vipinpv85 / DPDK-Suricata_3.0

add dpdk interface and packet processing to suricata in worker mode
https://github.com/vipinpv85/DPDK-Suricata_3.0
GNU Lesser General Public License v3.0

Acl IPv4 failed -12 #26

Closed. Leonardo-DiCaprio closed this 4 years ago.

Leonardo-DiCaprio commented 4 years ago

I built dpdk-suricata properly and DPDK worked well, but when I run /home/adm1n/DPDK-Suricata_3.0-master/suricata-3.0/src/suricata -c suricata.yaml -s test.rules --dpdkintel -vv I get this error message. I am trying to figure out whether there is something wrong with my configuration.

2/8/2020 -- 21:31:15 - - section (EAL) has entries 8
2/8/2020 -- 21:31:15 - - - name: (-l) value: (1-5)
2/8/2020 -- 21:31:15 - - - name: (--base-virtaddr) value: (0x300000000000)
2/8/2020 -- 21:31:15 - - - name: (--master-lcore) value: (1)
2/8/2020 -- 21:31:15 - - - name: (--socket-mem) value: (128)
2/8/2020 -- 21:31:15 - - - name: (--socket-limit) value: (2048)
2/8/2020 -- 21:31:15 - - - name: (--log-level) value: (eal,8)
2/8/2020 -- 21:31:15 - - - name: (-w) value: (0000:03:00.0)
2/8/2020 -- 21:31:15 - - - name: (-w) value: (0000:03:00.1)
EAL: Detected lcore 0 as core 0 on socket 0
EAL: Detected lcore 1 as core 1 on socket 0
EAL: Detected lcore 2 as core 2 on socket 0
EAL: Detected lcore 3 as core 3 on socket 0
EAL: Detected lcore 4 as core 4 on socket 0
EAL: Detected lcore 5 as core 5 on socket 0
EAL: Detected lcore 6 as core 0 on socket 0
EAL: Detected lcore 7 as core 1 on socket 0
EAL: Detected lcore 8 as core 2 on socket 0
EAL: Detected lcore 9 as core 3 on socket 0
EAL: Detected lcore 10 as core 4 on socket 0
EAL: Detected lcore 11 as core 5 on socket 0
EAL: Support maximum 128 logical core(s) by configuration.
EAL: Detected 12 lcore(s)
EAL: Detected 1 NUMA nodes
EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
EAL: Module /sys/module/vfio_pci not found! error 2 (No such file or directory)
EAL: VFIO PCI modules not loaded
EAL: No free hugepages reported in hugepages-1048576kB
EAL: Probing VFIO support...
EAL: Module /sys/module/vfio not found! error 2 (No such file or directory)
EAL: VFIO modules not loaded, skipping VFIO support...
EAL: Ask a virtual area of 0x2e000 bytes
EAL: Virtual area found at 0x300000000000 (size = 0x2e000)
EAL: Setting up physically contiguous memory...
EAL: Setting maximum number of open files to 1048576
EAL: Detected memory type: socket_id:0 hugepage_sz:2097152
EAL: Creating 4 segment lists: n_segs:8192 socket_id:0 hugepage_sz:2097152
EAL: Ask a virtual area of 0x61000 bytes
EAL: Virtual area found at 0x30000002e000 (size = 0x61000)
EAL: Memseg list allocated: 0x800kB at socket 0
EAL: Ask a virtual area of 0x400000000 bytes
EAL: Virtual area found at 0x300000200000 (size = 0x400000000)
EAL: Ask a virtual area of 0x61000 bytes
EAL: Virtual area found at 0x300400200000 (size = 0x61000)
EAL: Memseg list allocated: 0x800kB at socket 0
EAL: Ask a virtual area of 0x400000000 bytes
EAL: Virtual area found at 0x300400400000 (size = 0x400000000)
EAL: Ask a virtual area of 0x61000 bytes
EAL: Virtual area found at 0x300800400000 (size = 0x61000)
EAL: Memseg list allocated: 0x800kB at socket 0
EAL: Ask a virtual area of 0x400000000 bytes
EAL: Virtual area found at 0x300800600000 (size = 0x400000000)
EAL: Ask a virtual area of 0x61000 bytes
EAL: Virtual area found at 0x300c00600000 (size = 0x61000)
EAL: Memseg list allocated: 0x800kB at socket 0
EAL: Ask a virtual area of 0x400000000 bytes
EAL: Virtual area found at 0x300c00800000 (size = 0x400000000)
EAL: Allocating 64 pages of size 2M on socket 0
EAL: Trying to obtain current memory policy.
EAL: Setting policy MPOL_PREFERRED for socket 0
EAL: Restoring previous memory policy: 0
EAL: Mem alloc validator 'socket-limit' on socket 0 with limit 2147483648 registered
EAL: Added 128M to heap on socket 0
EAL: TSC frequency is ~3696064 KHz
EAL: Master lcore 1 is ready (tid=7f4d761daac0;cpuset=[1])
EAL: lcore 3 is ready (tid=7f4d716dc700;cpuset=[3])
EAL: lcore 2 is ready (tid=7f4d71edd700;cpuset=[2])
EAL: lcore 4 is ready (tid=7f4d70edb700;cpuset=[4])
EAL: lcore 5 is ready (tid=7f4d706da700;cpuset=[5])
EAL: PCI device 0000:03:00.0 on NUMA socket -1
EAL: Invalid NUMA socket, default to 0
EAL: probe driver: 8086:10c9 net_e1000_igb
EAL: PCI memory mapped at 0x301000800000
EAL: PCI memory mapped at 0x301000820000
EAL: PCI memory mapped at 0x301000c20000
EAL: PCI device 0000:03:00.1 on NUMA socket -1
EAL: Invalid NUMA socket, default to 0
EAL: probe driver: 8086:10c9 net_e1000_igb
EAL: PCI memory mapped at 0x301000c24000
EAL: PCI memory mapped at 0x301000c44000
EAL: PCI memory mapped at 0x301001044000
EAL: Module /sys/module/vfio not found! error 2 (No such file or directory)
2/8/2020 -- 21:31:15 - - DPDK ACL setup
2/8/2020 -- 21:31:15 - - DPDK ipv4AclCtx: 0x3000081a1b40 done!
2/8/2020 -- 21:31:15 - - DPDK ipv6AclCtx: 0x3000081a02c0 done!
2/8/2020 -- 21:31:15 - - This is Suricata version 3.0 RELEASE
2/8/2020 -- 21:31:15 - - CPUs/cores online: 12
2/8/2020 -- 21:31:15 - - Adding interface 0000:03:00.0 from config file
2/8/2020 -- 21:31:15 - - Adding interface 0000:03:00.1 from config file
2/8/2020 -- 21:31:15 - - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
2/8/2020 -- 21:31:15 - - 'default' server has 'response-body-minimal-inspect-size' set to 42119 and 'response-body-inspect-window' set to 16872 after randomization.
2/8/2020 -- 21:31:15 - - DNS request flood protection level: 500
2/8/2020 -- 21:31:15 - - DNS per flow memcap (state-memcap): 524288
2/8/2020 -- 21:31:15 - - DNS global memcap: 16777216
2/8/2020 -- 21:31:15 - - Protocol detection and parser disabled for modbus protocol.
2/8/2020 -- 21:31:15 - - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
2/8/2020 -- 21:31:15 - - preallocated 65535 defrag trackers of size 168
2/8/2020 -- 21:31:15 - - defrag memory usage: 14679896 bytes, maximum: 33554432
2/8/2020 -- 21:31:15 - - AutoFP mode using default "Active Packets" flow load balancer
2/8/2020 -- 21:31:15 - - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
2/8/2020 -- 21:31:15 - - preallocated 1000 hosts of size 136
2/8/2020 -- 21:31:15 - - host memory usage: 398144 bytes, maximum: 16777216
2/8/2020 -- 21:31:15 - - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
2/8/2020 -- 21:31:15 - - preallocated 10000 flows of size 288
2/8/2020 -- 21:31:15 - - flow memory usage: 7074304 bytes, maximum: 67108864
2/8/2020 -- 21:31:15 - - stream "prealloc-sessions": 2048 (per thread)
2/8/2020 -- 21:31:15 - - stream "memcap": 33554432
2/8/2020 -- 21:31:15 - - stream "midstream" session pickups: disabled
2/8/2020 -- 21:31:15 - - stream "async-oneside": disabled
2/8/2020 -- 21:31:15 - - stream "checksum-validation": enabled
2/8/2020 -- 21:31:15 - - stream."inline": disabled
2/8/2020 -- 21:31:15 - - stream "max-synack-queued": 5
2/8/2020 -- 21:31:15 - - stream.reassembly "memcap": 134217728
2/8/2020 -- 21:31:15 - - stream.reassembly "depth": 1048576
2/8/2020 -- 21:31:15 - - stream.reassembly "toserver-chunk-size": 2534
2/8/2020 -- 21:31:15 - - stream.reassembly "toclient-chunk-size": 2446
2/8/2020 -- 21:31:15 - - stream.reassembly.raw: enabled
2/8/2020 -- 21:31:15 - - segment pool: pktsize 4, prealloc 256
2/8/2020 -- 21:31:15 - - segment pool: pktsize 16, prealloc 512
2/8/2020 -- 21:31:15 - - segment pool: pktsize 112, prealloc 512
2/8/2020 -- 21:31:15 - - segment pool: pktsize 248, prealloc 512
2/8/2020 -- 21:31:15 - - segment pool: pktsize 512, prealloc 512
2/8/2020 -- 21:31:15 - - segment pool: pktsize 768, prealloc 1024
2/8/2020 -- 21:31:15 - - segment pool: pktsize 1448, prealloc 1024
2/8/2020 -- 21:31:15 - - segment pool: pktsize 65535, prealloc 128
2/8/2020 -- 21:31:15 - - stream.reassembly "chunk-prealloc": 250
2/8/2020 -- 21:31:15 - - stream.reassembly "zero-copy-size": 128
2/8/2020 -- 21:31:15 - - allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
2/8/2020 -- 21:31:15 - - preallocated 1000 ippairs of size 136
2/8/2020 -- 21:31:15 - - ippair memory usage: 398144 bytes, maximum: 16777216
2/8/2020 -- 21:31:15 - - using magic-file /usr/share/file/magic
2/8/2020 -- 21:31:15 - - Delayed detect disabled
2/8/2020 -- 21:31:15 - - IP reputation disabled
2/8/2020 -- 21:31:15 - - Loading rule file: /home/adm1n/DPDK-Suricata_3.0-master/suricata-3.0/rules/decoder-events.rules
2/8/2020 -- 21:31:15 - - ACL ipv4 add fail -12
2/8/2020 -- 21:31:15 - - - Proto 0x0 Mask 0xFF
2/8/2020 -- 21:31:15 - - - SRC IP 0 Mask ffffffff
2/8/2020 -- 21:31:15 - - - DST IP 0 Mask ffffffff
2/8/2020 -- 21:31:15 - - [ERRCODE: SC_ERR_DPDKINTEL_CONFIG_FAILED(275)] - Acl IPv4 failed -12!

And my PCI status:

Network devices using DPDK-compatible driver

0000:03:00.0 '82576 Gigabit Network Connection 10c9' drv=igb_uio unused=igb
0000:03:00.1 '82576 Gigabit Network Connection 10c9' drv=igb_uio unused=igb

Network devices using kernel driver

0000:00:1f.6 'Ethernet Connection (7) I219-LM 15bb' if=eno1 drv=e1000e unused=igb_uio Active

And the DPDK Intel ports:

--- DPDK Intel Ports ---

And here are my config files:

suricata.yaml.txt

dpdk-suricata.ini.txt

And I got a strace output file for this.

strace.output.txt

Is there something wrong with my configuration?

vipinpv85 commented 4 years ago

> 2/8/2020 -- 21:31:15 - - Loading rule file: /home/adm1n/DPDK-Suricata_3.0-master/suricata-3.0/rules/decoder-events.rules
>
> 2/8/2020 -- 21:31:15 - - ACL ipv4 add fail -12

As per your configuration, the maximum number of ACL rules you have configured is

[ACL-IPV4]
rule_count=32

[ACL-IPV6]
rule_count=32

but you are adding decoder-events.rules as well. This is not related to any of the DPDK changes made. Please fix your configuration.
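Added example (not part of this thread and not the project's code): an offline check for the situation the maintainer describes, a rule file with more active rules than the rule_count set for the ACL context in dpdk-suricata.ini. It decodes the -12 return code through errno (on Linux -12 is ENOMEM, the code DPDK's rte_acl_add_rules() returns when adding rules would exceed the context's maximum), reads the [ACL-IPV4] and [ACL-IPV6] sections and counts the rule lines Suricata would actually load. The ini text and the rules file are constructed samples; the mapping "one active rule = one ACL entry" is an assumption, since the page does not document how the port offloads rules into the ACL.

```python
import configparser
import errno

# Constructed sample inputs (not the reporter's real files). The ini section
# layout mirrors the snippet the maintainer quoted from dpdk-suricata.ini;
# the rules file is a made-up ruleset with 34 active rules.
SAMPLE_INI = """\
[ACL-IPV4]
rule_count=32

[ACL-IPV6]
rule_count=32
"""

SAMPLE_RULES = "\n".join(
    [
        "# constructed test ruleset, not a real Suricata rules file",
        '# alert tcp any any -> any any (msg:"disabled rule"; sid:999;)',
        "",
    ]
    + [
        f'alert tcp any any -> any 80 (msg:"constructed rule {i}"; sid:{i};)'
        for i in range(1, 35)
    ]
) + "\n"


def decode_dpdk_rc(rc):
    """Map a negative DPDK return code to its errno name (-12 -> "ENOMEM")."""
    if rc >= 0:
        return "OK"
    return errno.errorcode.get(-rc, f"unknown({rc})")


def acl_capacity(ini_text):
    """Read the per-family ACL rule capacity from the [ACL-IPV4]/[ACL-IPV6] sections."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {
        "ipv4": cp.getint("ACL-IPV4", "rule_count"),
        "ipv6": cp.getint("ACL-IPV6", "rule_count"),
    }


def count_active_rules(rules_text):
    """Count rule lines Suricata would load: skip blank lines, '#' comments and
    backslash continuation lines (they belong to the previous rule)."""
    count = 0
    continuing = False
    for raw in rules_text.splitlines():
        line = raw.strip()
        if continuing:
            continuing = line.endswith("\\")
            continue
        if not line or line.startswith("#"):
            continue
        count += 1
        continuing = line.endswith("\\")
    return count


def acl_headroom(ini_text, rules_text):
    """Compare the active rule count with each family's configured capacity.

    Assumption (not documented on the page): every active rule consumes one
    entry in the ACL context it is offloaded to, so negative headroom predicts
    rte_acl_add_rules() failing with -ENOMEM, the -12 seen in the log.
    """
    rules = count_active_rules(rules_text)
    report = {}
    for family, cap in acl_capacity(ini_text).items():
        report[family] = {
            "capacity": cap,
            "rules": rules,
            "headroom": cap - rules,
            "fits": rules <= cap,
        }
    return report


if __name__ == "__main__":
    print("rc -12 means", decode_dpdk_rc(-12))
    for fam, r in acl_headroom(SAMPLE_INI, SAMPLE_RULES).items():
        state = "ok" if r["fits"] else "WILL FAIL"
        print(f"{fam}: {r['rules']} rules vs capacity {r['capacity']} -> {state}")
```

Run it directly to print the headroom per family; with the constructed input both contexts are two rules short, the same shape of failure as the "ACL ipv4 add fail -12" line above. Point it at the real dpdk-suricata.ini and every file listed under rule-files in suricata.yaml (not only the -s file) to check a live box, since the log shows the failure surfacing while decoder-events.rules is being loaded, not the rules passed on the command line.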

Leonardo-DiCaprio commented 4 years ago

Sorry to bother. I changed my maximum number of rules to 10000, and nothing else in suricata.yaml has been changed. Then I linked my NIC eno1 (which uses the kernel driver) to 0000:03:00.0 (which uses the igb_uio module) with a fiber, and tried to send traffic through tcpreplay by:

tcpreplay -i eno1 mytest.pcap (I got this pcap file through Wireshark. It includes enough DNS records.)

It seems Suricata started to work.

I am wondering how DPDK-Suricata detects DNS or HTTP traffic, as DPDK works in the second and third layer. I enabled dns-log in suricata.yaml but I didn't get any record in dns.log. What should I do if I want to detect DNS traffic?

vipinpv85 commented 4 years ago

> Sorry to bother. I changed my maximum number of rules to 10000, and nothing else in suricata.yaml has been changed.

If you only want to load specific rules, you should edit suricata.yaml.

> Then I linked my NIC eno1 (which uses the kernel driver) to 0000:03:00.0 (which uses the igb_uio module) with a fiber, and tried to send traffic through tcpreplay by:
>
> tcpreplay -i eno1 mytest.pcap (I got this pcap file through Wireshark. It includes enough DNS records.)

I am not clear: if the DPDK NIC is eno1 0000:03:00.0, how can you run tcpreplay on the same port? You should be using a different port or a different machine.

> It seems Suricata started to work.
>
> I am wondering how DPDK-Suricata detects DNS or HTTP traffic, as DPDK works in the second and third layer.

Please explain, I did not follow your second or third layer.

> I enabled dns-log in suricata.yaml but I didn't get any record in dns.log. What should I do if I want to detect DNS traffic?

You should have DNS rules to which traffic hitting DNS should be sent.

Note: this is not the original problem.

Leonardo-DiCaprio commented 4 years ago

> I am not clear: if the DPDK NIC is eno1 0000:03:00.0, how can you run tcpreplay on the same port? You should be using a different port or a different machine.

My DPDK NIC is enp3s0f0 0000:03:00.0. I don't have another machine, but I have another NIC named eno1. So I linked eno1 and enp3s0f0 with a fiber, trying to turn eno1 into a traffic generator. And then I used tcpreplay to send the pcap file to eno1.

> Please explain, I did not follow your second or third layer.

I mean DPDK can forward second- and third-layer (in the TCP/IP layering model) traffic, but DNS is a fourth-layer protocol. So how can I detect DNS traffic using dpdk-suricata? Actually, I changed dns.rules and removed all the rule records in it. Then I added a new record which alerts on all DNS traffic as a test: alert dns any any -> any any (msg:"hit dns..";sid:1;). And I enabled the dns-log in suricata.yaml:

default-rule-path: /home/adm1n/DPDK-Suricata_3.0-master/suricata-3.0/rules
rule-files:
      - dns-events.rules     # available in suricata sources under rules dir

Then I ran the command:

sudo /home/adm1n/DPDK-Suricata_3.0-master/suricata-3.0/src/suricata -c suricata.yaml -s test.rules --dpdkintel
(test.rules: alert TCP any any -> any any (msg:"hit tcp..";sid:2;))

I got TCP alerts in fast.log. But I got nothing in dns.log, where there should be a lot of alerts for the DNS traffic in my pcap file. So I think maybe it is DPDK-Suricata that cannot detect DNS traffic? Or maybe there is still something wrong in my configuration.

vipinpv85 commented 4 years ago

> I am not clear: if the DPDK NIC is eno1 0000:03:00.0, how can you run tcpreplay on the same port? You should be using a different port or a different machine.
>
> My DPDK NIC is enp3s0f0 0000:03:00.0. I don't have another machine, but I have another NIC named eno1. So I linked eno1 and enp3s0f0 with a fiber, trying to turn eno1 into a traffic generator. And then I used tcpreplay to send the pcap file to eno1.

Now it is clear: you have 2 ports, nic-1 (DPDK) and nic-2 (kernel). Using the kernel NIC port you are sending traffic.

> Please explain, I did not follow your second or third layer.
>
> I mean DPDK can forward second- and third-layer (in the TCP/IP layering model) traffic,

I assumed you had a background in how Suricata works, but it looks like this is not true.

> but DNS is a fourth-layer protocol. So how can I detect DNS traffic using dpdk-suricata? Actually, I changed dns.rules and removed all the rule records in it. Then I added a new record which alerts on all DNS traffic as a test.
>
> alert dns any any -> any any (msg:"hit dns..";sid:1;) And I enabled the dns-log in suricata.yaml:
>
> default-rule-path: /home/adm1n/DPDK-Suricata_3.0-master/suricata-3.0/rules
> rule-files:
>       - dns-events.rules     # available in suricata sources under rules dir
>
> Then I ran the command:
>
> sudo /home/adm1n/DPDK-Suricata_3.0-master/suricata-3.0/src/suricata -c suricata.yaml -s test.rules --dpdkintel
> (test.rules: alert TCP any any -> any any (msg:"hit tcp..";sid:2;))
>
> I got TCP alerts in fast.log. But I got nothing in dns.log, where there should be a lot of alerts for the DNS traffic in my pcap file. So I think maybe it is DPDK-Suricata that cannot detect DNS traffic? Or maybe there is still something wrong in my configuration.

I cannot make any comments without understanding your pcap traffic (whether a DNS request is sent or not).

Leonardo-DiCaprio commented 4 years ago

> I cannot make any comments without understanding your pcap traffic (whether a DNS request is sent or not).

I'd like to show you a piece of my pcap file (the original one is too large to upload), which includes most kinds of traffic I sent through my NIC (except HTTP traffic, which doesn't matter to my experiment). I ran tcpreplay to send 10,000 packets to the DPDK port, hoping that I could detect some DNS traffic. Here is my tcpreplay command:

rec.pcap.txt

sudo tcpreplay -i eno1 -l 0 -L 10000 ./rec.pcap

Actually, dpdk-suricata shows that I received most of the traffic (not all of it; some packets are too long to send through tcpreplay):

6/8/2020 -- 12:58:35 - <Notice> - DPDK Started in IDS Mode!!!
^C6/8/2020 -- 13:02:08 - <Notice> - Signal Received.  Stopping engine.
6/8/2020 -- 13:02:08 - <Notice> -  --- thread stats for Intf: 0 to 0 --- 
6/8/2020 -- 13:02:08 - <Notice> -  +++ ACL +++
6/8/2020 -- 13:02:08 - <Notice> -  - non IP 1187
6/8/2020 -- 13:02:08 - <Notice> -  +++ ipv4 7169 +++
6/8/2020 -- 13:02:08 - <Notice> -  - lookup: success 7169, fail 0
6/8/2020 -- 13:02:08 - <Notice> -  - result: hit 6068, miss 1101
6/8/2020 -- 13:02:08 - <Notice> -  +++ ipv6 325 +++
6/8/2020 -- 13:02:08 - <Notice> -  - lookup: success 325, fail 0
6/8/2020 -- 13:02:08 - <Notice> -  - result: hit 4, miss 321
6/8/2020 -- 13:02:08 - <Notice> -  +++ ring +++
6/8/2020 -- 13:02:08 - <Notice> -  ERR: full 0, enq 0, tx 0
6/8/2020 -- 13:02:08 - <Notice> -  +++ port 0 +++
6/8/2020 -- 13:02:08 - <Notice> -  - index 0 pkts RX **8681** TX 0 MISS 0
6/8/2020 -- 13:02:08 - <Notice> -  - Errors RX: 0 TX: 0 Mbuff: 0
6/8/2020 -- 13:02:08 - <Notice> -  - Queue Dropped pkts: 0
6/8/2020 -- 13:02:08 - <Notice> - ----------------------------------
6/8/2020 -- 13:02:08 - <Notice> - Stats for '0000:03:00.0':  pkts: 0, drop: 0 (-nan%), invalid chksum: 0

But nothing has been detected yet. And I get an empty dns.log and an eve.log which shows that only empty packets were received. And I found that even though I don't push any traffic to the DPDK interface, dpdk-suricata receives those empty packets as well (maybe it is a tiny bug of my fiber topology). So I think I don't actually get any event analyzed.

eve.json.txt

> I assumed you had a background in how Suricata works, but it looks like this is not true.

Now I know the original Suricata could work this out. So I think there is something wrong with my configuration (suricata.yaml and dpdk-suricata.ini, which I uploaded above), or with my build of dpdk-suricata.

vipinpv85 commented 4 years ago

The ticket opened is for a different issue. Why are you still using the same ticket for discussing a different problem?

> I cannot make any comments without understanding your pcap traffic (whether a DNS request is sent or not).
>
> I'd like to show you a piece of my pcap file (the original one is too large to upload), which includes most kinds of traffic I sent through my NIC (except HTTP traffic, which doesn't matter to my experiment). I ran tcpreplay to send 10,000 packets to the DPDK port, hoping that I could detect some DNS traffic. Here is my tcpreplay command:

You are still not sharing the following information:

  1. whether there is a DNS rule actually added to the system or not.
  2. whether there is a DNS request and reply sent from the pcap or not.

> Actually, dpdk-suricata shows that I received most of the traffic (not all of it; some packets are too long to send through tcpreplay):

From the logs it is evident that for ipv4 there is a total of 7169 packets received, of which 6068 are sent to Suricata, while 1101 are bypassed (there were no rules to offload to ACL).

> But nothing has been detected yet. And I get an empty dns.log and an eve.log which shows that only empty packets were received.

Incorrect understanding. It is not empty packets, but there are no events or logs to report. Check if the DNS rule is applied or not.

> And I found that even though I don't push any traffic to the DPDK interface, dpdk-suricata receives those empty packets as well (maybe it is a tiny bug of my fiber topology).

Are you talking about LLDP? If yes, how can you claim these are empty packets?

> I assumed you had a background in how Suricata works, but it looks like this is not true.
>
> Now I know the original Suricata could work this out.

Can you PLEASE confirm you have built with ./configure; make -j 10 and that dns is found?

> So I think there is something wrong with my configuration (suricata.yaml and dpdk-suricata.ini, which I uploaded above), or with my build of dpdk-suricata.

Yes, please check if you have added DNS rules in the logs.
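Added example (not from the thread participants or the project): a parser for the shutdown stats block the reporter pasted above, reconciling the counters the way the maintainer reads them. Port RX should equal non-IP plus the IPv4 and IPv6 ACL totals; within each family, lookup success + fail should equal the family total and hit + miss should equal the successes; hits are the packets handed to Suricata and misses the bypassed ones (that hit/miss reading is the maintainer's, taken from his comment above). It also pulls out Suricata's own per-interface "Stats for" line so the two packet counters can be compared side by side. The sample input is a copy of the block shown earlier in the thread, with the same numbers.

```python
import re

# Copy of the thread-stats block the reporter pasted above (same values),
# used here as offline sample input. The ** around 8681 is the reporter's
# markdown emphasis and is stripped before parsing.
SAMPLE_STATS = """\
6/8/2020 -- 13:02:08 - <Notice> -  --- thread stats for Intf: 0 to 0 ---
6/8/2020 -- 13:02:08 - <Notice> -  +++ ACL +++
6/8/2020 -- 13:02:08 - <Notice> -  - non IP 1187
6/8/2020 -- 13:02:08 - <Notice> -  +++ ipv4 7169 +++
6/8/2020 -- 13:02:08 - <Notice> -  - lookup: success 7169, fail 0
6/8/2020 -- 13:02:08 - <Notice> -  - result: hit 6068, miss 1101
6/8/2020 -- 13:02:08 - <Notice> -  +++ ipv6 325 +++
6/8/2020 -- 13:02:08 - <Notice> -  - lookup: success 325, fail 0
6/8/2020 -- 13:02:08 - <Notice> -  - result: hit 4, miss 321
6/8/2020 -- 13:02:08 - <Notice> -  +++ ring +++
6/8/2020 -- 13:02:08 - <Notice> -  ERR: full 0, enq 0, tx 0
6/8/2020 -- 13:02:08 - <Notice> -  +++ port 0 +++
6/8/2020 -- 13:02:08 - <Notice> -  - index 0 pkts RX **8681** TX 0 MISS 0
6/8/2020 -- 13:02:08 - <Notice> -  - Errors RX: 0 TX: 0 Mbuff: 0
6/8/2020 -- 13:02:08 - <Notice> -  - Queue Dropped pkts: 0
6/8/2020 -- 13:02:08 - <Notice> - ----------------------------------
6/8/2020 -- 13:02:08 - <Notice> - Stats for '0000:03:00.0':  pkts: 0, drop: 0 (-nan%), invalid chksum: 0
"""

FAMILY_RE = re.compile(r"\+\+\+ (ipv4|ipv6) (\d+) \+\+\+")
NONIP_RE = re.compile(r"non IP (\d+)")
LOOKUP_RE = re.compile(r"lookup: success (\d+), fail (\d+)")
RESULT_RE = re.compile(r"result: hit (\d+), miss (\d+)")
PORT_RE = re.compile(r"pkts RX (\d+) TX (\d+) MISS (\d+)")
QDROP_RE = re.compile(r"Queue Dropped pkts: (\d+)")
ENGINE_RE = re.compile(r"Stats for '([^']+)':\s+pkts: (\d+), drop: (\d+)")


def parse_stats(text):
    """Pull the ACL, port and engine counters out of the shutdown stats block."""
    stats = {"non_ip": 0, "acl": {}, "port": {}, "engine": {}}
    family = None  # which +++ ipv4/ipv6 +++ section the lookup/result lines belong to
    for raw in text.splitlines():
        line = raw.replace("*", "")  # tolerate markdown bold pasted into a ticket
        m = FAMILY_RE.search(line)
        if m:
            family = m.group(1)
            stats["acl"][family] = {"total": int(m.group(2))}
            continue
        if "+++" in line:  # ring / port sections are outside any IP family
            family = None
        m = NONIP_RE.search(line)
        if m:
            stats["non_ip"] = int(m.group(1))
            continue
        m = LOOKUP_RE.search(line)
        if m and family:
            stats["acl"][family]["lookup_ok"] = int(m.group(1))
            stats["acl"][family]["lookup_fail"] = int(m.group(2))
            continue
        m = RESULT_RE.search(line)
        if m and family:
            stats["acl"][family]["hit"] = int(m.group(1))
            stats["acl"][family]["miss"] = int(m.group(2))
            continue
        m = PORT_RE.search(line)
        if m:
            stats["port"].update(rx=int(m.group(1)), tx=int(m.group(2)), miss=int(m.group(3)))
            continue
        m = QDROP_RE.search(line)
        if m:
            stats["port"]["queue_dropped"] = int(m.group(1))
            continue
        m = ENGINE_RE.search(line)
        if m:
            stats["engine"] = {"iface": m.group(1), "pkts": int(m.group(2)), "drop": int(m.group(3))}
    return stats


def reconcile(stats):
    """Cross-check the counters. Hit = handed to Suricata, miss = bypassed, as the
    maintainer reads them in the thread; that mapping is an assumption here."""
    acl = stats["acl"]
    rx = stats["port"]["rx"]
    classified = stats["non_ip"] + sum(f["total"] for f in acl.values())
    families_consistent = all(
        f["lookup_ok"] + f["lookup_fail"] == f["total"] and f["hit"] + f["miss"] == f["lookup_ok"]
        for f in acl.values()
    )
    engine_pkts = stats["engine"].get("pkts")
    return {
        "classified": classified,
        "rx_accounted": classified == rx and families_consistent,
        "forwarded_to_engine": sum(f["hit"] for f in acl.values()),
        "bypassed": sum(f["miss"] for f in acl.values()),
        "port_dropped": stats["port"].get("miss", 0) + stats["port"].get("queue_dropped", 0),
        "engine_pkts": engine_pkts,
        # Suricata's own per-interface counter is reported separately from the
        # port RX counter; a mismatch is worth chasing before blaming the rules.
        "engine_counter_agrees": engine_pkts == rx,
    }


if __name__ == "__main__":
    for key, value in reconcile(parse_stats(SAMPLE_STATS)).items():
        print(f"{key}: {value}")
```

On the pasted block the port side balances exactly (1187 + 7169 + 325 = 8681 received, 6072 hits forwarded, 1422 misses bypassed, nothing dropped), while the "Stats for '0000:03:00.0'" line reports 0 packets; the script surfaces that disagreement as engine_counter_agrees=False so it is visible alongside the rule question the maintainer raises, without saying which side is right.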

Leonardo-DiCaprio commented 4 years ago

Transferred to #27, and this issue is closed.