[Snort-users] Pfring crashes the kernel with white lists.

Livio Ricciulli livio at ...15149...
Fri Jun 22 13:20:08 EDT 2012


With pfring 5.1, if you specified a bpf filter and --daq pfring, the daq would not open and Snort would not even start. We recently fixed it so that it works now. If you have bpf already specified and it runs, I am assuming you are using a later version where they fixed the bug (although probably still vulnerable to the white listing issue below). So I think you are ok.

A more interesting thing for you (since you run 10G I think) is to run the filter in hardware rather than software. I am working on a script that translates a subset of the bpf expressions to hardware rules for the Intel 82599 Ethernet controller (supported by pfring). With the hardware rules, the filtered packets are never seen by the kernel so there is less CPU utilization and (conceivably) with the right filters, you could run up to line rate (28 Mpps full duplex).

Let me know if you are interested in beta testing the hardware filtering (if you use the 82599).

Livio.

On 6/22/2012 5:41 AM, Peter Bates wrote:
>
> Hello all
>
> On 21/06/2012 00:58, livio Ricciulli wrote:
>> If you use --daq pfring with snort 2.9.2.x, it will cause pfring to
>> add a monotonically increasing number of WHITE_LIST pfring filters
>> in kernel memory causing memory exhaustion and eventually a crash
>> after a few hours/days/months depending on your traffic rate. We
>> have a pfring distribution that fixes this and other problems (like
>>   supporting bpf filtering) at
>> http://www.metaflows.com/pfring/PF_RING.tgz
> I'm running this combination and am keen to avoid this bug so will
> take a look.
>
> Can you explain 'supporting bpf filtering' a bit more?
>
> I have
>
> config bpf_file: /etc/snort/bpf
>
> (equivalent to -F)
>
> and according to PF_RING the BPF is being applied:
>
> BPF Filtering      : Enabled
>
> Or is the difference in Snort applying the BPF filter after PF_RING
> and not before?
>
> -- 
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division	    Internal Ext: 32049
> University College London
> London WC1E 6BT
>


-- 
Livio Ricciulli
MetaFlows Inc.
(408) 835-5005
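The message above describes translating a subset of BPF into hardware filter rules for the Intel 82599 so that excluded traffic never reaches the kernel. The following is an added illustration of that idea, not MetaFlows' script and not pfring's own hardware-rule API: it maps the negated form a drop filter can express, `not ( ... )`, onto `ethtool -N` ntuple (Flow Director) commands, which is how the stock ixgbe driver programs 82599 hardware filters once `ethtool -K IFACE ntuple on` has been enabled. The grammar it accepts (tcp/udp, `[src|dst] host`, `[tcp|udp] [src|dst] port`, joined by `and`/`or`) and the interface name `eth0` are assumptions for the example; `host X` and `port N` match either direction, so each expands to two rules, and a port without an L4 protocol expands to a tcp4 and a udp4 rule.

```python
"""Translate a small subset of BPF into 82599-style hardware drop rules.

Added example (not pfring's or MetaFlows' code). Only the negated form that a
hardware drop filter can express is accepted:

    not ( <conj> [or <conj> ...] )     <conj> = <prim> [and <prim> ...]
    <prim> = tcp | udp | [src|dst] host A.B.C.D | [tcp|udp] [src|dst] port N

Output is one `ethtool -N IFACE flow-type ... action -1` command per rule
(action -1 is the ntuple "drop" action). Caveat from the ixgbe driver: all
Flow Director rules on a port must use the same set of matched fields (one
mask per port), so mixing e.g. port-only and ip-only rules may be rejected.
"""
import ipaddress
import itertools
import re


def _alternatives(prim):
    """Map one BPF primitive to the list of field-dicts it stands for.
    Direction-less 'host'/'port' match src or dst, so they yield two dicts."""
    toks = prim.split()
    fields = {}
    if toks and toks[0] in ("tcp", "udp"):
        fields["proto"] = toks.pop(0)
    if not toks:
        if "proto" not in fields:
            raise ValueError("empty primitive")
        return [fields]                     # bare 'tcp' or 'udp'
    direction = toks.pop(0) if toks[0] in ("src", "dst") else None
    if len(toks) != 2 or toks[0] not in ("host", "port"):
        raise ValueError("unsupported primitive: %r" % prim)
    kind, value = toks
    if kind == "host":
        value = str(ipaddress.IPv4Address(value))   # validates dotted quad
    else:
        value = int(value)
        if not 0 <= value <= 65535:
            raise ValueError("bad port in %r" % prim)
    out = []
    for d in ([direction] if direction else ["src", "dst"]):
        f = dict(fields)
        f["%s_%s" % (d, "ip" if kind == "host" else "port")] = value
        out.append(f)
    return out


def _merge(dicts):
    """AND the primitives of one conjunction; contradictory fields are an error."""
    merged = {}
    for d in dicts:
        for k, v in d.items():
            if k in merged and merged[k] != v:
                raise ValueError("conflicting %s in conjunction" % k)
            merged[k] = v
    return merged


def bpf_to_rules(expr):
    """Parse 'not ( ... )' and return one field-dict per hardware drop rule.
    'and' binds tighter than 'or', as in BPF, so split on 'or' first."""
    expr = " ".join(expr.strip().split())
    m = re.fullmatch(r"not\s*\((.*)\)", expr)
    if not m:
        raise ValueError("only 'not ( ... )' filters map to drop rules")
    rules = []
    for conj in m.group(1).split(" or "):
        prims = [_alternatives(p.strip()) for p in conj.split(" and ")]
        for combo in itertools.product(*prims):
            rules.append(_merge(combo))
    return rules


def rule_to_ethtool(iface, rule):
    """Render one rule as ethtool ntuple command(s). A port with no L4 proto
    is emitted for both tcp4 and udp4; an address-only rule uses ip4."""
    if "proto" in rule:
        protos = [rule["proto"]]
    elif any(k.endswith("_port") for k in rule):
        protos = ["tcp", "udp"]
    else:
        protos = [None]
    cmds = []
    for proto in protos:
        parts = ["ethtool", "-N", iface, "flow-type",
                 "%s4" % proto if proto else "ip4"]
        for key, flag in (("src_ip", "src-ip"), ("dst_ip", "dst-ip"),
                          ("src_port", "src-port"), ("dst_port", "dst-port")):
            if key in rule:
                parts += [flag, str(rule[key])]
        parts += ["action", "-1"]           # -1 = drop in hardware
        cmds.append(" ".join(parts))
    return cmds


def translate(expr, iface="eth0"):
    """Full pipeline: BPF subset -> list of ethtool command strings."""
    return [c for r in bpf_to_rules(expr) for c in rule_to_ethtool(iface, r)]


if __name__ == "__main__":
    # Constructed sample filter: drop DNS and one host's HTTPS sessions in the NIC.
    for cmd in translate("not (udp port 53 or src host 10.1.2.3 and tcp dst port 443)"):
        print(cmd)
```

Anything outside the `not ( ... )` form (for instance a positive `host X` whitelist) is refused rather than silently mistranslated, because a match-and-drop rule cannot express "keep only X" without a catch-all drop the hardware does not provide here; such filters stay in the software BPF path.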