Hello snort / pf_ring experts,

 
I am struggling with the pf_ring implementation on snort (2.9.11) in inline mode.

Pf_ring (latest version from github)

All installed from source.

No problems with configure, make, make install etc. Everything installs fine.

If I use afpacket as the daq module in snort, everything works as expected, but with 
pf_ring the following occurs in inline mode:

 
In the ip blacklist there is a single ip address: 194.109.6.102 (= sftp.xs4all.nl)

If I do a ping to 194.109.6.102, all packets are correctly blocked.

If I do a "telnet 194.109.6.102 22", the following happens:

The first (TCP SYN) packet is correctly dropped; however, when the 2nd SYN 
packet is sent (due to the timeout of the first) it is passed, and all 
subsequent packets of THIS flow are also passed!

 
Example on the client:

ping sftp.xs4all.nl

[root@centos-base-88 ~]# ping sftp.xs4all.nl

PING sftp.xs4all.nl (194.109.6.102) 56(84) bytes of data.

^C^C

--- sftp.xs4all.nl ping statistics ---

7 packets transmitted, 0 received, 100% packet loss, time 5999ms

So everything is blocked; on the snort console we see:

10/22-22:05:17.265332  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

10/22-22:05:18.265245  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

10/22-22:05:19.265234  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

10/22-22:05:20.265245  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

10/22-22:05:21.265225  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

10/22-22:05:22.265222  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

So that's OK.

 
Now a tcp session:

[root@centos-base-88 ~]# telnet sftp.xs4all.nl 22

Trying 194.109.6.102...

Connected to sftp.xs4all.nl.

Escape character is '^]'.

SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3

^]

telnet> q

Connection closed.

As you can see, the session is opened (answer from the ssh server).

On the snort console we see:

10/22-22:06:22.493020  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.63.89:55258 -> 194.109.6.102:22

 
With tcpdump on client we see the following:

14:39:51.080544 IP 192.168.63.89.55226 > sftp.xs4all.nl.ssh: Flags [S], seq 2360602834, win 29200, options [mss 1460,sackOK,TS val 1538492023 ecr 0,nop,wscale 7], length 0

14:39:52.080915 IP 192.168.63.89.55226 > sftp.xs4all.nl.ssh: Flags [S], seq 2360602834, win 29200, options [mss 1460,sackOK,TS val 1538493024 ecr 0,nop,wscale 7], length 0

14:39:52.183534 IP sftp.xs4all.nl.ssh > 192.168.63.89.55226: Flags [S.], seq 490682614, ack 2360602835, win 28960, options [mss 1460,sackOK,TS val 2525301259 ecr 1538493024,nop,wscale 7], length 0

14:39:52.183573 IP 192.168.63.89.55226 > sftp.xs4all.nl.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val 1538493126 ecr 2525301259], length 0

14:39:52.383808 IP sftp.xs4all.nl.ssh > 192.168.63.89.55226: Flags [P.], seq 1:40, ack 1, win 227, options [nop,nop,TS val 2525301312 ecr 1538493126], length 39

14:39:52.383829 IP 192.168.63.89.55226 > sftp.xs4all.nl.ssh: Flags [.], ack 40, win 229, options [nop,nop,TS val 1538493326 ecr 2525301312], length 0

(the time stamps are different, I know)

The first packet is dropped, but the second apparently is passed, as an answer 
(packet 3) is coming in.

And the flow is established.

 
As far as I understand, pf_ring should:

1.      give the first packet to snort
2.      snort tells pf_ring to drop the packet
3.      pf_ring should automatically drop the WHOLE flow

 
In my opinion (3) is not happening; instead of being dropped, the rest of the flow is 
forwarded.

 
I also tested with the parameter: --daq-var no-kernel-filters

Same result. (--daq-var no-kernel-filters should tell the driver to 
deliver every packet to snort, to have snort decide for EVERY packet what to do.)

 
Anyway, I am out of ideas as to what the root of this problem is, so I hope somebody 
can give me a hint in the right direction... :-)

 
Additional info:

Pf_ring init:

/sbin/rmmod pf_ring

/sbin/insmod /usr/lib/modules/3.10.0-693.2.2.el7.x86_64/kernel/net/pf_ring/pf_ring.ko enable_tx_capture=0

 
Snort start:

/usr/local/bin/snort -A console --daq-dir=/usr/local/lib/daq --daq pfring -c /etc/snort/snort.conf -i eth1:eth2 -Q --daq-var watermark=10 --daq-var timeout=10

 
(watermark and timeout are needed, which is also a little strange in my opinion, as I 
do not see those parameters in many examples. If I don't use them, a single ping 
will have a turnaround time of 2000 milliseconds (the time pf_ring waits 
before delivering the packet over to snort?).)

 
[root@vsnort-82 ~]# modinfo pf_ring

filename:       /lib/modules/3.10.0-693.2.2.el7.x86_64/kernel/net/pf_ring/pf_ring.ko

alias:          net-pf-27

version:        6.7.0

description:    Packet capture acceleration and analysis

author:         ntop.org

license:        GPL

rhelversion:    7.4

srcversion:     F09B35D96D194DD7F0BA4ED

depends:        

vermagic:       3.10.0-693.2.2.el7.x86_64 SMP mod_unload modversions 

parm:           min_num_slots:Min number of ring slots (uint)

parm:           perfect_rules_hash_size:Perfect rules hash size (uint)

parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)

parm:           enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)

parm:           enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)

parm:           quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)

parm:           force_ring_lock:Set to 1 to force ring locking (automatically enable with rss) (uint)

parm:           enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog, 2 for more verbosity (uint)

parm:           transparent_mode:(deprecated) (uint)

[root@vsnort-82 ~]#

 
[root@vsnort-82 ~]# cat /proc/net/pf_ring/info

PF_RING Version          : 6.7.0 (dev:24c5d32df0e72fac912f9d366b00d9b49da73e60)

Total rings              : 2

 
Standard (non ZC) Options

Ring slots               : 4096

Slot version             : 16

Capture TX               : No [RX only]

IP Defragment            : No

Socket Mode              : Standard

Cluster Fragment Queue   : 0

Cluster Fragment Discard : 0

[root@vsnort-82 ~]#

 
Many thanks in advance,

 
Anton van der leun

_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
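The post compares, by eye, Snort's console [Drop] alert for one 5-tuple against the client-side tcpdump to decide whether the retransmitted SYN got through. The script below is an added example (not code from the post, from Snort or from PF_RING) that does that comparison mechanically over the two text files a tester already has: it parses `tcpdump -nn` lines and Snort `-A console` drop lines, groups packets into client->blacklisted-host flows, and flags a flow as "leaked" when Snort logged a drop for it yet the blacklisted host still answered. The sample lines inside the script are constructed to mirror the post's output (numeric `-nn` form, TCP options trimmed, a drop line for the same client port); the second flow on port 40001 is also constructed, to show what a flow that stayed blocked looks like (three SYNs, no reply). The blacklist set and the function names are this example's own assumptions.

```python
"""Check whether an inline-blocked flow actually stayed blocked.

Added example, not code from the post, Snort or PF_RING. Inputs are
Snort console alerts (-A console) and `tcpdump -nn` output from the
client. Per TCP flow to a blacklisted host it reports how many client
SYNs were sent, whether the host ever replied, and whether Snort logged
a [Drop] for that 5-tuple. Drop logged + reply seen is the "first SYN
dropped, retransmit passed" pattern described in the post.
"""
import re
from collections import defaultdict

# Constructed sample input modelled on the post's output (assumption: -nn
# numeric form, TCP options trimmed). Not captured data.
TCPDUMP_SAMPLE = """\
14:39:51.080544 IP 192.168.63.89.55226 > 194.109.6.102.22: Flags [S], seq 2360602834, win 29200, length 0
14:39:52.080915 IP 192.168.63.89.55226 > 194.109.6.102.22: Flags [S], seq 2360602834, win 29200, length 0
14:39:52.183534 IP 194.109.6.102.22 > 192.168.63.89.55226: Flags [S.], seq 490682614, ack 2360602835, win 28960, length 0
14:39:52.183573 IP 192.168.63.89.55226 > 194.109.6.102.22: Flags [.], ack 1, win 229, length 0
14:40:10.000000 IP 192.168.63.89.40001 > 194.109.6.102.22: Flags [S], seq 1, win 29200, length 0
14:40:11.000000 IP 192.168.63.89.40001 > 194.109.6.102.22: Flags [S], seq 1, win 29200, length 0
14:40:13.000000 IP 192.168.63.89.40001 > 194.109.6.102.22: Flags [S], seq 1, win 29200, length 0
"""

# Constructed Snort -A console drop lines for the two sample flows above.
SNORT_SAMPLE = """\
10/22-22:06:22.493020  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.63.89:55226 -> 194.109.6.102:22
10/22-22:06:40.000000  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.63.89:40001 -> 194.109.6.102:22
"""

BLACKLIST = {"194.109.6.102"}  # assumption: the single entry from the post

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
SNORT_DROP_RE = re.compile(
    r"\[Drop\].*\{TCP\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_tcpdump(text):
    """Yield (ts, src, sport, dst, dport, flags) for each TCP line tcpdump printed."""
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            yield (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def parse_snort_drops(text):
    """Return the set of (src, sport, dst, dport) tuples Snort reported as dropped."""
    drops = set()
    for line in text.splitlines():
        m = SNORT_DROP_RE.search(line)
        if m:
            drops.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return drops


def audit_blocked_flows(tcpdump_text, snort_text, blacklist):
    """Per client->blacklisted-host flow, keyed (client, cport, server, sport):
    number of client SYNs, number of packets the server sent back, and whether
    Snort logged a [Drop] for that 5-tuple."""
    flows = defaultdict(lambda: {"syns": 0, "replies": 0, "drop_logged": False})
    for _ts, src, sport, dst, dport, flags in parse_tcpdump(tcpdump_text):
        if dst in blacklist:                       # client -> blacklisted host
            key = (src, sport, dst, dport)
            if "S" in flags and "." not in flags:  # pure SYN, not SYN-ACK
                flows[key]["syns"] += 1
        elif src in blacklist:                     # blacklisted host -> client
            key = (dst, dport, src, sport)
            flows[key]["replies"] += 1
    for key in parse_snort_drops(snort_text):
        if key in flows:
            flows[key]["drop_logged"] = True
    return dict(flows)


def leaked_flows(tcpdump_text, snort_text, blacklist):
    """Flows Snort claims to have dropped for which the blacklisted host still
    answered, i.e. the drop verdict did not hold for the rest of the flow."""
    return sorted(
        key for key, f in audit_blocked_flows(tcpdump_text, snort_text, blacklist).items()
        if f["drop_logged"] and f["replies"] > 0
    )


if __name__ == "__main__":
    for key, f in audit_blocked_flows(TCPDUMP_SAMPLE, SNORT_SAMPLE, BLACKLIST).items():
        verdict = "LEAKED" if f["drop_logged"] and f["replies"] else "blocked"
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  syns={f['syns']} "
              f"replies={f['replies']} drop_logged={f['drop_logged']}  {verdict}")
```

To use it on a real run, capture on the client with `tcpdump -nn` (numeric output is what the regex expects; the hostname form in the post would need `-nn` added) while the Snort console output is saved to a file, then call `leaked_flows()` with the two texts. A flow that shows two or more SYNs, a logged drop and replies > 0 reproduces the symptom in the post; a flow with several SYNs and replies == 0 is one the inline path blocked for its whole lifetime.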
