Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: NTop: Misc

PF_RING and filter rules

 

 

NTop misc RSS feed   Index | Next | Previous | View Threaded


peter.bates at ucl

Jul 9, 2012, 3:57 AM

Post #1 of 4 (649 views)
Permalink
PF_RING and filter rules

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all...

Just a quick question.

I'm running 5 apps under PF_RING.

1 is unclustered and uses a BPF expression, and the proc output says:

BPF Filtering : Enabled
# Sw Filt. Rules : 0
# Hw Filt. Rules : 0

The other 4 instances are the same application (Snort) and the same
cluster-id with a BPF expression but show:

BPF Filtering : Enabled
# Sw Filt. Rules : 17176
# Hw Filt. Rules : 0

BPF Filtering : Enabled
# Sw Filt. Rules : 16305
# Hw Filt. Rules : 0

Why is the first application '0' even though it has a (software) BPF
expression, and the others are differing numbers?

Thanks.

- --
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP+rkDAAoJELhVoVpEMS6RcN8H/AyaCO4LNJdUM7wGqsfwsnT1
hDfkeoeRtmodWKpLRqF3sxQPDiZVcOZ5OJU3oAUqQSvRxYlgKy+knM3k198MbNqH
x6+tJUzUyMdS+yQCIK5DNrAMTHzFf/P4db3eAUoJGANntx51cNRzdHQqGV1Vhp40
VKA4m5y96yTlfJtNLK1MmuRzqJHlwfi8usw5JiHo6yUmGhGqtLEseC4dKlHV06Gq
EsZIGIqMnsKpY/3joU10mutaT4CblJdhqDkSARJeACKRuBB7FLgQvQ60hAON8uuq
e/woh2J9vks41UxXMmVRhfqGsxePkctsNDfmY9nBcE/o0qlWnfnYUbNiBG34qLw=
=SOEV
-----END PGP SIGNATURE-----

_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


cardigliano at ntop

Jul 11, 2012, 2:46 AM

Post #2 of 4 (585 views)
Permalink
Re: PF_RING and filter rules [In reply to]

Peter
the BPF filter is not counted as "Sw Filt. Rules" (this only includes wildcard and hash rules)

Regards
Alfredo

On Jul 9, 2012, at 12:57 PM, Peter Bates wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello all...
>
> Just a quick question.
>
> I'm running 5 apps under PF_RING.
>
> 1 is unclustered and uses a BPF expression, and the proc output says:
>
> BPF Filtering : Enabled
> # Sw Filt. Rules : 0
> # Hw Filt. Rules : 0
>
> The other 4 instances are the same application (Snort) and the same
> cluster-id with a BPF expression but show:
>
> BPF Filtering : Enabled
> # Sw Filt. Rules : 17176
> # Hw Filt. Rules : 0
>
> BPF Filtering : Enabled
> # Sw Filt. Rules : 16305
> # Hw Filt. Rules : 0
>
> Why is the first application '0' even though it has a (software) BPF
> expression, and the others are differing numbers?
>
> Thanks.
>
> - --
> Peter Bates
> Senior Computer Security Officer Phone: +44(0)2076792049
> Information Services Division Internal Ext: 32049
> University College London
> London WC1E 6BT
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJP+rkDAAoJELhVoVpEMS6RcN8H/AyaCO4LNJdUM7wGqsfwsnT1
> hDfkeoeRtmodWKpLRqF3sxQPDiZVcOZ5OJU3oAUqQSvRxYlgKy+knM3k198MbNqH
> x6+tJUzUyMdS+yQCIK5DNrAMTHzFf/P4db3eAUoJGANntx51cNRzdHQqGV1Vhp40
> VKA4m5y96yTlfJtNLK1MmuRzqJHlwfi8usw5JiHo6yUmGhGqtLEseC4dKlHV06Gq
> EsZIGIqMnsKpY/3joU10mutaT4CblJdhqDkSARJeACKRuBB7FLgQvQ60hAON8uuq
> e/woh2J9vks41UxXMmVRhfqGsxePkctsNDfmY9nBcE/o0qlWnfnYUbNiBG34qLw=
> =SOEV
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc [at] listgateway
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


peter.bates at ucl

Jul 11, 2012, 3:39 AM

Post #3 of 4 (589 views)
Permalink
Re: PF_RING and filter rules [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello again all

