[Oisf-users] Suricata + Netmap IPS - kernel drop packets

vincent.ma at gmx.fr vincent.ma at gmx.fr
Wed May 9 12:04:01 UTC 2018


Hello, 

Sorry for my late response

I tried with FreeBSD 11; I no longer get "kernel drop packets". However, the packets are not forwarded. All checksum offloading is OFF.
(To test the connectivity between suricata and the server I created a bridge: "ifconfig bridge0 addm ixl0 addm ixl1 up" it works)

Switch <--> (ixl0) suricata (ixl1) <--> (eth0) Server

suricata.yaml :

 - interface: default
   threads: auto
   copy-mode: ips
   disable-promisc: no

 - interface: ixl0
   copy-iface: ixl1

 - interface: ixl1
   copy-iface: ixl0

root at suricata:~ # suricata --netmap -vvv
9/5/2018 -- 12:32:18 - <Notice> - This is Suricata version 4.0.4 RELEASE
9/5/2018 -- 12:32:18 - <Info> - CPUs/cores online: 32
9/5/2018 -- 12:32:18 - <Config> - Adding interface ixl0 from config file
9/5/2018 -- 12:32:18 - <Config> - Adding interface ixl1 from config file
9/5/2018 -- 12:32:18 - <Info> - Netmap: Setting IPS mode
9/5/2018 -- 12:32:18 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32341 and 'request-body-inspect-window' set to 4029 after randomization.
9/5/2018 -- 12:32:18 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 39344 and 'response-body-inspect-window' set to 17070 after randomization.
9/5/2018 -- 12:32:18 - <Config> - DNS request flood protection level: 500
9/5/2018 -- 12:32:18 - <Config> - DNS per flow memcap (state-memcap): 524288
9/5/2018 -- 12:32:18 - <Config> - DNS global memcap: 16777216
9/5/2018 -- 12:32:18 - <Config> - Protocol detection and parser disabled for modbus protocol.
9/5/2018 -- 12:32:18 - <Config> - Protocol detection and parser disabled for enip protocol.
9/5/2018 -- 12:32:18 - <Config> - Protocol detection and parser disabled for DNP3.
9/5/2018 -- 12:32:18 - <Info> - Found an MTU of 1500 for 'ixl0'
9/5/2018 -- 12:32:18 - <Info> - Found an MTU of 1500 for 'ixl0'
9/5/2018 -- 12:32:18 - <Info> - Found an MTU of 1500 for 'ixl1'
9/5/2018 -- 12:32:18 - <Info> - Found an MTU of 1500 for 'ixl1'
9/5/2018 -- 12:32:18 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
9/5/2018 -- 12:32:18 - <Config> - preallocated 1000 hosts of size 104
9/5/2018 -- 12:32:18 - <Config> - host memory usage: 366144 bytes, maximum: 33554432
9/5/2018 -- 12:32:18 - <Config> - Core dump size is unlimited.
9/5/2018 -- 12:32:18 - <Config> - allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
9/5/2018 -- 12:32:19 - <Config> - preallocated 65535 defrag trackers of size 136
9/5/2018 -- 12:32:19 - <Config> - defrag memory usage: 10485624 bytes, maximum: 33554432
9/5/2018 -- 12:32:19 - <Config> - stream "prealloc-sessions": 2048 (per thread)
9/5/2018 -- 12:32:19 - <Config> - stream "memcap": 67108864
9/5/2018 -- 12:32:19 - <Config> - stream "midstream" session pickups: disabled
9/5/2018 -- 12:32:19 - <Config> - stream "async-oneside": disabled
9/5/2018 -- 12:32:19 - <Config> - stream "checksum-validation": enabled
9/5/2018 -- 12:32:19 - <Config> - stream."inline": enabled
9/5/2018 -- 12:32:19 - <Config> - stream "bypass": disabled
9/5/2018 -- 12:32:19 - <Config> - stream "max-synack-queued": 5
9/5/2018 -- 12:32:19 - <Config> - stream.reassembly "memcap": 268435456
9/5/2018 -- 12:32:19 - <Config> - stream.reassembly "depth": 1048576
9/5/2018 -- 12:32:19 - <Config> - stream.reassembly "toserver-chunk-size": 2649
9/5/2018 -- 12:32:19 - <Config> - stream.reassembly "toclient-chunk-size": 2446
9/5/2018 -- 12:32:19 - <Config> - stream.reassembly.raw: enabled
9/5/2018 -- 12:32:19 - <Config> - stream.reassembly "segment-prealloc": 2048
9/5/2018 -- 12:32:19 - <Config> - Delayed detect disabled
9/5/2018 -- 12:32:19 - <Config> - pattern matchers: MPM: ac, SPM: bm
9/5/2018 -- 12:32:19 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
9/5/2018 -- 12:32:19 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
9/5/2018 -- 12:32:19 - <Config> - prefilter engines: MPM
9/5/2018 -- 12:32:19 - <Config> - IP reputation disabled
9/5/2018 -- 12:32:19 - <Config> - Loading rule file: /usr/local/etc/suricata/rules/http-events.rules
9/5/2018 -- 12:32:19 - <Info> - 1 rule files processed. 32 rules successfully loaded, 0 rules failed
9/5/2018 -- 12:32:19 - <Info> - Threshold config parsed: 0 rule(s) found
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for tcp-packet
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for tcp-stream
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for udp-packet
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for other-ip
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_uri
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_request_line
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_client_body
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_response_line
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_header
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_header
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_header_names
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_header_names
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_accept
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_accept_enc
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_accept_lang
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_referer
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_connection
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_content_len
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_content_len
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_content_type
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_content_type
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_protocol
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_protocol
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_start
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_start
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_raw_header
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_raw_header
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_method
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_cookie
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_cookie
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_raw_uri
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_user_agent
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_host
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_raw_host
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_stat_msg
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for http_stat_code
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for dns_query
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for tls_sni
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for tls_cert_issuer
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for tls_cert_subject
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for tls_cert_serial
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for dce_stub_data
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for dce_stub_data
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for ssh_protocol
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for ssh_protocol
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for ssh_software
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for ssh_software
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for file_data
9/5/2018 -- 12:32:19 - <Perf> - using shared mpm ctx' for file_data
9/5/2018 -- 12:32:19 - <Info> - 32 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 31 inspect application layer, 0 are decoder event only
9/5/2018 -- 12:32:19 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
9/5/2018 -- 12:32:19 - <Perf> - TCP toserver: 1 port groups, 1 unique SGH's, 0 copies
9/5/2018 -- 12:32:19 - <Perf> - TCP toclient: 1 port groups, 1 unique SGH's, 0 copies
9/5/2018 -- 12:32:19 - <Perf> - UDP toserver: 0 port groups, 0 unique SGH's, 0 copies
9/5/2018 -- 12:32:19 - <Perf> - UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
9/5/2018 -- 12:32:19 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
9/5/2018 -- 12:32:19 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
9/5/2018 -- 12:32:19 - <Perf> - Unique rule groups: 2
9/5/2018 -- 12:32:19 - <Perf> - Builtin MPM "toserver TCP packet": 0
9/5/2018 -- 12:32:19 - <Perf> - Builtin MPM "toclient TCP packet": 0
9/5/2018 -- 12:32:19 - <Perf> - Builtin MPM "toserver TCP stream": 0
9/5/2018 -- 12:32:19 - <Perf> - Builtin MPM "toclient TCP stream": 0
9/5/2018 -- 12:32:19 - <Perf> - Builtin MPM "toserver UDP packet": 0
9/5/2018 -- 12:32:19 - <Perf> - Builtin MPM "toclient UDP packet": 0
9/5/2018 -- 12:32:19 - <Perf> - Builtin MPM "other IP packet": 0
9/5/2018 -- 12:32:19 - <Info> - fast output device (regular) initialized: fast.log
9/5/2018 -- 12:32:19 - <Info> - stats output device (regular) initialized: stats.log
9/5/2018 -- 12:32:19 - <Perf> - Using 8 threads for interface ixl0
9/5/2018 -- 12:32:19 - <Info> - Going to use 8 thread(s)
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl0->ixl1
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl0->ixl1
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl0->ixl1
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl0->ixl1
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl0->ixl1
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl0->ixl1
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl0->ixl1
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl0->ixl1
9/5/2018 -- 12:32:19 - <Perf> - Using 8 threads for interface ixl1
9/5/2018 -- 12:32:19 - <Info> - Going to use 8 thread(s)
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl1->ixl0
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl1->ixl0
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl1->ixl0
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl1->ixl0
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl1->ixl0
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl1->ixl0
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl1->ixl0
9/5/2018 -- 12:32:19 - <Perf> - Enabling zero copy mode for ixl1->ixl0
9/5/2018 -- 12:32:19 - <Config> - using 1 flow manager threads
9/5/2018 -- 12:32:19 - <Config> - using 1 flow recycler threads
9/5/2018 -- 12:32:19 - <Notice> - all 16 packet processing threads, 4 management threads initialized, engine started.
^C9/5/2018 -- 12:32:49 - <Notice> - Signal Received.  Stopping engine.
9/5/2018 -- 12:32:49 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
9/5/2018 -- 12:32:49 - <Info> - time elapsed 30.592s
9/5/2018 -- 12:32:49 - <Perf> - 6 flows processed
9/5/2018 -- 12:32:49 - <Perf> - (W#01-ixl0) Kernel: Packets 8, dropped 0, bytes 480
9/5/2018 -- 12:32:49 - <Perf> - (W#02-ixl0) Kernel: Packets 0, dropped 0, bytes 0
9/5/2018 -- 12:32:49 - <Perf> - (W#03-ixl0) Kernel: Packets 0, dropped 0, bytes 0
9/5/2018 -- 12:32:49 - <Perf> - (W#04-ixl0) Kernel: Packets 0, dropped 0, bytes 0
9/5/2018 -- 12:32:49 - <Perf> - (W#05-ixl0) Kernel: Packets 0, dropped 0, bytes 0
9/5/2018 -- 12:32:49 - <Perf> - (W#06-ixl0) Kernel: Packets 0, dropped 0, bytes 0
9/5/2018 -- 12:32:49 - <Perf> - (W#07-ixl0) Kernel: Packets 0, dropped 0, bytes 0
9/5/2018 -- 12:32:49 - <Perf> - (W#08-ixl0) Kernel: Packets 0, dropped 0, bytes 0
9/5/2018 -- 12:32:49 - <Perf> - (W#01-ixl1) Kernel: Packets 1, dropped 0, bytes 60
9/5/2018 -- 12:32:49 - <Perf> - (W#02-ixl1) Kernel: Packets 1, dropped 0, bytes 90
9/5/2018 -- 12:32:49 - <Perf> - (W#03-ixl1) Kernel: Packets 6, dropped 0, bytes 588
9/5/2018 -- 12:32:49 - <Perf> - (W#04-ixl1) Kernel: Packets 0, dropped 0, bytes 0
9/5/2018 -- 12:32:49 - <Perf> - (W#05-ixl1) Kernel: Packets 8, dropped 0, bytes 648
9/5/2018 -- 12:32:49 - <Perf> - (W#06-ixl1) Kernel: Packets 0, dropped 0, bytes 0
9/5/2018 -- 12:32:49 - <Perf> - (W#07-ixl1) Kernel: Packets 0, dropped 0, bytes 0
9/5/2018 -- 12:32:50 - <Perf> - (W#08-ixl1) Kernel: Packets 5, dropped 0, bytes 462
9/5/2018 -- 12:32:50 - <Info> - Alerts: 6
9/5/2018 -- 12:32:50 - <Perf> - ippair memory usage: 366144 bytes, maximum: 16777216
9/5/2018 -- 12:32:50 - <Perf> - host memory usage: 366144 bytes, maximum: 33554432
9/5/2018 -- 12:32:50 - <Info> - cleaning up signature grouping structure... complete
9/5/2018 -- 12:32:50 - <Notice> - Stats for 'ixl0':  pkts: 8, drop: 0 (0.00%), invalid chksum: 0
9/5/2018 -- 12:32:50 - <Notice> - Stats for 'ixl1':  pkts: 21, drop: 0 (0.00%), invalid chksum: 0

-----

root at suricata:~ # tail -f /usr/local/var/log/suricata/fast.log

Ping to Server
05/09/2018-12:28:37.586028  [**] [1:0:0] ICMP Packet found [**] [Classification: (null)] [Priority: 3] {ICMP} 88.X.X.X:8 -> 195.X.X.X:0
05/09/2018-12:28:37.586028  [**] [1:0:0] ICMP Packet found [**] [Classification: (null)] [Priority: 3] {ICMP} 88.X.X.X:8 -> 195.X.X.X:0
05/09/2018-12:28:37.586028  [**] [1:0:0] ICMP Packet found [**] [Classification: (null)] [Priority: 3] {ICMP} 88.X.X.X:8 -> 195.X.X.X:0

Ping from Server
05/09/2018-12:32:43.204003  [**] [1:0:0] ICMP Packet found [**] [Classification: (null)] [Priority: 3] {ICMP} 195.X.X.X:0 -> 9.9.9.9:0
05/09/2018-12:32:44.224470  [**] [1:0:0] ICMP Packet found [**] [Classification: (null)] [Priority: 3] {ICMP} 195.X.X.X:0 -> 9.9.9.9:0
05/09/2018-12:32:45.248411  [**] [1:0:0] ICMP Packet found [**] [Classification: (null)] [Priority: 3] {ICMP} 195.X.X.X:0 -> 9.9.9.9:0

Thanks for your help
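As an added diagnostic (not part of the original post, nor Suricata's own code): a small parser that sums the per-worker `Kernel:` lines Suricata prints at shutdown by interface and cross-checks them against the `Stats for` summary lines, so the kernel drop rate per interface can be read off a log like the one above. The sample lines are a subset copied from the output above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the shutdown lines quoted in the post above.
SAMPLE_LOG = """\
9/5/2018 -- 12:32:49 - <Perf> - (W#01-ixl0) Kernel: Packets 8, dropped 0, bytes 480
9/5/2018 -- 12:32:49 - <Perf> - (W#02-ixl0) Kernel: Packets 0, dropped 0, bytes 0
9/5/2018 -- 12:32:49 - <Perf> - (W#01-ixl1) Kernel: Packets 1, dropped 0, bytes 60
9/5/2018 -- 12:32:49 - <Perf> - (W#02-ixl1) Kernel: Packets 1, dropped 0, bytes 90
9/5/2018 -- 12:32:49 - <Perf> - (W#03-ixl1) Kernel: Packets 6, dropped 0, bytes 588
9/5/2018 -- 12:32:49 - <Perf> - (W#05-ixl1) Kernel: Packets 8, dropped 0, bytes 648
9/5/2018 -- 12:32:50 - <Perf> - (W#08-ixl1) Kernel: Packets 5, dropped 0, bytes 462
9/5/2018 -- 12:32:50 - <Notice> - Stats for 'ixl0':  pkts: 8, drop: 0 (0.00%), invalid chksum: 0
9/5/2018 -- 12:32:50 - <Notice> - Stats for 'ixl1':  pkts: 21, drop: 0 (0.00%), invalid chksum: 0
"""

# Per-worker netmap stats line: "(W#01-ixl0) Kernel: Packets 8, dropped 0, bytes 480"
WORKER_RE = re.compile(
    r"\(W#(?P<worker>\d+)-(?P<iface>\S+)\) Kernel: Packets (?P<pkts>\d+), "
    r"dropped (?P<drop>\d+), bytes (?P<bytes>\d+)"
)
# Per-interface summary line: "Stats for 'ixl0':  pkts: 8, drop: 0 (0.00%), ..."
SUMMARY_RE = re.compile(
    r"Stats for '(?P<iface>[^']+)':\s+pkts: (?P<pkts>\d+), drop: (?P<drop>\d+)"
)


def parse_netmap_stats(log_text):
    """Aggregate worker lines per interface and attach the summary line, if any."""
    per_iface = defaultdict(lambda: {"pkts": 0, "drop": 0, "bytes": 0, "workers": 0,
                                     "summary_pkts": None, "summary_drop": None})
    for line in log_text.splitlines():
        m = WORKER_RE.search(line)
        if m:
            st = per_iface[m["iface"]]
            st["pkts"] += int(m["pkts"])
            st["drop"] += int(m["drop"])
            st["bytes"] += int(m["bytes"])
            st["workers"] += 1  # workers that reported for this interface
            continue
        m = SUMMARY_RE.search(line)
        if m:
            st = per_iface[m["iface"]]
            st["summary_pkts"] = int(m["pkts"])
            st["summary_drop"] = int(m["drop"])
    return dict(per_iface)


def drop_rate(stats, iface):
    """Kernel drop percentage for one interface (0.0 when nothing was seen)."""
    st = stats[iface]
    return 0.0 if st["pkts"] == 0 else 100.0 * st["drop"] / st["pkts"]


def summary_consistent(stats, iface):
    """True when the per-worker sums match the 'Stats for' line Suricata printed."""
    st = stats[iface]
    return st["summary_pkts"] == st["pkts"] and st["summary_drop"] == st["drop"]
```

Running it over the full log above gives ixl0 = 8 packets and ixl1 = 21 packets with 0 drops on both, matching the two `Stats for` lines.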

