Mailing List Archive

Re: Ntop-misc Digest, Vol 141, Issue 15
Message: 2
Date: Wed, 30 Mar 2016 23:23:15 +0200
From: Luca Deri <deri@ntop.org>
To: ntop-misc@listgateway.unipi.it
Subject: Re: [Ntop-misc] pf_ring hardware filter question
Message-ID: <196B3D33-566B-421B-BEBC-2BF343661E1D@ntop.org>
Content-Type: text/plain; charset="us-ascii"

Chris
you can set rules via the PF_RING API: did you see https://github.com/ntop/PF_RING/blob/dev/userland/examples/pffilter_test.c ?

Regards Luca

> On 30 Mar 2016, at 21:12, Clark, Erik J <ClarkEJ1@state.gov> wrote:
>
> All;
> I am trying to filter out tcp and udp traffic at the kernel level
> via pf_ring, but can not find any documentation as to how to actually
> craft a rule, or how you would make one persist. The only reference I
> can find is to
>
> /proc/net/pf_ring/dev/${interface}/rules
>
> Which would not be persistent. If I wanted to filter out all tcp 443 traffic before handing it off to the application layer, say for Snort or Bro, how do I do that at the pf_ring level persistently? Thanks much!
>
> Erik
>
>
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it



Unfortunately, I haven't written any C in about 18 years. Even then, I was never very good at it. On top of that, I can't even seem to understand what is going on in the file. There is a section where it says it is dropping everything but icmp, but there is nothing saying that outright, except a reference to rule.rule_id =5, which is as clear as mud.

So, is the short answer that there is no way to use something like ethtool to set pf_ring filters? From:

http://ossectools.blogspot.com/2012/10/multi-node-bro-cluster-setup-howto.html

I can see that bpf filters can be associated with the devices somehow (specifically (ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0)

I cannot find any documentation on how to set bpf filters, or pf_ring parameters, with something like a shell script or a tool like ethtool. Is this just not possible?


Erik
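As an added worked example (not part of the thread, and not code from the PF_RING project or the Bro howto), the script below decodes the BPF expression quoted above, `(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0`. In pcap-filter syntax `ip[14:2]` loads the two bytes at offset 14 of the IPv4 header, i.e. the low half of the source address, and `ip[18:2]` the low half of the destination address; subtracting `4*(sum/4)` is integer "sum mod 4", written that way because classic BPF has no modulo operator. The filter therefore keeps bucket 0 of 4, one worker's share of a 4-node cluster, which is why each Bro node in the howto carries a different constant. The packet builder, addresses and the `nodes` generalisation are assumptions constructed for the demonstration; the property worth checking for an IDS is that both directions of a flow land in the same bucket.

```python
"""Evaluate the cluster load-balancing BPF expression from the thread on
constructed IPv4 headers (added example; not the project's own code)."""
import ipaddress
import struct


def ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Build a minimal 20-byte IPv4 header with no options.

    Constructed sample input: only the address fields matter to the filter.
    Layout follows RFC 791: ver/ihl, tos, total length, id, flags/frag,
    ttl, protocol, checksum (left 0), source, destination.
    """
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def bpf_load_halfword(ip_hdr: bytes, offset: int) -> int:
    """Emulate the pcap-filter load 'ip[offset:2]': 2 bytes, network byte order."""
    return struct.unpack("!H", ip_hdr[offset:offset + 2])[0]


def cluster_bucket(ip_hdr: bytes, nodes: int = 4) -> int:
    """Generalisation of the quoted filter to N nodes.

    Returns (ip[14:2] + ip[18:2]) mod nodes using the same subtract-the-
    multiple arithmetic BPF performs, since BPF has no modulo operator.
    """
    total = bpf_load_halfword(ip_hdr, 14) + bpf_load_halfword(ip_hdr, 18)
    return total - nodes * (total // nodes)


def matches_quoted_filter(ip_hdr: bytes) -> bool:
    """True when the packet satisfies the exact 4-node, bucket-0 filter from the thread."""
    return cluster_bucket(ip_hdr, 4) == 0


def both_directions(src: str, dst: str, nodes: int = 4) -> tuple:
    """Bucket for src->dst and for dst->src.

    Addition is commutative, so the two values are always equal: a node that
    sees one direction of a TCP connection also sees the other, which an IDS
    needs in order to track connection state.
    """
    forward = cluster_bucket(ipv4_header(src, dst), nodes)
    reverse = cluster_bucket(ipv4_header(dst, src), nodes)
    return forward, reverse


if __name__ == "__main__":
    # Constructed address pairs, not real traffic.
    pairs = [("10.0.0.1", "192.168.1.10"),
             ("10.0.0.2", "192.168.1.10"),
             ("172.16.5.9", "8.8.8.8")]
    for src, dst in pairs:
        fwd, rev = both_directions(src, dst)
        hdr = ipv4_header(src, dst)
        print(f"{src:>12} -> {dst:<14} bucket {fwd} (reverse {rev}) "
              f"bucket-0 filter matches: {matches_quoted_filter(hdr)}")
```

Because the hash uses only the low 16 bits of each address, every packet between a given host pair goes to the same node regardless of port, so one busy pair is never spread across workers; that is the trade-off behind this choice of expression. The per-node filter is ordinary pcap-filter syntax, so it can be combined with further conditions in the same string (for example `not (tcp port 443) and ...`) when building the filter for each worker.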
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc