Snort mailing list archives

Re: PF_RING and DNA with Snort


From: Scott Finlon <scott.finlon () scranton edu>
Date: Fri, 16 Aug 2013 18:05:27 +0000

If you are actually using DNA, you need to specify that in your interface
list.
Instead of eth0:eth1, it would be dna0:dna1.
When you install the DNA drivers, it modifies the interface names.

Scott Finlon, CISSP, GCIA
-----------------------------------
Information Security Engineer
The University of Scranton
email : scott.finlon () scranton edu
phone : 570-941-6168
-----------------------------------
On 8/16/13 1:35 PM, "Avery Rozar" <Avery.Rozar () i-techsupport com> wrote:

I finally got snort running with pf_ring daq.

/usr/sbin/snort -Q -D -i eth0:eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort


But it's not passing any traffic. If I use afpacket, it works as expected.

I'm running snort as a daemon, but I get the same when I run it from the
command line. I installed the driver from the following directory.

/PF_RING-5.6.0/drivers/PF_RING_aware/intel/igb/igb-4.1.2/src/

Here is my daq config from snort.conf

config daq: pfring
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: clusterid=10,11,12,13


snort --daq-list=/usr/local/lib/daq/

Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv



This is from /etc/sysconfig/snort

QUEUE=1
INTERFACE=eth0:eth1
CONF=/etc/snort/snort.conf


pf_ring module that was loaded

pf_ring.ko enable_tx_capture=1 min_num_slots=8192 transparent_mode=2


Output from pfcount

./pfcount -i eth0

Using PF_RING v.5.6.0
Capturing from eth0 [00:E0:ED:25:A8:48][ifIndex: 8]
# Device RX channels: 1
# Polling threads:    1
Dumping statistics on /proc/net/pf_ring/stats/6244-eth0.14
=========================
Absolute Stats: [0 pkts rcvd][0 pkts filtered][0 pkts dropped]
Total Pkts=0/Dropped=0.0 %
0 pkts - 0 bytes
=========================

=========================
Absolute Stats: [1 pkts rcvd][1 pkts filtered][0 pkts dropped]
Total Pkts=1/Dropped=0.0 %
1 pkts - 84 bytes [1.00 pkt/sec - 0.00 Mbit/sec]
=========================
Actual Stats: 1 pkts [1'000.09 ms][1.00 pps/0.00 Gbps]
=========================

=========================
Absolute Stats: [2 pkts rcvd][2 pkts filtered][0 pkts dropped]
Total Pkts=2/Dropped=0.0 %
2 pkts - 168 bytes [1.00 pkt/sec - 0.00 Mbit/sec]
=========================
Actual Stats: 1 pkts [1'000.09 ms][1.00 pps/0.00 Gbps]
=========================

=========================
Absolute Stats: [3 pkts rcvd][3 pkts filtered][0 pkts dropped]
Total Pkts=3/Dropped=0.0 %
3 pkts - 252 bytes [1.00 pkt/sec - 0.00 Mbit/sec]
=========================
Actual Stats: 1 pkts [1'000.08 ms][1.00 pps/0.00 Gbps]
=========================

On 8/15/13 1:51 PM, "Avery Rozar" <Avery.Rozar () i-techsupport com> wrote:

Yeah, I did see that this morning as I read the prerequisites. Thanks for
your help, I did get pf_ring working properly. Now I just think I'm having
issues with the Silicom card, I'm not passing traffic..


On 8/15/13 1:41 PM, "Tim Covel" <tcovel () metaflows com> wrote:

I'm pretty sure you still need the normal daq installed, it's listed as
prerequisite for the pfring-daq-module. Also the normal daq install
provides other modules, such as afpacket, which can be really useful in
testing.

-Tim

On 08/15/2013 04:12 AM, Avery Rozar wrote:
Thanks Tim.

Do you know if it's still necessary to install daq 2.0.1, or should I just
use the daq install from "PF_RING/userland/snort/pfring-daq-module/"?

Thanks.

On 8/14/13 4:26 PM, "Tim Covel" <tcovel () metaflows com> wrote:

It looks like in newer versions of PF_RING you have to specify multiple
clusterid values when using inline mode:

pfring-daq-module/README.1st suggests: "--daq-var clusterid=10,11" in the
IPS example.

and also explains the clusterid var as:
"--daq-var clusterid=<comma separated id list>
where an id is a number (i.e. the clusterId), one for each interface."

It also looks like you are not currently using DNA interfaces, you need
to make sure to load the correct driver (PF_RING/drivers/DNA/<driver
version>) and start snort using the DNA interfaces the driver creates if
you want to use DNA.

-Tim

On 08/14/2013 12:18 PM, Avery Rozar wrote:
Is there an up-to-date example of using pfring and DNA with Snort?

I used the metaflows example, and am running into issues when trying to
run snort

Using this I get an error
snort -c /etc/snort/snort.conf -A console -y -i eth0:eth1 --daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=10 --daq-mode inline -Q

pfring DAQ configured to inline.
eth0 <-> eth1
ERROR: Can't initialize DAQ pfring (-1) - pfring_daq_initialize: not enough cluster ids (1)

Fatal Error, Quitting..


And using this I get an error
snort -c /etc/snort/snort.conf -A console -y -i eth0:eth1 --daq-dir /usr/local/lib/daq --daq pfring --daq-mode inline -Q

pfring DAQ configured to inline.
eth0 <-> eth1
ERROR: Can't initialize DAQ pfring (-1) -
Fatal Error, Quitting..


Any help would be great!



------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
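The three things the thread converges on (one clusterid per interface when the pfring DAQ runs inline, dna* interface names only once the DNA driver has actually been loaded, and a pf_ring.ko that has registered its /proc/net/pf_ring tree) can be checked before snort is started instead of being discovered from "not enough cluster ids (1)" or a bridge that passes nothing. The script below is an added example, not code from the thread, from Snort or from PF_RING; its function names, the SYSFS_NET and PROC_PFRING variables, and the command line it prints (assembled from the flags used in the posts above) are the example's own assumptions.

```sh
#!/bin/sh
# Pre-flight checks for a Snort + PF_RING inline (-Q) setup.
# Added example, not part of the original thread or of the PF_RING/Snort
# projects. SYSFS_NET and PROC_PFRING are this example's own knobs so the
# checks can be pointed at a test tree.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"        # kernel network interfaces
PROC_PFRING="${PROC_PFRING:-/proc/net/pf_ring}" # appears once pf_ring.ko is loaded

# count_fields LIST SEP -> number of SEP-separated entries ("" -> 0)
count_fields() {
  printf '%s\n' "$1" | awk -F"$2" '{ print NF }'
}

# check_clusterids IFACES CLUSTERIDS -> ok | too-few | too-many
# Inline mode takes an interface pair such as eth0:eth1 and the pfring DAQ
# wants one cluster id per interface; too few ids is the failure in the thread.
check_clusterids() {
  n_if=$(count_fields "$1" :)
  n_id=$(count_fields "$2" ,)
  if   [ "$n_id" -lt "$n_if" ]; then echo too-few
  elif [ "$n_id" -gt "$n_if" ]; then echo too-many
  else                               echo ok
  fi
}

# all_dna_names IFACES -> 0 if every interface is a dna<N> name, else 1
# The DNA driver renames interfaces; eth* names mean DNA is not in use.
all_dna_names() {
  printf '%s\n' "$1" | tr ':' '\n' | grep -qv '^dna[0-9][0-9]*$' && return 1
  return 0
}

# missing_ifaces IFACES -> prints each interface with no entry under $SYSFS_NET
missing_ifaces() {
  for i in $(printf '%s\n' "$1" | tr ':' ' '); do
    [ -d "$SYSFS_NET/$i" ] || echo "$i"
  done
}

# pfring_loaded -> 0 if the pf_ring module has registered its procfs tree
pfring_loaded() {
  [ -d "$PROC_PFRING" ]
}

# snort_cmd IFACES CLUSTERIDS -> the inline command line these settings give
snort_cmd() {
  printf 'snort -Q -i %s --daq-dir /usr/local/lib/daq --daq pfring --daq-mode inline --daq-var clusterid=%s -c /etc/snort/snort.conf\n' "$1" "$2"
}

# preflight IFACES CLUSTERIDS -> prints findings; returns 1 if a hard check failed
preflight() {
  rc=0
  case "$(check_clusterids "$1" "$2")" in
    too-few)  echo "clusterid list shorter than interface list: add one id per interface"; rc=1 ;;
    too-many) echo "more cluster ids than interfaces (harmless, but check for a typo)" ;;
  esac
  all_dna_names "$1" || echo "interfaces are not dna* names: DNA driver not in use (a PF_RING-aware igb is fine, just not DNA)"
  m=$(missing_ifaces "$1")
  [ -z "$m" ] || { echo "interfaces not present under $SYSFS_NET: $m"; rc=1; }
  pfring_loaded || { echo "$PROC_PFRING missing: pf_ring.ko is not loaded"; rc=1; }
  [ "$rc" -eq 0 ] && snort_cmd "$1" "$2"
  return "$rc"
}

# Usage:  preflight eth0:eth1 10      (reproduces the too-few case)
#         preflight dna0:dna1 10,11   (DNA pair, one id each)
```

Running `preflight eth0:eth1 10` reports the same mismatch that produced "not enough cluster ids (1)" above; with matching counts, present interfaces and a loaded module it prints the command line it would hand to snort. The dna* check is deliberately informational: the PF_RING-aware igb driver the poster installed keeps the eth* names and is a valid non-DNA configuration, which is exactly why the reply at the top says to use dna0:dna1 only if DNA is really what is loaded.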