Inline


Thomas Raabo

Nov 15, 2013, 2:23:41 PM
to meta...@googlegroups.com
I am trying to get Snort to work with PF_RING in inline mode.

Is this even possible? I am not bridging the interfaces, just routing.


So I do 

modprobe pf_ring enable_tx_capture=0 transparent_mode=1 min_num_slots=16384 

snort -c /etc/snort/snort.conf -y -i rt1:rt3 --daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=10,11 --daq-mode inline -Q 

And everything seems to start fine. 

pfring DAQ configured to inline. 
rt1 <-> rt3 
Acquiring network traffic from "rt1:rt3". 
Reload thread starting... 
Reload thread started, thread 0x7f8a2bd7b700 (2348) 

I've then made an ICMP drop rule to test the IPS filtering.

I see the rule hitting 
11/08/13-10:44:23.168517 [Drop] [**] [1:10000001:12] ICMP test [**] [Priority: 0] {ICMP} 94.231.111.148 -> 94.231.111.149 

But the ICMP packet is not getting filtered.

If I do 

cat /proc/net/pf_ring/2965-rt1.53 
Bound Device(s) : rt1 
Active : 1 
Breed : Non-DNA 
Sampling Rate : 1 
Capture Direction : RX only 
Socket Mode : RX+TX 
Appl. Name : snort-cluster-10-socket-0 
IP Defragment : No 
BPF Filtering : Disabled 
# Sw Filt. Rules : 1 
# Hw Filt. Rules : 0 
Poll Pkt Watermark : 128 
Num Poll Calls : 151 
Channel Id Mask : 0xFFFFFFFF 
Cluster Id : 10 
Slot Version : 15 [5.6.1] 
Min Num Slots : 4872 
Bucket Len : 1514 
Slot Len : 1720 [bucket+header] 
Tot Memory : 8388608 
Tot Packets : 44 
Tot Pkt Lost : 0 
Tot Insert : 44 
Tot Read : 44 
Insert Offset : 14888 
Remove Offset : 14888 
TX: Send Ok : 41 
TX: Send Errors : 0 
Reflect: Fwd Ok : 0 
Reflect: Fwd Errors: 0 
Num Free Slots : 4872 

I can now see a sw filter 

Sw Filt. Rules : 1 

Why is the traffic not getting blocked?

Best regards
Thomas Raabo
Network manager, CCIE #33466
Zitcom A/S
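A small check script for dumps like the /proc/net/pf_ring one above, added here as an example and not code from the thread or from the PF_RING project. It pulls the counters an inline (RX+TX) socket is judged by out of the stats file and reports how many packets were read from the ring but never sent on the TX path; the sample it falls back to is a constructed copy of the counters from the post, where that gap is 44 read minus 41 sent.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a PF_RING socket stats dump
# such as /proc/net/pf_ring/2965-rt1.53 so the counters that matter for an
# inline deployment are visible at a glance.
# Usage: pfring_stats.sh [STATS_FILE]   (no argument: the constructed sample)

# Print the value of one "Label : value" line. Labels such as "TX: Send Ok"
# contain a colon themselves, so match the label as a prefix and strip the
# separator after it instead of splitting the line on its first ':'.
pfring_field() {
    awk -v l="$2" '
        index($0, l) == 1 {
            s = substr($0, length(l) + 1)
            sub(/^[ \t]*:[ \t]*/, "", s)
            sub(/[ \t]+$/, "", s)
            print s
            exit
        }' "$1"
}

# Packets read from the ring that were not sent out on the TX path.
pfring_withheld() {
    nread=$(pfring_field "$1" 'Tot Read')
    nsent=$(pfring_field "$1" 'TX: Send Ok')
    echo $((nread - nsent))
}

# Summary of the fields an inline (RX+TX) socket is judged by.
pfring_summary() {
    f=$1
    printf 'device     : %s (cluster %s, app %s)\n' \
        "$(pfring_field "$f" 'Bound Device(s)')" \
        "$(pfring_field "$f" 'Cluster Id')" \
        "$(pfring_field "$f" 'Appl. Name')"
    printf 'direction  : capture %s, socket %s\n' \
        "$(pfring_field "$f" 'Capture Direction')" \
        "$(pfring_field "$f" 'Socket Mode')"
    printf 'read/sent  : %s/%s, withheld %s\n' \
        "$(pfring_field "$f" 'Tot Read')" \
        "$(pfring_field "$f" 'TX: Send Ok')" \
        "$(pfring_withheld "$f")"
    printf 'lost/txerr : %s/%s\n' \
        "$(pfring_field "$f" 'Tot Pkt Lost')" \
        "$(pfring_field "$f" 'TX: Send Errors')"
    printf 'free slots : %s of %s\n' \
        "$(pfring_field "$f" 'Num Free Slots')" \
        "$(pfring_field "$f" 'Min Num Slots')"
}

# Constructed sample: a subset of the counters posted above, copied verbatim.
pfring_sample() {
    cat <<'EOF'
Bound Device(s) : rt1
Active : 1
Capture Direction : RX only
Socket Mode : RX+TX
Appl. Name : snort-cluster-10-socket-0
# Sw Filt. Rules : 1
Cluster Id : 10
Min Num Slots : 4872
Slot Len : 1720 [bucket+header]
Tot Packets : 44
Tot Pkt Lost : 0
Tot Insert : 44
Tot Read : 44
TX: Send Ok : 41
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Num Free Slots : 4872
EOF
}

if [ -n "${1:-}" ]; then
    pfring_summary "$1"
else
    tmp=$(mktemp)
    pfring_sample > "$tmp"
    pfring_summary "$tmp"
    rm -f "$tmp"
fi
```

Point it at every `/proc/net/pf_ring/<pid>-<dev>.<n>` file a Snort instance has open; a non-zero "lost" or "txerr", or a large "withheld" count, is the first thing to look at before suspecting the rules.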

livio

Nov 15, 2013, 3:14:52 PM
to meta...@googlegroups.com
If you want to do an L3 IPS you need to use NFQ, but then you cannot parallelize. If you want to do high speed with PF_RING you need to do bridging.
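One way to set up the NFQ route livio points to, added here as an example and not code from the thread or from the Snort or ntop projects: iptables hands the box's forwarded traffic to an NFQUEUE and Snort reads that queue with the nfq DAQ instead of sitting between two interfaces. The interface names, snort.conf path and DAQ directory are taken from the question's command line; the queue number and the environment variables are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the thread: run Snort as an L3 IPS with the NFQ
# DAQ on a routing box, the alternative to PF_RING bridging. By default the
# commands are only printed for review; set NFQ_APPLY=1 and run as root to
# execute them. The config and DAQ paths are assumptions taken from the
# snort invocation in the question, not from the reply.

# iptables rules that hand traffic forwarded between two interfaces to an
# NFQUEUE. Only the FORWARD chain is queued, so traffic to and from the box
# itself (SSH, routing protocols) is never held up by Snort.
# FAIL_OPEN=1 adds --queue-bypass: packets pass uninspected while no
# userspace program is attached to the queue (for instance if snort dies).
# The default is fail-closed: without a listener, queued packets are dropped.
nfq_iptables_rules() {
    in_if=$1; out_if=$2; queue=$3; fail_open=${4:-0}
    bypass=
    if [ "$fail_open" = 1 ]; then
        bypass=' --queue-bypass'
    fi
    echo "iptables -I FORWARD -i $in_if -o $out_if -j NFQUEUE --queue-num $queue$bypass"
    echo "iptables -I FORWARD -i $out_if -o $in_if -j NFQUEUE --queue-num $queue$bypass"
}

# Snort reading from that queue; -Q puts it in inline mode so Drop rules
# return a DROP verdict to netfilter instead of only logging.
nfq_snort_cmd() {
    conf=$1; daq_dir=$2; queue=$3
    echo "snort -c $conf --daq-dir $daq_dir --daq nfq --daq-var queue=$queue -Q"
}

# Print a command, or run it when NFQ_APPLY=1 and we are root.
run_or_show() {
    if [ "${NFQ_APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        sh -c "$1"
    else
        echo "$1"
    fi
}

IN_IF=${IN_IF:-rt1}
OUT_IF=${OUT_IF:-rt3}
QUEUE=${QUEUE:-0}                                 # assumed queue number
FAIL_OPEN=${FAIL_OPEN:-0}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}   # path from the question
DAQ_DIR=${DAQ_DIR:-/usr/local/lib/daq}            # path from the question

run_or_show "sysctl -w net.ipv4.ip_forward=1"
nfq_iptables_rules "$IN_IF" "$OUT_IF" "$QUEUE" "$FAIL_OPEN" | while read -r cmd; do
    run_or_show "$cmd"
done
run_or_show "$(nfq_snort_cmd "$SNORT_CONF" "$DAQ_DIR" "$QUEUE")"
```

Two choices here are deliberate: queuing only the FORWARD chain keeps the box's own management traffic out of Snort's path, and the fail-open/fail-closed decision (whether `--queue-bypass` is present) determines what happens to routed traffic whenever Snort is not attached to the queue, which is worth deciding before the first restart rather than after.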