Hi Alfredo,
    Your previous mail was informative. My query is that I would like to block
some URLs, viz. Facebook, YouTube, etc., within the network. I configured my
server at router level and client machines were connected to this server.
Those machines should not be allowed to access the specified URLs. I would
like to achieve this using pf_ring without any packet loss.

09/28-14:23:45.058089  [Drop] [**] [1:200001:1] Facebook is Blocked [**] [Priority: 1]

I am getting this alert on the server machine, but the client could access
the website.

Previously, I could achieve this using the daq-nfq module.

Thanks,
Evani
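As an added example (not from the thread, nor ntop's or Snort's own code), a small Python script that parses the Snort stats block Evani posted and applies the checks raised in the thread to the posted command line. The stats text and command line are reconstructed from the messages below; the diagnostic rules are my own reading of Alfredo's advice, not Snort's logic.

```python
import re

# Constructed sample: the "Snort Realtime Performance" and "Verdicts"
# blocks as posted in the thread, plus the command line that produced them.
SAMPLE_STATS = """\
Snort Realtime Performance
--------------------------
Pkts Recv:   18707
Pkts Drop:   0
% Dropped:   0.000%
Block Verdict:     1409

Verdicts:
          Allow:               36191 (76.891%)
          Block:               4534 (9.633%)
      Whitelist:               599 (1.273%)
      Blacklist:               5744 (12.204%)
"""
SAMPLE_CMD = ("snort --daq-dir=/usr/local/lib/daq --daq pfring "
              "-c /etc/snort.conf -i ethX:ethY -e -Q")


def parse_counters(text):
    """Map every 'Label:  <integer>' line of a Snort stats dump to its value."""
    pairs = re.findall(r"^\s*([A-Za-z% ]+?):\s+(\d+)", text, re.MULTILINE)
    return {label.strip(): int(value) for label, value in pairs}


def diagnose(counters, cmdline):
    """Heuristic checks (my reading of the thread, not Snort's or ntop's logic)
    for the symptom 'Block verdicts are counted but clients still get through'.
    Returns a list of human-readable findings."""
    findings = []
    args = cmdline.split()
    # Alfredo's point: Pkts Drop is capture-side loss, not enforcement.
    if counters.get("Pkts Drop", 0) == 0:
        findings.append("Pkts Drop is 0: no capture loss (this is not a blocking counter)")
    # Blocks are being decided; whether the DAQ enforces them depends on its mode.
    if counters.get("Block", 0) > 0 and not any(a.startswith("--daq-mode") for a in args):
        findings.append("Block verdicts present but '--daq-mode inline' is not on "
                        "the command line (Alfredo runs pfring with it)")
    if "--treat-drop-as-alert" in args:
        findings.append("--treat-drop-as-alert converts drop rules to alerts; "
                        "nothing will be blocked")
    if "-Q" not in args:
        findings.append("-Q missing: Snort is not in inline (IPS) mode")
    return findings
```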


On Mon, Sep 28, 2015 at 1:03 PM, Alfredo Cardigliano <cardigli...@ntop.org>
wrote:

> Hi Evani
> “Pkts Drop” are packets lost on the capture side due to weak processing
> power, thus the fact that it is 0 is good.
> You should look at “Verdicts:”, the “Block” item. Those are packets
> discarded because they are bad packets.
>
> Alfredo
>
> On 28 Sep 2015, at 09:24, Evani Sitaram <evanira...@gmail.com> wrote:
>
> Hello Alfredo,
>             As per your suggestion, I have executed the snort command with
> daq-pfring. I'm getting the following results, but the packets are not
> being dropped (Pkts Drop:   0).
>
> Command:
>    snort --daq-dir=/usr/local/lib/daq --daq pfring -c /etc/snort.conf -i ethX:ethY -e -Q
>
> Snort Realtime Performance
> --------------------------
> Pkts Recv:   18707
> Pkts Drop:   0
> % Dropped:   0.000%
> Block Verdict:     1409
> Injected:    0
> Pkts Filtered TCP:     0
> Pkts Filtered UDP:     0
>
>
> My snort rule is:
>
>     drop tcp any any -> any any (content:"facebook"; msg:"Facebook is Blocked"; sid:200001; rev:1; react:block;)
>
> I am attaching a screenshot of the log data; kindly review it. Any help
> you can provide will be extremely appreciated.
>
> Action Stats:
>      Alerts:      22 (0.047%)
>      Logged:      22 (0.047%)
>      Passed:      22 (0.047%)
>
> Limits:
>      Match:       0
>      Queue:       0
>      Log:         4
>      Event:       0
>      Alert:       0
>
> Verdicts:
>      Allow:       36191 (76.891%)
>      Block:       4534 (9.633%)
>      Replace:     0
>      Whitelist:   599 (1.273%)
>      Blacklist:   5744 (12.204%)
> Thanks,
> Evani Ram
>
>>> On Thu, Sep 24, 2015 at 9:52 AM, Evani Sitaram <evanira...@gmail.com>
>>> wrote:
>>>
>>>> Hello Alfredo,
>>>>
>>>>    Currently what I am doing is running snort to verify the packets,
>>>> and if any packets match my snort rules then I am using pfring to drop
>>>> the packets (move them to a folder; this is what I mean by "fails to drop") so
>>>> that I can perform some analysis on these packets. However, currently I am
>>>> able to do so with DAQ but not with PFRING. Is this currently possible
>>>> with PFRING? Can you please provide me with some insight into this matter, as
>>>> we would like to use this product to finish configuring my system. Any help
>>>> you can provide will be extremely appreciated.
>>>>
>>>> Thanks
>>>> Evani
>>>>
>>>> On Wed, Sep 23, 2015 at 5:53 PM, Alfredo Cardigliano <
>>>> cardigli...@ntop.org> wrote:
>>>>
>>>>> Evani,
>>>>> if you run snort in IPS mode (for instance I usually use --daq pfring
>>>>> --daq-mode inline -i ethX:ethY), the pfring-daq
>>>>> will not forward packets when snort returns a negative verdict. I do
>>>>> not know what you mean by “fails to drop”.
>>>>>
>>>>> Alfredo
>>>>>
>>>>> On 23 Sep 2015, at 14:12, Evani Sitaram <evanira...@gmail.com> wrote:
>>>>>
>>>>> Hi Alfredo,
>>>>>     Sorry for the trouble. As per your suggestion I tried to configure
>>>>> daq_pfring (daq_pfring.so and daq_pfring.la) and snort IPS mode; I was
>>>>> only able to capture packets, but snort fails to drop the packets inline.
>>>>>
>>>>> Command for running Snort in IPS mode (daq_pfring):
>>>>>
>>>>>     snort --daq-dir=/usr/local/lib/daq --daq pfring -i ethX:ethY -e -Q
>>>>>
>>>>> Thanks And Regards,
>>>>> Evani Ram
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Sep 23, 2015 at 3:39 PM, Alfredo Cardigliano <
>>>>> cardigli...@ntop.org> wrote:
>>>>>
>>>>>> Hi Evani
>>>>>> As I said, just use our DAQ in IPS mode.
>>>>>>
>>>>>> Alfredo
>>>>>>
>>>>>> On 23 Sep 2015, at 12:01, Evani Sitaram <evanira...@gmail.com> wrote:
>>>>>>
>>>>>> Hello Alfredo,
>>>>>>     Thank you for the timely reply. I am able to drop the packets
>>>>>> using the DAQ module (NFQ) with Snort IPS. For example, if I want to
>>>>>> block/drop traffic to a site (Facebook, YouTube, etc.) I am able to do it
>>>>>> with the DAQ (NFQ) module. Now, is there any possibility to drop packets
>>>>>> with pf_ring along with Snort IPS?
>>>>>>
>>>>>>
>>>>>> lspci | grep Eth
>>>>>>
>>>>>> 01:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit
>>>>>> Ethernet Controller (rev 06)
>>>>>> 01:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit
>>>>>> Ethernet Controller (rev 06)
>>>>>> 02:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit
>>>>>> Ethernet Controller (rev 06)
>>>>>> 02:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit
>>>>>> Ethernet Controller (rev 06)
>>>>>> 04:00.0 Ethernet controller: Qualcomm Atheros Killer E2200 Gigabit
>>>>>> Ethernet Controller (rev 13)
>>>>>> (I am not using this last Ethernet controller.)
>>>>>>
>>>>>> On Wed, Sep 23, 2015 at 1:33 PM, Alfredo Cardigliano <
>>>>>> cardigli...@ntop.org> wrote:
>>>>>>
>>>>>>>
>>>>>>> On 23 Sep 2015, at 06:54, Evani Sitaram <evanira...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>     I am Evani Ram. I am working on my final year project and I am
>>>>>>> new to pf_ring and snort; I have a couple of queries regarding pf_ring.
>>>>>>>
>>>>>>> 1) Firstly, is it possible to drop packets using pf_ring? If yes,
>>>>>>> how do I configure pf_ring in order to drop packets? (Alerting is working in
>>>>>>> pf_ring.)
>>>>>>>
>>>>>>> I am using this command to drop the packets, but it only captures
>>>>>>> the packets and logs them. I am using a pf_ring aware driver.
>>>>>>>
>>>>>>> Command:
>>>>>>>     /snort/bin/snort -Q -c /snort/etc/snort.conf -d --treat-drop-as-alert --daq pfring --daq-dir /pfring/lib/daq -l /logs -i eth0:eth1 &
>>>>>>>
>>>>>>>
>>>>>>> Do you mean you want to use it inline, dropping packets? You just
>>>>>>> need to run snort in IPS mode using our DAQ module; please take a look
>>>>>>> at the README.
>>>>>>>
>>>>>>> 2) Secondly, what hardware architecture is supported for using
>>>>>>> pf_ring, and can you suggest the minimum required configuration for dropping
>>>>>>> packets?
>>>>>>>
>>>>>>>
>>>>>>> With standard drivers you can use any NIC; almost all Intel NICs are
>>>>>>> also supported in Zero-Copy mode for line rate.
>>>>>>>
>>>>>>> (I am using an Intel PRO/1000 PT Dual Port NIC card for
>>>>>>> traffic flow.)
>>>>>>>
>>>>>>>
>>>>>>> Can I see "lspci | grep Eth"?
>>>>>>>
>>>>>>> Regards
>>>>>>> Alfredo
>>>>>>>
>>>>>>>
>>>>>>> Thanks And Regards,
>>>>>>> Evani Ram.
>>>>>>> _______________________________________________
>>>>>>> Ntop-misc mailing list
>>>>>>> Ntop-misc@listgateway.unipi.it
>>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc