
Mailing List Archive: NTop: Misc

Broken Snort timestamps?



rrotsted at pdx

May 7, 2012, 9:28 AM

Post #1 of 2 (259 views)
Broken Snort timestamps?

Luca / all,

I recently configured my Snort box to use PF_RING and the ixgb TNAPI
driver. It appears to be working correctly, but Snort is logging '0' for
the timestamp on all alerts.

Below is an example --

(Event)
sensor id: 0 event id: 24 event second: 0 event microsecond: 0
sig id: 2002027 gen id: 1 revision: 15 classification: 29
priority: 3 ip source: x.x.x.x ip destination: x.x.x.x
src port: 6667 dest port: 58737 protocol: 6 impact_flag:
0 blocked: 0

Packet
sensor id: 0 event id: 24 event second: 0
packet second: 0 packet microsecond: 0
linktype: 1 packet_length: 101

I'm not certain that this is a question for the ntop list, though
because I'm using PF_RING, the PF_RING daq module, and the TNAPI driver
I figured this would be a good place to start. I'm using a version of
PF_RING checked out from the svn repo last Thursday, Snort 2.9.2.2 and
daq 0.6.2.

Any guidance that you can provide will be greatly appreciated.

Best,

Bob

--
Bob Rotsted

Network Security Analyst
Portland State University
Desk: 503-725-6215
Cell: 503-208-6575
314B D581 A8CD E28A A690 7E9D 5B43 4B28 0EB6 A21A

_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


c.d.wakelin at reading

May 16, 2012, 10:09 AM

Post #2 of 2 (207 views)
Re: Broken Snort timestamps? [In reply to]

Interestingly, I just had the same problem with Suricata, PF_RING 5.4.0 and
ixgbe-3.7.17-TNAPIv2-260412.

I (finally) got TNAPI working with Suricata set to monitor tnapi0@0 -
tnapi0@5 with one thread per queue and it gave very good performance.

It is logging *some* of the timestamps correctly but mostly not. Both
alerts (fast.log) and HTTP logs end up with 0.

I did a "tcpdump -i tnapi0@1 -s0" to a pcap and fed that to Suricata
and the timestamps were fine.

I started TNAPI with

insmod ixgbe.ko adapters_to_enable=xx:xx:xx:xx:xx:xx RSS=6,6 num_rx_slots=2048

DNA works fine, but seems to use more CPU for some reason.

Best Wishes,
Chris


--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin [at] reading
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
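Both posts describe the same symptom: unified2 records whose event and packet timestamps come out as 0, either for every alert (Bob's Snort setup) or for most of them (Chris's Suricata setup). A sensor-health check that catches this before it silently ruins an investigation is a parser over the u2spewfoo-style text dump Bob pasted, counting zero-timestamp records. The script below is an added example, not code from the thread or from the Snort, Suricata or PF_RING projects; the sample dump it reads is constructed (Bob's two zero records plus a constructed pair with a valid timestamp), and the `max_zero_ratio` threshold is an assumed tuning knob.

```python
# Added example, not code from the thread or from the Snort/PF_RING projects.
# Parses the u2spewfoo-style text dump shown in the thread and flags records
# whose 'event second' / 'packet second' is 0. The sample dump is constructed.
import re
from datetime import datetime, timezone

EVENT_TS_RE = re.compile(r"event second:\s*(\d+)\s+event microsecond:\s*(\d+)")
PACKET_TS_RE = re.compile(r"packet second:\s*(\d+)\s+packet microsecond:\s*(\d+)")
EVENT_ID_RE = re.compile(r"event id:\s*(\d+)")


def parse_dump(text):
    """Return one dict per '(Event)' or 'Packet' block: kind, event_id, sec, usec."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("(Event)", "Packet"):
            if current is not None:
                records.append(current)
            current = {"kind": line.strip("()"), "event_id": None, "sec": None, "usec": None}
            continue
        if current is None or not line:
            continue
        m = EVENT_ID_RE.search(line)
        if m and current["event_id"] is None:
            current["event_id"] = int(m.group(1))
        # Event blocks carry 'event second', packet blocks carry 'packet second'.
        ts_re = EVENT_TS_RE if current["kind"] == "Event" else PACKET_TS_RE
        m = ts_re.search(line)
        if m:
            current["sec"], current["usec"] = int(m.group(1)), int(m.group(2))
    if current is not None:
        records.append(current)
    return records


def iso_timestamp(sec, usec):
    """Render a unified2 second/microsecond pair as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=usec).isoformat()


def zero_timestamp_report(records, max_zero_ratio=0.0):
    """Summarise how many records carry a zero timestamp.

    A zero ratio above max_zero_ratio (assumed threshold) marks the sensor as
    suspect. The thread shows both the all-zero case and the mostly-zero case,
    so the ratio is reported rather than a simple yes/no.
    """
    zero = [r for r in records if r["sec"] == 0]
    ratio = len(zero) / len(records) if records else 0.0
    return {
        "total": len(records),
        "zero": len(zero),
        "ratio": ratio,
        "suspect": ratio > max_zero_ratio,
        "zero_event_ids": sorted({r["event_id"] for r in zero if r["event_id"] is not None}),
    }


# Constructed sample: Bob's two zero-timestamp records followed by a pair with
# a valid timestamp (1336411680 = 2012-05-07T17:28:00Z).
SAMPLE_DUMP = """\
(Event)
sensor id: 0 event id: 24 event second: 0 event microsecond: 0
sig id: 2002027 gen id: 1 revision: 15 classification: 29
priority: 3 ip source: x.x.x.x ip destination: x.x.x.x
src port: 6667 dest port: 58737 protocol: 6 impact_flag:
0 blocked: 0

Packet
sensor id: 0 event id: 24 event second: 0
packet second: 0 packet microsecond: 0
linktype: 1 packet_length: 101

(Event)
sensor id: 0 event id: 25 event second: 1336411680 event microsecond: 123456
sig id: 2002027 gen id: 1 revision: 15 classification: 29
priority: 3 ip source: x.x.x.x ip destination: x.x.x.x
src port: 6667 dest port: 58738 protocol: 6 impact_flag:
0 blocked: 0

Packet
sensor id: 0 event id: 25 event second: 1336411680
packet second: 1336411680 packet microsecond: 123456
linktype: 1 packet_length: 101
"""


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for r in recs:
        shown = "ZERO" if r["sec"] == 0 else iso_timestamp(r["sec"], r["usec"])
        print(f"{r['kind']:<6} event id {r['event_id']}: {shown}")
    print(zero_timestamp_report(recs))
```

Run it against a real dump by piping `u2spewfoo` output into `parse_dump`; the same check works on the live capture versus the pcap-replay comparison Chris describes, since a replayed pcap that yields a zero ratio of 0 while the live TNAPI path does not points at the capture driver rather than the IDS.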
