'eve-log' module 'flow'
> 15/1/2018 -- 18:44:57 - <Info> - stats output device (regular)
> initialized: stats.log
> 15/1/2018 -- 18:44:57 - <Info> - Found 1 RX RSS queues for 'ens15f0'
> 15/1/2018 -- 18:44:57 - <Info> - Found 1 RX RSS queues for 'ens15f1'
> 15/1/2018 -- 18:44:57 - <Perf> - Using 1 threads for interface ens15f0
> 15/1/2018 -- 18:44:57 - <Info> - Going to use 1 thread(s)
> 15/1/2018 -- 18:44:58 - <Perf> - Enabling zero copy mode for
> ens15f0->ens15f1
> 15/1/2018 -- 18:44:58 - <Info> - Found 1 RX RSS queues for 'ens15f1'
> 15/1/2018 -- 18:44:58 - <Info> - Found 1 RX RSS queues for 'ens15f0'
> 15/1/2018 -- 18:44:58 - <Perf> - Using 1 threads for interface ens15f1
> 15/1/2018 -- 18:44:58 - <Info> - Going to use 1 thread(s)
> 15/1/2018 -- 18:44:58 - <Perf> - Enabling zero copy mode for
> ens15f1->ens15f0
> 15/1/2018 -- 18:44:58 - <Config> - using 1 flow manager threads
> 15/1/2018 -- 18:44:58 - <Config> - using 1 flow recycler threads
> 15/1/2018 -- 18:44:58 - <Info> - Running in live mode, activating unix
> socket
> 15/1/2018 -- 18:44:58 - <Info> - Using unix socket file
> '/var/run/suricata/suricata-command.socket'
> 15/1/2018 -- 18:44:58 - <Notice> - all 2 packet processing threads, 4
> management threads initialized, engine started.
>
>
>
> Fatih USTA
> On 15-01-2018 17:07, Fatih USTA wrote:
>>
>> Hi
>>
>> I'm working on suricata with netmap.
>>
>> I built suricata 4.0.3 with netmap on centos 7 (kernel 3.10.xx).
>>
>> I disabled rx/tx and lro/gro
>>
>> ethtool -K ens15f0 lro off gro off
>> ethtool -K ens15f1 lro off gro off
>>
>> ethtool -A ens15f0 rx off tx off
>> ethtool -A ens15f1 rx off tx off
>>
>> Traffic does not forward when I start suricata.
>>
>> From 10.1.8.2 icmp_seq=18 Destination Host Unreachable
>> From 10.1.8.2 icmp_seq=19 Destination Host Unreachable
>>
>> Any idea? Thank you for your help.
>>
>> *my suricata config*
>>
>> netmap:
>>   - interface: default
>>
>>   - interface: ens15f0
>>     copy-iface: ens15f1
>>     copy-mode: ips
>>     disable-promisc: no
>>     checksum-checks: auto
>>     threads: auto
>>
>>   - interface: ens15f1
>>     copy-iface: ens15f0
>>     copy-mode: ips
>>     disable-promisc: no
>>     checksum-checks: auto
>>     threads: auto
>>
>> *Kernel Modules*
>>
>> [root at centos7 ~]# lsmod | grep netmap
>> netmap 154288 2 igb,ixgbe
>>
>> *Build INFO*
>> [root at centos7 ~]# suricata --build-info
>> This is Suricata version 4.0.3 RELEASE
>> Features: NFQ PCAP_SET_BUFF AF_PACKET NETMAP HAVE_PACKET_FANOUT
>> LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS
>> HAVE_LUA HAVE_LIBJANSSON TLS MAGIC
>> SIMD support: none
>> Atomic intrisics: 1 2 4 8 byte(s)
>> 64-bits, Little-endian architecture
>> GCC version 4.8.5 20150623 (Red Hat 4.8.5-16), C version 199901
>> compiled with _FORTIFY_SOURCE=2
>> L1 cache line size (CLS)=64
>> thread local storage method: __thread
>> compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25
>>
>> Suricata Configuration:
>> AF_PACKET support: yes
>> PF_RING support: no
>> NFQueue support: yes
>> NFLOG support: yes
>> IPFW support: no
>> Netmap support: yes
>> DAG enabled: no
>> Napatech enabled: no
>>
>> Unix socket enabled: yes
>> Detection enabled: yes
>>
>> Libmagic support: yes
>> libnss support: yes
>> libnspr support: yes
>> libjansson support: yes
>> hiredis support: yes
>> hiredis async with libevent: yes
>> Prelude support: yes
>> PCRE jit: yes
>> LUA support: yes
>> libluajit: no
>> libgeoip: yes
>> Non-bundled htp: no
>> Old barnyard2 support: no
>> CUDA enabled: no
>> Hyperscan support: no
>> Libnet support: yes
>>
>> Rust support (experimental): no
>> Experimental Rust parsers: no
>> Rust strict mode: no
>>
>> Suricatasc install: yes
>>
>> Profiling enabled: no
>> Profiling locks enabled: no
>>
>> Development settings:
>> Coccinelle / spatch: no
>> Unit tests enabled: no
>> Debug output enabled: no
>> Debug validation enabled: no
>>
>> Generic build parameters:
>> Installation prefix: /usr
>> Configuration directory: /etc/suricata/
>> Log directory: /var/log/suricata/
>>
>> --prefix /usr
>> --sysconfdir /etc
>> --localstatedir /var
>>
>> Host: x86_64-redhat-linux-gnu
>> Compiler: gcc -std=gnu99 (exec name)
>> / gcc (real)
>> GCC Protect enabled: yes
>> GCC march native enabled: no
>> GCC Profile enabled: no
>> Position Independent Executable enabled: yes
>> CFLAGS -O2 -g -pipe -Wall
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
>> --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
>> PCAP_CFLAGS
>> SECCFLAGS -fstack-protector
>> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
>>
>> --
>> Fatih USTA
>
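The thread above pairs two interfaces in netmap IPS mode (each interface's `copy-iface` pointing at the other) and turns off LRO/GRO with ethtool before starting the engine. As an added example, not code from the thread or from the Suricata project, the following preflight script parses a `netmap:` section in the simple list layout shown in the thread and a constructed sample of `ethtool -k` output, then reports anything that would keep an inline bridge from passing frames unchanged: a `copy-iface` that is not mirrored back, a block whose `copy-mode` is not `ips`, promiscuous mode disabled, or a receive/segmentation offload still enabled. The config text and the ethtool output are constructed samples, and the parser deliberately rejects a mistyped list key such as `inteface`, so it also catches the typo in the posted config.

```python
"""Preflight checks for a Suricata netmap IPS pairing (constructed example).

Assumptions: the netmap: section uses the flat list layout from the thread
(`- interface: NAME` followed by `key: value` lines), and the ethtool text is
sample output written here, not captured from a real box.
"""
import re

# Constructed sample: the two-interface pairing from the thread, re-indented.
SAMPLE_NETMAP_YAML = """\
netmap:
  - interface: default

  - interface: ens15f0
    copy-iface: ens15f1
    copy-mode: ips
    disable-promisc: no
    checksum-checks: auto
    threads: auto

  - interface: ens15f1
    copy-iface: ens15f0
    copy-mode: ips
    disable-promisc: no
    checksum-checks: auto
    threads: auto
"""

# Constructed, abridged sample of `ethtool -k ens15f0`; GRO and TSO are still on.
SAMPLE_ETHTOOL_K = """\
Features for ens15f0:
rx-checksumming: on
tx-checksumming: on
generic-receive-offload: on
large-receive-offload: off [fixed]
tcp-segmentation-offload: on
"""

# Offloads that coalesce or split frames; an inline bridge must forward the
# frames it received, so these stay off on both sides of the pair.
MUST_BE_OFF = ("generic-receive-offload", "large-receive-offload",
               "tcp-segmentation-offload", "generic-segmentation-offload")


def parse_netmap_section(text):
    """Parse the 'netmap:' list into {interface: {key: value}}.

    Raises ValueError when a list item does not start with 'interface',
    which is exactly what a typo like 'inteface' looks like.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):  # blank line or the 'netmap:' header
            continue
        if line.startswith("- "):
            key, _, value = line[2:].partition(":")
            if key.strip() != "interface":
                raise ValueError("list item must start with 'interface': %r" % raw)
            current = value.strip()
            entries[current] = {}
            continue
        if current is None:
            raise ValueError("key outside an interface block: %r" % raw)
        key, _, value = line.partition(":")
        entries[current][key.strip()] = value.strip()
    return entries


def check_ips_pairing(entries):
    """Return a list of problems with the copy-iface / copy-mode pairing."""
    problems = []
    for name, cfg in entries.items():
        if name == "default":
            continue
        if cfg.get("copy-mode") != "ips":
            problems.append("%s: copy-mode is not 'ips'" % name)
        if cfg.get("disable-promisc", "no") != "no":
            # A bridge sees frames addressed to other hosts' MACs; without
            # promiscuous mode the NIC filters them before netmap sees them.
            problems.append("%s: promiscuous mode is disabled" % name)
        peer = cfg.get("copy-iface")
        if peer is None:
            problems.append("%s: no copy-iface" % name)
        elif peer not in entries:
            problems.append("%s: copy-iface %s has no block of its own" % (name, peer))
        elif entries[peer].get("copy-iface") != name:
            problems.append("%s -> %s is not mirrored back" % (name, peer))
    return problems


def parse_ethtool_k(text):
    """Parse `ethtool -k` output into {feature: 'on'|'off'}, ignoring '[fixed]'."""
    features = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z0-9-]+):\s+(on|off)", line.strip())
        if m:
            features[m.group(1)] = m.group(2)
    return features


def offloads_still_on(features):
    """Return the offloads from MUST_BE_OFF that are still enabled, sorted."""
    return sorted(f for f in MUST_BE_OFF if features.get(f) == "on")


if __name__ == "__main__":
    cfg = parse_netmap_section(SAMPLE_NETMAP_YAML)
    print("pairing problems:", check_ips_pairing(cfg) or "none")
    print("offloads still on:", offloads_still_on(parse_ethtool_k(SAMPLE_ETHTOOL_K)))
```

On a real box the ethtool text would come from `ethtool -k <iface>` for each interface in the pair, and the script's offload list is the check to run after `ethtool -K ... lro off gro off` to confirm the setting actually took (some drivers report a feature as `[fixed]` and silently keep it).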