On 11/07/2012 10:46, Alfredo Cardigliano wrote:
> the BPF filter is not counted as "Sw Filt. Rules" (this only
> includes wildcard and hash rules)

> BPF Filtering : Enabled # Sw Filt. Rules : 17176 # Hw Filt.
> Rules : 0

Okay, so what are the 17176 rules listed?
Is this the action of the clustering hashing the packets to the
different instances?

- --
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP/VfGAAoJELhVoVpEMS6RvxAH/RakX+LbYrzy26eYeZSXDc7s
sLDosX2v7E1+C6xn8pXvce91mGqml+niZbK+XJyERMEF+kicD/VGWPML1KsVvEDn
FATw4lKrzO3hdKEjvjqga0M5QOM99G1GVdJ6JI+agwBszfBASfobjkBs7L+NhTlU
mEi3pox0JnN9qGeZ3g6JW1zGur2nkGKQu1H4Dlfa014XHQNnTAgahgSrHTRnAoRX
uzK6A2khtssQFPx0X9m/2GjOADc//8xxpt/swhy9nDKmChf3npfcQe36FldCYMdf
7w2lg4uepYJUFGeik4sXv65pkQjx1yGhc4CSoeNz9IdtmpJtmq9N05qd3y6LAdI=
=RwA7
-----END PGP SIGNATURE-----

_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


cardigliano at ntop

Jul 11, 2012, 3:52 AM

Post #4 of 4 (603 views)
Permalink
Re: PF_RING and filter rules [In reply to]

Peter
the rules listed are kernel hash filters added by the DAQ module (you can disable them with --daq-var no-kernel-filters)
every time snort emits a verdict, in order to reduce the amount of traffic it has to analyze.
Those rules are automatically removed when idle for more than 5 minutes (you can change the default with --daq-var kernel-filters-idle-timeout=<seconds>)

Regards
Alfredo

On Jul 11, 2012, at 12:39 PM, Peter Bates wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello again all
>
> On 11/07/2012 10:46, Alfredo Cardigliano wrote:
>> the BPF filter is not counted as "Sw Filt. Rules" (this only
>> includes wildcard and hash rules)
>
>> BPF Filtering : Enabled # Sw Filt. Rules : 17176 # Hw Filt.
>> Rules : 0
>
> Okay, so what are the 17176 rules listed?
> Is this the action of the clustering hashing the packets to the
> different instances?
>
> - --
> Peter Bates
> Senior Computer Security Officer Phone: +44(0)2076792049
> Information Services Division Internal Ext: 32049
> University College London
> London WC1E 6BT
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJP/VfGAAoJELhVoVpEMS6RvxAH/RakX+LbYrzy26eYeZSXDc7s
> sLDosX2v7E1+C6xn8pXvce91mGqml+niZbK+XJyERMEF+kicD/VGWPML1KsVvEDn
> FATw4lKrzO3hdKEjvjqga0M5QOM99G1GVdJ6JI+agwBszfBASfobjkBs7L+NhTlU
> mEi3pox0JnN9qGeZ3g6JW1zGur2nkGKQu1H4Dlfa014XHQNnTAgahgSrHTRnAoRX
> uzK6A2khtssQFPx0X9m/2GjOADc//8xxpt/swhy9nDKmChf3npfcQe36FldCYMdf
> 7w2lg4uepYJUFGeik4sXv65pkQjx1yGhc4CSoeNz9IdtmpJtmq9N05qd3y6LAdI=
> =RwA7
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc [at] listgateway
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

NTop misc RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.