[Oisf-users] [EXT] Re: Oisf-users Digest, Vol 120, Issue 21

Cloherty, Sean E scloherty at mitre.org
Tue Nov 19 16:33:47 UTC 2019


Interesting - so barring an upgrade today, would I be better off using the ixgbe drivers from the OS rather than the latest from Intel?

I did look at the test script “can-i-use-afpacket-fanout” but my sensors have no internet connection so I am not able to run it per instructions and I am not sure how to do it offline.
 
-----Original Message-----
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of erik clark
Sent: Tuesday, November 19, 2019 10:32 AM
To: Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
Subject: [EXT] Re: [Oisf-users] Oisf-users Digest, Vol 120, Issue 21

Subject: [EXT] Re: [Oisf-users] Packet Fanout on CentOS 7?

As mentioned off list: Elrepo kernels are where you almost definitely need to be. The ooooold kernel in RHEL/Cent7 does not support much of what is needed.

Please see below for validation:

https://github.com/JustinAzoff/can-i-use-afpacket-fanout

Use of af_packet on Cent/RHEL7 boxes was discussed extensively on the Zeek (Bro) list 3-4 years ago; issues setting symmetric hashing were even addressed by Red Hat in a later kernel patch (ixgbe driver) to enable it. Something to consider.


On Tue, Nov 19, 2019 at 10:24 AM <oisf-users-request at lists.openinfosecfoundation.org> wrote:
>
> Today's Topics:
>
>    1. Suricata as an IPS (Charles Devoe)
>    2. Re: [EXT] Re: Packet Fanout on CentOS 7? (Cloherty, Sean E)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 19 Nov 2019 14:18:49 +0000
> From: Charles Devoe <Charles.Devoe at cisecurity.org>
> To: "oisf-users at lists.openinfosecfoundation.org"
>         <oisf-users at lists.openinfosecfoundation.org>
> Subject: [Oisf-users] Suricata as an IPS
>
> There is a bit of a debate going on here as to whether Suricata has to be inline to work in IPS mode.
>
> The confusion is coming from this
>
> Reject
> This is an active rejection of the packet. Both receiver and sender receive a reject packet. There are two types of reject packets that will be automatically selected. If the offending packet concerns TCP, it will be a Reset-packet. For all other protocols it will be an ICMP-error packet. Suricata also generates an alert. When in Inline/IPS mode, the offending packet will also be dropped like with the 'drop' action.
>
>
> Some are reading this as we can monitor on one interface and send out the reject over a management interface. In essence we would receive traffic via a tap or SPAN/Mirror port and send it back out over a management port.
>
> So the bottom line here: is it possible to run Suricata as an IPS without being inline?
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 19 Nov 2019 15:23:24 +0000
> From: "Cloherty, Sean E" <scloherty at mitre.org>
> To: Michał Purzyński <michalpurzynski1 at gmail.com>, Peter Manev <petermanev at gmail.com>
> Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
> Subject: Re: [Oisf-users] [EXT] Re: Packet Fanout on CentOS 7?
>
> I’ve run the startup with strace and there was nothing obvious there – output attached.  I’ve attached the suricata.log for a -T startup and a normal one, the start script, and the primary yaml – qm.yaml and the other two which it calls.  Those two were broken out so that the same primary yaml could be shared across hosts with the same hardware.
>
> Sean
>
> From: Michał Purzyński <michalpurzynski1 at gmail.com>
> Sent: Monday, November 18, 2019 8:11 PM
> To: Peter Manev <petermanev at gmail.com>
> Cc: Cloherty, Sean E <scloherty at mitre.org>; 
> oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] [EXT] Re: Packet Fanout on CentOS 7?
>
> Nah, any af_packet app will start even if the underlying hashing mechanism is not configured correctly. You will just have a hidden packet loss ;)
>
> Can you attach your suricata.yaml and the exact command line you start Suricata with? It looks to me like problems with permissions.
>
> As a bonus can you try strace -o out <your suricata command goes here> and look for errors / access / permission messages in the resulting 'out' file?
>
> On Mon, Nov 18, 2019 at 1:44 PM Peter Manev <petermanev at gmail.com> wrote:
> On Mon, Nov 18, 2019 at 2:51 PM Cloherty, Sean E <scloherty at mitre.org> wrote:
> >
> > The NIC is a 10G dual port Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01). The driver is ixgbe 5.6.3. I’ve attached the output in a text file. The script used to start it includes the following from the class –
> >
>
> I've seen similar errors in a couple of situations:
> 1 - when there is another Suricata running on the same interface
> 2 - when using XDP (hw mode) with the wrong/not correct firmware version of the NIC
>
> From what I gather, it seems you don't have any of the situations above (if I am not mistaken). Of note: for the cluster_qm part it is known that i40 can do the symmetric hashing with the specified low entropy key; for ixgbe I am not sure as I've seen both expected and unexpected results, so it is something that needs to be further checked. However there is a bit more to that even if set up correctly - it is traffic dependent in some cases as well - it's been tracked here:
> https://redmine.openinfosecfoundation.org/issues/2725
>
> I don't have that much experience with CentOS but will be curious to see if you have a similar issue with CentOS 8
>
>
> > ##### NIC #####
> >
> > ### ens1f1
> > ifconfig ens1f1 down
> > ifconfig ens1f1 up
> >
> > /usr/sbin/ethtool -L ens1f1 combined 16
> > /usr/sbin/ethtool -K ens1f1 rxhash on
> > /usr/sbin/ethtool -K ens1f1 ntuple on
> > /usr/sbin/ethtool -X ens1f1 hkey 6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A equal 16
> > /usr/sbin/ethtool -A ens1f1 rx off
> > /usr/sbin/ethtool -C ens1f1 adaptive-rx off adaptive-tx off rx-usecs 125
> > /usr/sbin/ethtool -G ens1f1 rx 1024
> >
> > for proto in tcp4 udp4 tcp6 udp6 ; do /usr/local/sbin/ethtool -N ens1f1 rx-flow-hash $proto sdfn ; done
> >
> > ##### START #####
> > LD_PRELOAD="/usr/lib64/libtcmalloc_minimal.so.4" /usr/bin/suricata -c /etc/suricata/qm.yaml --af-packet=ens1f1 -vvv -D
> >
> >
> > From: Peter Manev <petermanev at gmail.com>
> > Sent: Sunday, November 17, 2019 1:59 AM
> > To: Cloherty, Sean E <scloherty at mitre.org>
> > Cc: oisf-users at lists.openinfosecfoundation.org
> > Subject: [EXT] Re: [Oisf-users] Packet Fanout on CentOS 7?
> >
> > On 17 Nov 2019, at 02:46, Cloherty, Sean E <scloherty at mitre.org> wrote:
> >
> > After taking the Advanced Deployment and Architecture class I was fired up with ideas for improvements in my own environment. I want to use the cluster_qm mode and match worker/CPUs/RSS queues in CentOS 7. Has anyone been able to get this working on CentOS 7 or should I start migrating to CentOS 8? The kernel is 3.10.0-1062.4.1.el7.x86_64, running Suricata 5.0.0 and I was able to set the hash key and the hash functions correctly (I think) -
> >
> > RSS hash key:
> > 6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a:6d:5a
> >
> > RSS hash function:
> >     toeplitz: on
> >     xor: off
> >     crc32: off
> >
> >
> > When I start Suricata all the messages look good until it gets to AFP when it gives me the message –
> >
> > 7/11/2019 -- 14:10:43 - <Notice> - all 16 packet processing threads, 4 management threads initialized, engine started.
> > 7/11/2019 -- 14:10:43 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't set fanout mode, error Invalid argument
> > 7/11/2019 -- 14:10:43 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
> > 7/11/2019 -- 14:10:43 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-ens1f1 failed
> >
> >
> > I’ve never tried it on CentOS 7 but would recommend trying 8.
> >
> > What NIC is that? (Think you mentioned Intel but wasn’t sure what driver/model.)
> >
> > Just to be on the safe side - “-T” (test) run passes ok too? (And there are no other Suri running on the same interface?)
> >
> >
> > I did take a look at the test script “can-i-use-afpacket-fanout” but my sensors have no internet connection so I am not able to use it via Go. Is there another way to run this if I download it manually?
> >
> > Thanks,
> >
> > Sean
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
>
>
> --
> Regards,
> Peter Manev
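The hkey in the quoted start script is the low-entropy 0x6D5A pattern, chosen so that RSS hashes both directions of a flow to the same queue and hence the same cluster_qm worker. The Python below is an added example, not code from the thread, Suricata, ethtool or the can-i-use-afpacket-fanout tool: it implements the Toeplitz hash and checks that symmetry property offline for a constructed IPv4 and IPv6 flow, contrasted with a constructed non-periodic key. It verifies only the hash function itself; whether the ixgbe driver actually applies the key as configured is the separate question the thread leaves open.

```python
import ipaddress

# The thread's key: 0x6D5A repeated 20 times, i.e. a 40-byte key with a 16-bit period.
SYMMETRIC_KEY = bytes.fromhex("6d5a" * 20)
# Constructed counter-example: a single set bit and no periodicity at all.
ASYMMETRIC_KEY = bytes([0x80]) + bytes(39)


def toeplitz_hash(key: bytes, data: bytes) -> int:
    """Toeplitz hash as used by RSS: for every set bit i of the input,
    XOR in the 32-bit window of the key that starts at key bit i."""
    data_bits, key_bits = len(data) * 8, len(key) * 8
    if data_bits + 31 > key_bits:
        raise ValueError("RSS key too short for this input")
    key_int = int.from_bytes(key, "big")
    result = 0
    for i in range(data_bits):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def flow_tuple(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Hash input selected by `rx-flow-hash ... sdfn`: source address,
    destination address, source port, destination port, network byte order."""
    return (ipaddress.ip_address(src_ip).packed
            + ipaddress.ip_address(dst_ip).packed
            + sport.to_bytes(2, "big") + dport.to_bytes(2, "big"))


def is_symmetric(key: bytes, src_ip: str, dst_ip: str, sport: int, dport: int) -> bool:
    """True when both directions hash alike, i.e. RSS steers them to the same
    queue and so to the same Suricata worker in cluster_qm mode.

    Swapping the addresses moves every address bit by 32 (IPv4) or 128 (IPv6)
    positions and swapping the ports moves every port bit by 16; with a key of
    16-bit period the key windows at those offsets are identical, so the XOR
    sum is unchanged."""
    fwd = toeplitz_hash(key, flow_tuple(src_ip, dst_ip, sport, dport))
    rev = toeplitz_hash(key, flow_tuple(dst_ip, src_ip, dport, sport))
    return fwd == rev


if __name__ == "__main__":
    for name, key in (("6D5A key", SYMMETRIC_KEY), ("single-bit key", ASYMMETRIC_KEY)):
        for flow in (("10.0.0.1", "192.168.1.2", 12345, 443),
                     ("2001:db8::1", "fd00::2", 40000, 53)):
            verdict = "symmetric" if is_symmetric(key, *flow) else "NOT symmetric"
            print(f"{name}: {flow} -> {verdict}")
```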