Snort mailing list archives

Re: Snort 2.9.5 / PFRing


From: "Welters, Jon (LARC-B703)[LITES]" <jonathan.a.welters () nasa gov>
Date: Mon, 26 Aug 2013 22:14:10 +0000

I went ahead and ran the pfcount userland app on the interface snort is monitoring and it lists all of the packets as 
filtered.

This has got to be connected to my problem; however, I'm not sure where to start troubleshooting. Can someone point me 
in the right direction?

One other data point:
/usr/local/src/PF_RING-5.6.0/userland/examples/pfcount -i eth4


=========================
Absolute Stats: [527277 pkts rcvd][527277 pkts filtered][0 pkts dropped]
Total Pkts=527277/Dropped=0.0 %
527'277 pkts - 620'476'946 bytes [35'145.43 pkt/sec - 330.86 Mbit/sec]
=========================
Actual Stats: 31722 pkts [1'000.19 ms][31'715.78 pps/0.30 Gbps]
=========================

=========================
Absolute Stats: [560410 pkts rcvd][560410 pkts filtered][0 pkts dropped]
Total Pkts=560410/Dropped=0.0 %
560'410 pkts - 661'596'431 bytes [35'019.27 pkt/sec - 330.74 Mbit/sec]
=========================
Actual Stats: 33133 pkts [1'000.18 ms][33'126.90 pps/0.33 Gbps]

Thank You and Sincerely,
Jon

From: Welters, Jon (LARC-B703)[LITES] [mailto:jonathan.a.welters () nasa gov]
Sent: Monday, August 26, 2013 4:44 PM
To: Russ Combs
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.5 / PFRing

All,

I went ahead and redid the below. With the newest release of 2.9.5 and with PF Ring 5.6.0.

I'm starting snort with the following options:
/usr/local/bin/snort -c /etc/snort/snort.conf -A console -y -i eth4 --daq-dir /usr/local/lib/daq/ --daq pfring 
--daq-var clusterid=20 --pid-path=/tmp/snort0 --daq-var bindcpu=0 -l /var/log/snort/logs/0 --create-pidfile 
--pid-path=/var/run/snort/0 --daq-mode passive

In production there's a script that deals with managing the multiple snort and barnyard processes. We've gone through 
many upgrades without issue, this jump just seems to be causing some headaches.

It's odd, because I do get data:
Snort ran for 0 days 0 hours 16 minutes 45 seconds
Aug 26 15:12:10 IDS1 snort[20442]:    Pkts/min:            0
Aug 26 15:12:10 IDS1 snort[20442]:    Pkts/sec:            0
Aug 26 15:12:10 IDS1 snort[20442]: ===============================================================================
Aug 26 15:12:10 IDS1 snort[20442]: Packet I/O Totals:
Aug 26 15:12:10 IDS1 snort[20442]:    Received:            0
Aug 26 15:12:10 IDS1 snort[20442]:    Analyzed:            0 (  0.000%)
Aug 26 15:12:10 IDS1 snort[20442]:     Dropped:     18140239 (100.000%)
Aug 26 15:12:10 IDS1 snort[20442]:    Filtered:            0 (  0.000%)
Aug 26 15:12:10 IDS1 snort[20442]: Outstanding:            0 (  0.000%)
Aug 26 15:12:10 IDS1 snort[20442]:    Injected:            0
Aug 26 15:12:10 IDS1 snort[20442]: ===============================================================================
Aug 26 15:12:10 IDS1 snort[20442]: Breakdown by protocol (includes rebuilt packets):

PFRing is obviously doing something; Snort just isn't "accepting" the data. This is not behavior I've seen before. 
When I start Snort with the script I've always used I do see multiple processes running, consuming resources and creating 
unified2 files. No data ever goes into the files though, given that snort seems to be dropping 100% of the packets.

It's like Snort is seeing the data but refusing to accept it.

Any ideas?


Thank You and Sincerely,
Jon Welters

From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Monday, August 05, 2013 10:30 AM
To: Welters, Jon (LARC-B703)[LITES]
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.5 / PFRing


On Thu, Jul 25, 2013 at 8:50 PM, Welters, Jon (LARC-B703)[LITES] <jonathan.a.welters () nasa gov> wrote:
All,

I've been running snort with pfring for some time now successfully and haven't had many problems. Yesterday I compiled 
Snort 2.9.5 on our test box using the same flag I always have, -prefix=/usr/local/snort-2.9.5, then I started snort as 
usual and it sees packets flowing through and drops 100%.

Since we retain the old installations and just repoint a symlink I went ahead and pointed back to the old release, 
which worked fine. I then went ahead and compiled the newest PFRing, tested with 2.9.5 to find that it still wasn't 
working. Switched back to 2.9.4 with the same configuration and it worked. The only thing that changed was the compiled 
snort; pfring remained the same.

I double checked the config log and in 2.9.4 I did not add any flags other than the prefix.

Has anyone else experienced this sort of issue?

Which PF_RING DAQ version do you have?  There was an incompatibility with 2.9.5 Snort fixed with the 5.6.0 PF_RING 
available here:  http://sourceforge.net/projects/ntop/files/PF_RING/.


- Jon
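A small sensor health check, added here as an example and not code from the thread, from Snort or from PF_RING: it parses the "Packet I/O Totals" block Jon posted (a constructed sample with the same layout) and separates the "Received 0 / Dropped 100%" signature, where packets reach the DAQ layer but Snort never accepts them, from ordinary overload drops. The 5% overload threshold and the dropped/(received+dropped) ratio are assumptions of this check, not Snort's own definitions.

```python
import re

# Constructed sample modelled on the syslog block quoted in the thread
# (same layout, not a real capture).
SAMPLE_LOG = """\
Aug 26 15:12:10 IDS1 snort[20442]: Packet I/O Totals:
Aug 26 15:12:10 IDS1 snort[20442]:    Received:            0
Aug 26 15:12:10 IDS1 snort[20442]:    Analyzed:            0 (  0.000%)
Aug 26 15:12:10 IDS1 snort[20442]:     Dropped:     18140239 (100.000%)
Aug 26 15:12:10 IDS1 snort[20442]:    Filtered:            0 (  0.000%)
Aug 26 15:12:10 IDS1 snort[20442]: Outstanding:            0 (  0.000%)
Aug 26 15:12:10 IDS1 snort[20442]:    Injected:            0
"""

# One counter line: "snort[<pid>]: <Name>: <count> [(pct%)]"
COUNTER_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]:\s+"
    r"(?P<name>Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+"
    r"(?P<value>\d+)"
)


def parse_io_totals(text):
    """Return {pid: {counter_name: int}} for every counter line found."""
    totals = {}
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            per_pid = totals.setdefault(int(m.group("pid")), {})
            per_pid[m.group("name")] = int(m.group("value"))
    return totals


def classify(counters):
    """Map one process's counters to (verdict, drop_pct).

    daq-mismatch: nothing received yet packets dropped (the thread's symptom)
    overloaded  : receiving, but drop share at or above the assumed threshold
    idle        : no packets at all
    healthy     : receiving with negligible loss
    """
    received = counters.get("Received", 0)
    dropped = counters.get("Dropped", 0)
    seen = received + dropped
    if seen == 0:
        return "idle", 0.0
    drop_pct = 100.0 * dropped / seen
    if received == 0:
        return "daq-mismatch", drop_pct
    if drop_pct >= 5.0:          # assumed operational threshold
        return "overloaded", drop_pct
    return "healthy", drop_pct


def check_log(text):
    """Verdict per Snort pid found in a syslog excerpt."""
    return {pid: classify(c) for pid, c in parse_io_totals(text).items()}
```

Run it against the sample and every pid whose verdict is "daq-mismatch" is one where upgrading the PF_RING DAQ (as Russ suggests) is the first thing to verify, before tuning for load.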


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
