[Snort-devel] Snort 3 netmap can't access gateway on FreeBSD

Michael Altizer mialtize at cisco.com
Fri Nov 2 13:21:09 EDT 2018


Re-reading your earlier email, it looks like you're trying to run this 
inline on some interfaces attached to different subnets, even with IPs 
on them.  Don't do that, netmap bridging is L2 and not designed for that.

On 11/02/2018 01:08 PM, Michael Altizer via Snort-devel wrote:
> For reference, I just tested on FreeBSD 11.2 with LibDAQ 2.2.2 and the 
> latest Snort3 code and it's working fine here.  Conveniently, you 
> don't even have to recompile the kernel anymore since I first wrote 
> those instructions - netmap is built in and working.
>
> Steps (my two interfaces being bridged in inline mode are em0 and em1, 
> I installed things into /root/install/...):
> 1. Build and install libdaq 2.2.2
> 2. Build and install snort3
> 3. ifconfig em0 up promisc -lro
> 4. ifconfig em1 up promisc -lro
> 5. export LUA_PATH='/root/install/snort3/include/snort/lua/?.lua;;'
> 6. export SNORT_LUA_PATH=/root/install/snort3/etc/snort/
> 7. /root/install/snort3/bin/snort --daq-dir /root/install/daq/lib/daq/ 
> --daq netmap -i em0:em1 -Q -c /root/install/snort3/etc/snort/snort.lua
>
> I had no issues passing traffic across the FreeBSD device between two 
> other devices on the same subnet.  It seems we'd need more details to 
> help you.  The Snort shutdown stats like Masud suggested would be helpful.
>
> On 11/02/2018 11:51 AM, Masud Hasan (mashasan) via Snort-devel wrote:
>> Hi,
>>
>> Would you kindly provide Snort shutdown stats to find what shows 
>> during exit.
>>
>>> On Nov 1, 2018, at 5:35 AM, yunus.can at arjeta.com.tr 
>>> <mailto:yunus.can at arjeta.com.tr> wrote:
>>>
>>>
>>> Hello;
>>>
>>> We removed LRO/GRO, enabled promiscuous mode and are running Snort 
>>> em1:em2 in inline mode with DAQ netmap.
>>>
>>> Then all traffic to the gateway breaks down, for example ping, SSH, 
>>> internet connection.
>>>
>>> Can't access (em1 connected computer (192.168.1.12))  ----> 
>>> 192.168.1.1 (gateway)
>>> and can't access (em2 connected different computer (192.168.2.45)) 
>>> ---> 192.168.2.1 (gateway)
>>> We have a problem but I can't find it :S
>>> FreeBSD Version : FreeBSD snort.test 11.2-RELEASE-p4
>>> Snort Version : Version 3.0.0 (Build 247) FreeBSD
>>> 31.10.2018, 18:53, "Masud Hasan (mashasan)" <mashasan at cisco.com 
>>> <mailto:mashasan at cisco.com>>:
>>>> Please turn promiscuous mode on and LRO/GRO off for both of the 
>>>> interface-pair (em1 and em2) as root. Before running snort, please 
>>>> make sure you can reach any machine on the LAN where em2 is 
>>>> connected. After running snort with em1:em2 inlined, you should be 
>>>> able to reach that LAN from the LAN where em1 is connected.
>>>> You can also enable debug adding "--daq-var debug" to the snort 
>>>> command and adding rc_debug="YES" in the rc.conf file.
>>>> If netmap does not work, do other daq mode works? Here is an 
>>>> example for Ubuntu:
>>>> http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/
>>>> Also, are you on latest FreeBSD with updated netmap, since I find 
>>>> some online forums discussing issues with older netmap builds.
>>>> Thanks,
>>>> Masud
>>>>> On Oct 31, 2018, at 5:58 AM, yunus.can at arjeta.com.tr 
>>>>> <mailto:yunus.can at arjeta.com.tr> wrote:
>>>>> Hello;
>>>>> We are again installing Snort in netmap mode, because ipfw mode does 
>>>>> not yet support multithreading.
>>>>> *rc.conf ----> network configuration*
>>>>> ifconfig_em0="DHCP" ---->internet uplink      subnet -> 
>>>>> (192.168.254.1/24) dhcp lease
>>>>> ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0"
>>>>> ifconfig_em2="inet 192.168.2.1 netmask 255.255.255.0"
>>>>>
>>>>> I started with this command:
>>>>> *ifconfig em1 promisc up*
>>>>> */usr/local/snort/bin/snort -c 
>>>>> /usr/local/snort/etc/snort/snort.lua --daq-dir /usr/local/lib/daq 
>>>>> --daq netmap -i em1 -A alert_full -Q*
>>>>> I see an error:
>>>>> netmap DAQ configured to inline.
>>>>> Commencing packet processing
>>>>> ++ [0] em1
>>>>> Can't initialize DAQ netmap (-1) - netmap_daq_initialize: Invalid 
>>>>> interface specification: 'em1'!
>>>>> -- [0] em1
>>>>> --------------------------------------------------
>>>>> Packet Statistics
>>>>> --------------------------------------------------
>>>>> Module Statistics
>>>>> --------------------------------------------------
>>>>> Summary Statistics
>>>>> --------------------------------------------------
>>>>> timing
>>>>>                   runtime: 00:00:00
>>>>>                   seconds: 0.1822
>>>>>                   packets: 0
>>>>>                  pkts/sec: 0
>>>>> o")~   Snort exiting
>>>>> And again, a different start with a multiple-interface command:
>>>>> *ifconfig em1 promisc up*
>>>>> */usr/local/snort/bin/snort -c 
>>>>> /usr/local/snort/etc/snort/snort.lua --daq-dir /usr/local/lib/daq 
>>>>> --daq netmap -i em1:em2 -A alert_full -Q*
>>>>> *I saw this successful start message:*
>>>>> port rule counts
>>>>>              tcp     udp  icmp      ip
>>>>>      any     472       0 1       0
>>>>>    total     472       0 1       0
>>>>> --------------------------------------------------
>>>>> netmap DAQ configured to inline.
>>>>> Commencing packet processing
>>>>> ++ [0] em1:em2
>>>>> [em2]
>>>>>   nr_tx_slots: 1024
>>>>>   nr_rx_slots: 1024
>>>>>   nr_tx_rings: 1
>>>>>   [TX Ring 0]
>>>>>     buf_ofs = 7299072
>>>>>     num_slots = 1024
>>>>>     nr_buf_size = 2048
>>>>>     flags = 0x0
>>>>>   nr_rx_rings: 1
>>>>>   [RX Ring 0]
>>>>>     buf_ofs = 7372800
>>>>>     num_slots = 1024
>>>>>     nr_buf_size = 2048
>>>>>     flags = 0x0
>>>>>   memsize: 343019520
>>>>>   index:       1
>>>>>
>>>>> *BUT I can't access the gateway IP address*
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6157 ttl=64 time=0.264 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6158 ttl=64 time=0.233 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6159 ttl=64 time=0.325 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6160 ttl=64 time=0.394 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6161 ttl=64 time=0.354 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6162 ttl=64 time=0.326 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6163 ttl=64 time=0.332 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6164 ttl=64 time=0.221 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6165 ttl=64 time=0.339 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6166 ttl=64 time=0.343 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6167 ttl=64 time=0.398 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6168 ttl=64 time=0.435 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6169 ttl=64 time=0.410 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6170 ttl=64 time=0.410 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6171 ttl=64 time=0.383 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6172 ttl=64 time=0.380 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6173 ttl=64 time=0.313 ms
>>>>> 64 bytes from 192.168.1.1: icmp_seq=6174 ttl=64 time=0.369 ms ---> 
>>>>> *started snort inline netmap module*
>>>>> Request timeout for icmp_seq 6175
>>>>> Request timeout for icmp_seq 6176
>>>>> Request timeout for icmp_seq 6177
>>>>> Request timeout for icmp_seq 6178
>>>>> Request timeout for icmp_seq 6179
>>>>> Request timeout for icmp_seq 6180
>>>>> Request timeout for icmp_seq 6181
>>>>>
>>>>> *FreeBSD Version:*
>>>>>
>>>>> FreeBSD snort 11.2-RELEASE-p4
>>>>>
>>>>> *Snort Version:*
>>>>>
>>>>>    ,,_     -*> Snort++ <*-
>>>>>
>>>>>   o"  )~   Version 3.0.0 (Build 247) FreeBSD
>>>>>
>>>>>    ''''    By Martin Roesch & The Snort Team
>>>>>
>>>>> http://snort.org/contact#team
>>>>>
>>>>>            Copyright (C) 2014-2018 Cisco and/or its affiliates. 
>>>>> All rights reserved.
>>>>>
>>>>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>>>
>>>>>            Using DAQ version 2.2.2
>>>>>
>>>>>            Using LuaJIT version 2.0.5
>>>>>
>>>>>            Using OpenSSL 1.0.2p  14 Aug 2018
>>>>>
>>>>>            Using libpcap version 1.9.0-PRE-GIT
>>>>>
>>>>>            Using PCRE version 8.41 2017-07-05
>>>>>
>>>>>            Using ZLIB version 1.2.11
>>>>>
>>>>>            Using FlatBuffers 1.8.0
>>>>>
>>>>>            Using Hyperscan version 4.7.0 2018-10-03
>>>>>
>>>>>            Using LZMA version 5.2.3
>>>>>
>>>>> I read this link
>>>>> https://github.com/snort3/snort3/blob/master/doc/snort_manual.html --->
>>>>> 20.13.8. Netmap Module
>>>>> 	
>>>>> 	The netmap project is a framework for very high speed packet I/O. It
>>>>> 	is available on both FreeBSD and Linux with varying amounts of
>>>>> 	preparatory setup required. Specific notes for each follow.
>>>>> 	
>>>>> 	./snort --daq netmap -i <device>
>>>>> 	[--daq-var debug]
>>>>> 	
>>>>> 	If you want to run netmap in inline mode, you must craft the device
>>>>> 	string as one or more interface pairs, where each member of a pair is
>>>>> 	separated by a single colon and each pair is separated by a double
>>>>> 	colon like this:
>>>>> 	
>>>>> 	em1:em2
>>>>> 	
>>>>> 	or this:
>>>>> 	
>>>>> 	em1:em2::em3:em4
>>>>> 	
>>>>> 	Inline operation performs Layer 2 forwarding with no MAC filtering,
>>>>> 	akin to the AFPacket module’s behavior. All packets received on one
>>>>> 	interface in an inline pair will be forwarded out the other interface
>>>>> 	unless dropped by the reader and vice versa.
>>>>> 	
>>>>> 	Important
>>>>> 	
>>>>> 	The interfaces will need to be up and in promiscuous mode in order to
>>>>> 	function (ifconfig em1 up promisc). The DAQ module does not currently
>>>>> 	do either of these configuration steps for itself.
>>>>> 	
>>>>> 	20.13.8.1. FreeBSD
>>>>> 	
>>>>> 	In FreeBSD 10.0, netmap has been integrated into the core OS. In
>>>>> 	order to use it, you must recompile your kernel with the line
>>>>> 	
>>>>> 	device netmap
>>>>> 	
>>>>> 	added to your kernel config.
>>>>>
>>>>> I searched Google but I can't find enough about netmap with Snort.
>>>>> What is my problem?
>>>>> Can you help me?
>>>>> _______________________________________________
>>>>> Snort-devel mailing list
>>>>> Snort-devel at lists.snort.org <mailto:Snort-devel at lists.snort.org>
>>>>> https://lists.snort.org/mailman/listinfo/snort-devel
>>>>>
>>>>> Please visit http://blog.snort.org <http://blog.snort.org/> for 
>>>>> the latest news about Snort!

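As an added example (not code from this thread, from Snort, or from the netmap project), the following POSIX sh script turns the advice in the thread into repeatable pre-flight checks for a netmap inline pair on FreeBSD: each interface must be up and promiscuous with LRO off, neither interface of the pair should carry an IP address (the inline pair is an L2 bridge, so it cannot route between the subnets that were configured on em1 and em2 in the original report), and the `-i` device string must be a pair such as `em1:em2`, not a bare interface, which is what produced the "Invalid interface specification" error. The two `ifconfig` outputs are constructed samples so the script runs offline; the install paths under `/root/install` are the ones used in Michael Altizer's steps and are assumptions for any other installation.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Snort project.
# Pre-flight checks for a Snort 3 netmap inline pair on FreeBSD, built from
# the steps given in the thread: interfaces up, promiscuous, LRO off, and no
# IP address on the bridged pair (netmap inline bridging is L2 only).
# The two ifconfig outputs below are CONSTRUCTED samples so this runs offline.

# Constructed "ifconfig em0" output for a correctly prepared interface.
GOOD_IFCONFIG='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8129b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    ether 08:00:27:aa:bb:01
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active'

# Constructed output resembling em1 in the original report: LRO still on,
# no PROMISC, and an IPv4 address assigned to the interface.
BAD_IFCONFIG='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8529b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC>
    ether 08:00:27:aa:bb:02
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active'

# netmap_iface_ready IFCONFIG_TEXT
# Returns 0 when the interface is UP and PROMISC, has LRO off and carries no
# inet address; otherwise prints one line per problem and returns 1.
netmap_iface_ready() {
    _out=$1
    _rc=0
    # Flag list from "flags=...<...>" on the first line, option list from "options=...<...>".
    _flags=$(printf '%s\n' "$_out" | sed -n '1s/.*flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p')
    _opts=$(printf '%s\n' "$_out" | sed -n 's/^[[:space:]]*options=[0-9a-fx]*<\([^>]*\)>.*/\1/p')
    case ",$_flags," in *,UP,*) ;; *) echo "interface is not UP"; _rc=1 ;; esac
    case ",$_flags," in *,PROMISC,*) ;; *) echo "interface is not in promiscuous mode"; _rc=1 ;; esac
    case ",$_opts," in *,LRO,*) echo "LRO is still enabled (ifconfig <if> -lro)"; _rc=1 ;; esac
    if printf '%s\n' "$_out" | grep -q '^[[:space:]]*inet '; then
        echo "interface has an IP address: a netmap inline pair is an L2 bridge, not a router"
        _rc=1
    fi
    return $_rc
}

# netmap_inline_devstring PAIR [PAIR...]
# Joins "ifA:ifB" pairs with "::" as the netmap DAQ manual describes
# (em1:em2::em3:em4). A bare interface name is rejected, since that is what
# produced "Invalid interface specification: 'em1'" in the original report.
netmap_inline_devstring() {
    _dev=""
    for _p in "$@"; do
        case $_p in
            *:*:*|:*|*:) echo "malformed pair '$_p'" >&2; return 1 ;;
            *:*) ;;
            *) echo "inline mode needs an interface pair, got '$_p'" >&2; return 1 ;;
        esac
        if [ -z "$_dev" ]; then _dev=$_p; else _dev="$_dev::$_p"; fi
    done
    printf '%s\n' "$_dev"
}

# snort_netmap_cmd DEVSTRING
# Prints the Snort command line from the steps in the thread. The install
# paths under /root/install are the ones the thread used; adjust as needed.
snort_netmap_cmd() {
    printf '%s\n' "/root/install/snort3/bin/snort --daq-dir /root/install/daq/lib/daq/ --daq netmap -i $1 -Q -c /root/install/snort3/etc/snort/snort.lua"
}

# Demonstration on the constructed samples; on a real box pass "$(ifconfig em0)".
if netmap_iface_ready "$GOOD_IFCONFIG" >/dev/null; then echo "em0: ready for netmap"; fi
netmap_iface_ready "$BAD_IFCONFIG" || echo "em1: fix the problems above before starting Snort"
dev=$(netmap_inline_devstring em0:em1) && snort_netmap_cmd "$dev"
```

On a real host, replace the constructed samples with `netmap_iface_ready "$(ifconfig em0)"` and `netmap_iface_ready "$(ifconfig em1)"` before launching Snort; an interface that still reports an `inet` line is the case Michael warns about, where the two sides of the pair sit on different subnets and L2 bridging cannot reach the gateway.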
