Mailing List Archive

snort inline with pf_ring drops only the first packet, rest of flow is passed
 

Hello  snort / pf_ring experts,

 
I am struggling with the pf_ring implementation on snort (2.9.11) in inline mode.

Pf_ring (latest version from GitHub).

All installed from source.

No problems with configure, make, make install etc. Everything installs fine.

If I use afpacket as the DAQ module in snort, everything works as expected, but with pf_ring the following occurs in inline mode:

 
In the IP blacklist, a single IP address: 194.109.6.102 (= sftp.xs4all.nl).

If I do a ping to 194.109.6.102, all packets are correctly blocked.

If I do a "telnet 194.109.6.102 22", the following happens:

The first (TCP SYN) packet is correctly dropped; however, when the 2nd SYN packet is sent (due to the timeout of the first) it is passed, and all subsequent packets of THIS flow are also passed!

 
Example on the client:

ping sftp.xs4all.nl

[root@centos-base-88 ~]# ping sftp.xs4all.nl

PING sftp.xs4all.nl (194.109.6.102) 56(84) bytes of data.

^C^C

--- sftp.xs4all.nl ping statistics ---

7 packets transmitted, 0 received, 100% packet loss, time 5999ms

So everything is blocked; on the snort console we see:

10/22-22:05:17.265332  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

10/22-22:05:18.265245  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

10/22-22:05:19.265234  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

10/22-22:05:20.265245  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

10/22-22:05:21.265225  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

10/22-22:05:22.265222  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102

So that's OK.

 
Now a tcp session:

[root@centos-base-88 ~]# telnet sftp.xs4all.nl 22

Trying 194.109.6.102...

Connected to sftp.xs4all.nl.

Escape character is '^]'.

SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3

^]

telnet> q

Connection closed.

As you can see, the session is opened (answer from the SSH server).

On the snort console we see:

10/22-22:06:22.493020  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.63.89:55258 -> 194.109.6.102:22

 
With tcpdump on the client we see the following:

14:39:51.080544 IP 192.168.63.89.55226 > sftp.xs4all.nl.ssh: Flags [S], seq 2360602834, win 29200, options [mss 1460,sackOK,TS val 1538492023 ecr 0,nop,wscale 7], length 0

14:39:52.080915 IP 192.168.63.89.55226 > sftp.xs4all.nl.ssh: Flags [S], seq 2360602834, win 29200, options [mss 1460,sackOK,TS val 1538493024 ecr 0,nop,wscale 7], length 0

14:39:52.183534 IP sftp.xs4all.nl.ssh > 192.168.63.89.55226: Flags [S.], seq 490682614, ack 2360602835, win 28960, options [mss 1460,sackOK,TS val 2525301259 ecr 1538493024,nop,wscale 7], length 0

14:39:52.183573 IP 192.168.63.89.55226 > sftp.xs4all.nl.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val 1538493126 ecr 2525301259], length 0

14:39:52.383808 IP sftp.xs4all.nl.ssh > 192.168.63.89.55226: Flags [P.], seq 1:40, ack 1, win 227, options [nop,nop,TS val 2525301312 ecr 1538493126], length 39

14:39:52.383829 IP 192.168.63.89.55226 > sftp.xs4all.nl.ssh: Flags [.], ack 40, win 229, options [nop,nop,TS val 1538493326 ecr 2525301312], length 0

(The timestamps are different, I know.)

The first packet is dropped, but the second apparently is passed, as an answer (packet 3) is coming in.

And the flow is established.

 
As far as I understand, pf_ring should:

1. give the first packet to snort
2. snort tells pf_ring to drop the packet
3. pf_ring should automatically drop the WHOLE flow

 
In my opinion (3) is not happening; instead of being dropped, the rest of the flow is forwarded.

 
I also tested with the parameter: --daq-var no-kernel-filters

Same result. (--daq-var no-kernel-filters should tell the driver to deliver every packet to snort, so that snort decides for EVERY packet what to do.)

 
Anyway, I am out of ideas about what the root of this problem is, so I hope somebody can give me a hint in the right direction …

 
Additional info:

Pf_ring init:

/sbin/rmmod pf_ring

/sbin/insmod /usr/lib/modules/3.10.0-693.2.2.el7.x86_64/kernel/net/pf_ring/pf_ring.ko enable_tx_capture=0

 
Snort start:

/usr/local/bin/snort -A console  --daq-dir=/usr/local/lib/daq --daq pfring -c /etc/snort/snort.conf  -i eth1:eth2  -Q  --daq-var watermark=10 --daq-var timeout=10

 
(watermark and timeout are needed, which is also a little strange in my opinion, as I do not see those parameters in many examples; if I don't use them, a single ping will have a turnaround time of 2000 milliseconds (the time pf_ring waits before delivering the packet over to snort?).)

 
[root@vsnort-82 ~]# modinfo pf_ring

filename:       /lib/modules/3.10.0-693.2.2.el7.x86_64/kernel/net/pf_ring/pf_ring.ko

alias:          net-pf-27

version:        6.7.0

description:    Packet capture acceleration and analysis

author:         ntop.org

license:        GPL

rhelversion:    7.4

srcversion:     F09B35D96D194DD7F0BA4ED

depends:       

vermagic:       3.10.0-693.2.2.el7.x86_64 SMP mod_unload modversions

parm:           min_num_slots:Min number of ring slots (uint)

parm:           perfect_rules_hash_size:Perfect rules hash size (uint)

parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)

parm:           enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)

parm:           enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)

parm:           quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)

parm:           force_ring_lock:Set to 1 to force ring locking (automatically enable with rss) (uint)

parm:           enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog, 2 for more verbosity (uint)

parm:           transparent_mode:(deprecated) (uint)

[root@vsnort-82 ~]#

 
[root@vsnort-82 ~]# cat /proc/net/pf_ring/info

PF_RING Version          : 6.7.0 (dev:24c5d32df0e72fac912f9d366b00d9b49da73e60)

Total rings              : 2

 
Standard (non ZC) Options

Ring slots               : 4096

Slot version             : 16

Capture TX               : No [RX only]

IP Defragment            : No

Socket Mode              : Standard

Cluster Fragment Queue   : 0

Cluster Fragment Discard : 0

[root@vsnort-82 ~]#

 
Many thanks in advance,

 
Anton van der leun
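The post above compares Snort's console verdicts with a client-side tcpdump capture by eye. The following script, an added example that is not part of the original message and not code from the Snort or PF_RING projects, does that correlation mechanically: it parses Snort `-A console` alert lines and `tcpdump -n` TCP lines, matches them by 5-tuple, and reports every flow for which Snort logged a `[Drop]` but the capture still shows packets arriving *from* the blacklisted host, which is exactly the "first SYN dropped, rest of flow passed" symptom. It assumes numeric tcpdump output (`-n`, so `194.109.6.102.22` rather than `sftp.xs4all.nl.ssh`) and that both captures cover the same test run; the sample lines embedded below are constructed for the example, with the client port aligned across the two captures.

```python
"""Correlate Snort [Drop] verdicts with a client-side tcpdump capture.

Added example, not code from the mailing-list post or from the Snort or
PF_RING projects. Given Snort "-A console" output and "tcpdump -n" output
for the same test, it reports TCP flows that Snort claims to have dropped
but for which the capture shows packets coming back from the blacklisted
host, i.e. the inline DAQ let the rest of the flow through.
"""
import re

# Snort console alert, e.g.
# 10/22-22:06:22.493020  [Drop] [**] [136:1:1] (spp_reputation) ... {TCP} 192.168.63.89:55258 -> 194.109.6.102:22
# The "[Drop]" action prefix is optional (plain alerts have none); ports are
# absent for ICMP.
SNORT_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?'
    r'\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

# "tcpdump -n" TCP line, e.g.
# 14:39:52.183534 IP 194.109.6.102.22 > 192.168.63.89.55226: Flags [S.], seq ...
TCPDUMP_RE = re.compile(
    r'^(?P<ts>\S+)\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]'
)


def parse_snort(line):
    """Parse one Snort console alert; return None for non-alert lines."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['sport'] = int(d['sport']) if d['sport'] else None
    d['dport'] = int(d['dport']) if d['dport'] else None
    return d


def parse_tcpdump(line):
    """Parse one 'tcpdump -n' TCP line; return None for anything else."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['sport'] = int(d['sport'])
    d['dport'] = int(d['dport'])
    return d


def flow_key(a, ap, b, bp):
    """Direction-independent key so both halves of a flow map together."""
    return tuple(sorted([(a, ap), (b, bp)]))


def leaked_flows(snort_lines, tcpdump_lines):
    """Return {(client, sport, server, dport): [flags, ...]} for every TCP
    flow with a [Drop] verdict in snort_lines whose capture still contains
    packets sent by the server side. An empty dict means every drop held."""
    dropped = {}
    for line in snort_lines:
        a = parse_snort(line)
        if a and a['action'] == 'Drop' and a['proto'] == 'TCP':
            key = flow_key(a['src'], a['sport'], a['dst'], a['dport'])
            dropped[key] = (a['src'], a['sport'], a['dst'], a['dport'])
    leaked = {}
    for line in tcpdump_lines:
        p = parse_tcpdump(line)
        if p is None:
            continue
        key = flow_key(p['src'], p['sport'], p['dst'], p['dport'])
        # A packet whose source is the dropped flow's server side got past
        # the inline sensor: the verdict did not cover the whole flow.
        if key in dropped and p['src'] == dropped[key][2]:
            leaked.setdefault(dropped[key], []).append(p['flags'])
    return leaked


# Constructed sample input (modelled on the post, ports aligned, numeric names).
SNORT_SAMPLE = """\
10/22-22:05:17.265332  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.63.89 -> 194.109.6.102
10/22-22:06:22.493020  [Drop] [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.63.89:55226 -> 194.109.6.102:22
"""

TCPDUMP_SAMPLE = """\
14:39:51.080544 IP 192.168.63.89.55226 > 194.109.6.102.22: Flags [S], seq 2360602834, win 29200, length 0
14:39:52.080915 IP 192.168.63.89.55226 > 194.109.6.102.22: Flags [S], seq 2360602834, win 29200, length 0
14:39:52.183534 IP 194.109.6.102.22 > 192.168.63.89.55226: Flags [S.], seq 490682614, ack 2360602835, win 28960, length 0
14:39:52.183573 IP 192.168.63.89.55226 > 194.109.6.102.22: Flags [.], ack 1, win 229, length 0
14:39:52.383808 IP 194.109.6.102.22 > 192.168.63.89.55226: Flags [P.], seq 1:40, ack 1, win 227, length 39
14:39:52.383829 IP 192.168.63.89.55226 > 194.109.6.102.22: Flags [.], ack 40, win 229, length 0
"""

if __name__ == '__main__':
    result = leaked_flows(SNORT_SAMPLE.splitlines(), TCPDUMP_SAMPLE.splitlines())
    if not result:
        print('all [Drop] verdicts held')
    for (client, sport, server, dport), flags in result.items():
        print(f'LEAK {client}:{sport} -> {server}:{dport}: '
              f'{len(flags)} packet(s) from server after Drop, flags {flags}')
```

Run it against real captures by feeding `splitlines()` of the Snort console log and a `tcpdump -n -i <client-if> tcp` capture taken on the client during the same test; a non-empty result is the inline-sensor failure the post describes, independent of the clock skew between the two hosts, because the match is by 5-tuple rather than by timestamp.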