Mailing List Archive: NTop: Misc

PF_RING and filter rules

 

 



peter.bates at ucl

Jul 9, 2012, 3:57 AM

Post #1 of 9 (875 views)
PF_RING and filter rules


Hello all...

Just a quick question.

I'm running 5 apps under PF_RING.

1 is unclustered and uses a BPF expression, and the proc output says:

BPF Filtering : Enabled
# Sw Filt. Rules : 0
# Hw Filt. Rules : 0

The other 4 instances are the same application (Snort) and the same
cluster-id with a BPF expression but show:

BPF Filtering : Enabled
# Sw Filt. Rules : 17176
# Hw Filt. Rules : 0

BPF Filtering : Enabled
# Sw Filt. Rules : 16305
# Hw Filt. Rules : 0

Why is the first application '0' even though it has a (software) BPF
expression, and the others are differing numbers?

Thanks.

--
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT


_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


cardigliano at ntop

Jul 11, 2012, 2:46 AM

Post #2 of 9 (803 views)
Re: PF_RING and filter rules [In reply to]

Peter
the BPF filter is not counted in "Sw Filt. Rules" (that counter only includes wildcard and hash rules).

Regards
Alfredo



peter.bates at ucl

Jul 11, 2012, 3:39 AM

Post #3 of 9 (807 views)
Re: PF_RING and filter rules [In reply to]


Hello again all

On 11/07/2012 10:46, Alfredo Cardigliano wrote:
> the BPF filter is not counted as "Sw Filt. Rules" (this only
> includes wildcard and hash rules)

> BPF Filtering : Enabled
> # Sw Filt. Rules : 17176
> # Hw Filt. Rules : 0

Okay, so what are the 17176 rules listed?
Is this the action of the clustering hashing the packets to the
different instances?

--
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT


cardigliano at ntop

Jul 11, 2012, 3:52 AM

Post #4 of 9 (830 views)
Re: PF_RING and filter rules [In reply to]

Peter
the rules listed are kernel hash filters that the DAQ module adds every time Snort emits a verdict, in order to reduce the amount of traffic it has to analyze (you can disable them with --daq-var no-kernel-filters).
Those rules are automatically removed when idle for more than 5 minutes (you can change the default with --daq-var kernel-filters-idle-timeout=<seconds>).

Regards
Alfredo

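An added example (mine, not code from PF_RING, Snort, or anyone in this thread) that reads per-socket stats in the "Label : Value" form pasted above and makes the two explanations concrete: a BPF expression only flips "BPF Filtering", while "Sw Filt. Rules" counts the per-verdict kernel hash filters, which differ per Snort instance because each instance has verdicted its own set of flows. The field labels "Appl. Name" and "Cluster Id", the sample dumps, and the KernelFilterTable model of the 5-minute idle expiry are assumptions of this example, not taken from the DAQ source.

```python
"""Read PF_RING per-socket stats and account for kernel filter rules.

Added example for this thread; it is not code from PF_RING, Snort or the
posters. Assumptions (not confirmed by the thread): the stats text uses
"Label : Value" lines as pasted above; the "Appl. Name" and "Cluster Id"
labels and the sample dumps below are constructed; KernelFilterTable is a
model of the DAQ behaviour Alfredo describes, not the DAQ's own code.
"""
import re
from typing import Dict

# "# Sw Filt. Rules : 17176"  ->  key "Sw Filt. Rules", value "17176"
_LINE_RE = re.compile(r"^\s*#?\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_ring_stats(text: str) -> Dict[str, str]:
    """Turn one /proc/net/pf_ring per-socket dump into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def audit_ring(text: str, warn_rules: int = 1000) -> Dict[str, object]:
    """Explain the three filter counters for one ring.

    A BPF expression shows only as 'BPF Filtering : Enabled'; it is never
    counted under 'Sw Filt. Rules', which holds wildcard/hash rules only
    (post #2). A large hash-rule count on a Snort ring means the DAQ has
    asked the kernel to stop delivering packets for that many verdicted
    flows (post #4), i.e. traffic the analyzer will not see.
    """
    f = parse_ring_stats(text)
    sw = int(f.get("Sw Filt. Rules", "0"))
    hw = int(f.get("Hw Filt. Rules", "0"))
    return {
        "app": f.get("Appl. Name", "unknown"),
        "cluster": f.get("Cluster Id", "none"),
        "bpf": f.get("BPF Filtering", "Disabled") == "Enabled",
        "sw_rules": sw,
        "hw_rules": hw,
        "verdict_filters_active": (sw + hw) > 0,
        "warn": (sw + hw) >= warn_rules,  # threshold is an arbitrary choice
    }


class KernelFilterTable:
    """Model of the per-verdict kernel hash filters described in post #4.

    One rule per flow key (e.g. a 5-tuple), refreshed on every verdict and
    dropped once idle longer than `idle_timeout` seconds (DAQ default 300,
    tunable with --daq-var kernel-filters-idle-timeout=<seconds>).
    """

    def __init__(self, idle_timeout: int = 300) -> None:
        self.idle_timeout = idle_timeout
        self._last_seen: Dict[tuple, float] = {}

    def verdict(self, flow: tuple, now: float) -> None:
        self._last_seen[flow] = now

    def expire(self, now: float) -> int:
        """Drop idle rules; return how many were removed."""
        stale = [k for k, t in self._last_seen.items()
                 if now - t > self.idle_timeout]
        for k in stale:
            del self._last_seen[k]
        return len(stale)

    def __len__(self) -> int:
        return len(self._last_seen)


# Constructed sample: one unclustered BPF-only ring and two Snort cluster
# members, using the counter values from the thread.
SAMPLE_RINGS = [
    "Appl. Name : sniffer\nCluster Id : 0\nBPF Filtering : Enabled\n"
    "# Sw Filt. Rules : 0\n# Hw Filt. Rules : 0\n",
    "Appl. Name : snort\nCluster Id : 99\nBPF Filtering : Enabled\n"
    "# Sw Filt. Rules : 17176\n# Hw Filt. Rules : 0\n",
    "Appl. Name : snort\nCluster Id : 99\nBPF Filtering : Enabled\n"
    "# Sw Filt. Rules : 16305\n# Hw Filt. Rules : 0\n",
]

if __name__ == "__main__":
    for dump in SAMPLE_RINGS:
        print(audit_ring(dump))
    table = KernelFilterTable()
    table.verdict(("10.0.0.1", 40000, "10.0.0.2", 80, 6), now=0)
    table.verdict(("10.0.0.1", 40001, "10.0.0.2", 443, 6), now=200)
    table.expire(now=400)   # first flow idle for 400s > 300s, so it goes
    print(len(table))       # 1
```

Point it at the per-socket files under /proc/net/pf_ring/ on a live sensor to see how many flows the DAQ has asked the kernel to stop delivering; a large or steadily growing count on a Snort ring is the signal that later packets of those flows are being dropped before Snort sees them, which is exactly what --daq-var no-kernel-filters switches off.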


jovimon at gmail

Jun 26, 2015, 4:17 AM

Post #5 of 9 (155 views)
Re: PF_RING and filter rules [In reply to]

Excuse me for reviving this thread.

I've been using Snort's DAQ module variable no-kernel-filters for a long
time, but recently switched to pfring_zc and got this error:

FATAL ERROR: Can't initialize DAQ pfring_zc (-1) -
pfring_zc_daq_initialize: unsupported variable(no-kernel-filters=1)

Why isn't this variable present on the ZC driver? Am I missing something?

Thanks,

Jose Vila.



cardigliano at ntop

Jun 26, 2015, 6:29 AM

Post #6 of 9 (156 views)
Re: PF_RING and filter rules [In reply to]

Hi Jose
since the kernel is bypassed with ZC, it is not possible to set kernel filters at all, thus no-kernel-filters is not needed.

Best Regards
Alfredo



jovimon at gmail

Jun 29, 2015, 1:16 AM

Post #7 of 9 (151 views)
Re: PF_RING and filter rules [In reply to]

Hello Alfredo,
Thank you very much for the explanation.
Regards,
Jose.



jovimon at gmail

Aug 14, 2015, 3:39 AM

Post #8 of 9 (58 views)
Re: PF_RING and filter rules [In reply to]

Hi again Alfredo,

I keep having problems of apparent traffic loss even with ZC driver.

I've installed Suricata just to generate HTTP and DNS logs (alert
detection disabled), and right after starting it I get about 2k to 4k HTTP
log entries per minute. Now (24h later) I only get 10 to 30 log entries per
minute, with occasional spikes of up to 1.5k entries in a minute.

I know there are no kernel filters as I'm using ZC. Is there an equivalent
in ZC to the normal kernel filters? That would explain this behaviour, as
it's quite similar to what we had back when we discovered the
no-kernel-filters DAQ var.

Thank you very much.

Regards,

Jose Vila.





cardigliano at ntop

Aug 14, 2015, 9:50 AM

Post #9 of 9 (56 views)
Re: PF_RING and filter rules [In reply to]

Hi Jose
there is no filtering support at the moment in ZC (the kernel is bypassed).
With some cards we have HW filtering support in ZC, but I do not think it is supported by Suricata.

Regards
Alfredo

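An added check for the symptom Jose reports above (this is my example, not code from Suricata, PF_RING or the posters, and the thread does not settle what caused his drop): count HTTP events per minute from Suricata EVE JSON output and flag when the recent rate collapses relative to the rate shortly after start-up. It assumes EVE lines carry "timestamp" and "event_type" fields; the log lines are constructed inside the block, and the window sizes and 0.2 ratio are arbitrary thresholds.

```python
"""Flag a collapsing per-minute event rate in Suricata EVE JSON output.

Added example for this thread (not code from Suricata, PF_RING or the
posters). Assumes each EVE line is a JSON object with "timestamp"
(e.g. 2015-08-14T12:39:00.123456+0000) and "event_type". The sample lines,
window sizes and drop ratio below are constructed/arbitrary.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"


def events_per_minute(lines: Iterable[str],
                      event_type: str = "http") -> Dict[datetime, int]:
    """Count events of one type per minute (key: timezone-aware minute)."""
    counts: Counter = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # torn line at the tail of a live file: skip, don't abort
        if rec.get("event_type") != event_type:
            continue
        ts = datetime.strptime(rec["timestamp"], EVE_TS)
        counts[ts.replace(second=0, microsecond=0)] += 1
    return dict(counts)


def minute_series(counts: Dict[datetime, int]) -> List[int]:
    """Dense per-minute counts from the first to the last seen minute.

    Minutes with no events become 0, so a total visibility loss shows up
    in the series instead of silently vanishing from the dict.
    """
    if not counts:
        return []
    t, end = min(counts), max(counts)
    series: List[int] = []
    while t <= end:
        series.append(counts.get(t, 0))
        t += timedelta(minutes=1)
    return series


def rate_drop(series: List[int], baseline: int = 5, recent: int = 5,
              ratio: float = 0.2) -> Tuple[float, float, bool]:
    """Mean of the first `baseline` minutes vs. the last `recent` minutes.

    Returns (baseline_mean, recent_mean, dropped); dropped is True when the
    recent mean fell below ratio * baseline_mean. Too little data gives
    (0.0, 0.0, False) rather than a false alarm.
    """
    if len(series) < baseline + recent:
        return (0.0, 0.0, False)
    b = sum(series[:baseline]) / baseline
    r = sum(series[-recent:]) / recent
    return (b, r, r < ratio * b)


def sample_eve_lines() -> List[str]:
    """Constructed EVE output: 5 healthy minutes (40 http/min) then 5
    starved minutes (2 http/min), plus one dns record per minute as noise."""
    lines: List[str] = []
    start = datetime(2015, 8, 14, 12, 0, tzinfo=timezone.utc)
    for minute in range(10):
        n = 40 if minute < 5 else 2
        for i in range(n):
            ts = start + timedelta(minutes=minute, seconds=i)
            lines.append(json.dumps({"timestamp": ts.strftime(EVE_TS),
                                     "event_type": "http",
                                     "http": {"hostname": "example.invalid"}}))
        ts = start + timedelta(minutes=minute)
        lines.append(json.dumps({"timestamp": ts.strftime(EVE_TS),
                                 "event_type": "dns"}))
    return lines


if __name__ == "__main__":
    series = minute_series(events_per_minute(sample_eve_lines(), "http"))
    print(series)             # [40, 40, 40, 40, 40, 2, 2, 2, 2, 2]
    print(rate_drop(series))  # (40.0, 2.0, True)
```

Feed it the real eve.json (or tail it into the function) and alert on the dropped flag; on a ZC sensor, where the thread confirms no kernel filters exist, a collapse like this points at capture or upstream delivery rather than at verdict-driven filtering.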
