rjam...@spotx.tv
Feb 7, 2019, 2:37:19 PM
to security-onion
I searched on here to see if this was posted yet and did not find it, so I thought I'd add this nugget in the event someone else has the same problem.
I loaded SO on a laptop with a bunch of USB NICs, because there was no onboard NIC. Everything worked well except for Suricata and Snort, both of which showed the service had failed with a stale PID when I ran so-status. Looking into the logs for each, pf_ring was failing to load. Folks in this forum recommended swapping out the USB NIC for a hardwired one, but that wasn't an option for me, given the hardware.
Turns out that the issue is with how pf_ring deals with the interface names. The default behavior in 16.04 is for Ubuntu to append your MAC to the USB ethernet device so it becomes rather long. This makes it too long to parse thanks to struct sockaddr.sa_data[14] which is used by bind(). The recommendation in the thread I found was to shorten the interface name.
Thus, I updated /etc/udev/rules.d/70-persistent-net.rules to force the names to eth101 and eth102, rebooted, executed setup with the new names and voila! Snort and Suricata are both happy, because pf_ring is happy.
Hope this helps.
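As an added illustration of the fix described above (not code from the original post or from Security Onion), this shell snippet shows why the default USB NIC name overflows the 14-byte sockaddr.sa_data buffer that pf_ring's bind() call uses, and emits the kind of 70-persistent-net.rules line that pins the NIC to a short name. It assumes Ubuntu's "enx" + MAC naming for USB adapters; the MAC address is constructed.

```sh
#!/bin/sh
# Added example, not part of the original post. Checks interface-name length
# against struct sockaddr.sa_data[14] and generates a udev rename rule.

SA_DATA_LEN=14   # sizeof(struct sockaddr.sa_data) on Linux

# usb_default_name MAC -> the name systemd gives a USB NIC with no better
# stable identifier: "enx" followed by the MAC without colons (assumption).
usb_default_name() {
    printf 'enx%s\n' "$(printf '%s' "$1" | tr -d ':')"
}

# name_fits NAME -> exit 0 only if NAME plus its NUL terminator fits in sa_data.
name_fits() {
    [ "${#1}" -lt "$SA_DATA_LEN" ]
}

# udev_rule MAC NAME -> a persistent-net rule that renames the NIC with that
# MAC to NAME on boot. Drop it in /etc/udev/rules.d/70-persistent-net.rules
# (rule form is an assumption; adjust to your distribution's template).
udev_rule() {
    printf 'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="%s", NAME="%s"\n' "$1" "$2"
}

# Constructed sample MAC; not a real device from the post.
mac=00:11:22:33:44:55
default=$(usb_default_name "$mac")
if name_fits "$default"; then
    echo "$default fits in sa_data[$SA_DATA_LEN]"
else
    echo "$default (${#default} chars) overflows sa_data[$SA_DATA_LEN]; rename it:"
    udev_rule "$mac" eth101
fi
```

Run it once to see the generated rule, then reboot and re-run Security Onion setup with the short names, as the post describes.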