Skip to content
This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Set Suricata runmode to autofp #242

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 6 comments
Closed

Set Suricata runmode to autofp #242

GoogleCodeExporter opened this issue Mar 24, 2015 · 6 comments
Labels
auto-migrated Priority-Low Type-Enhancement

Comments

@GoogleCodeExporter
Copy link 

VictorJ
securityonion, while doing changes, please change your default "runmode" to 
autofp

9:38
VictorJ
it scales better

9:38
securityonion
Is that configurable on the command-line, or only in the config file?

9:38
VictorJ
both
--runmode=autofp

9:39
securityonion
sudo suricata --user sguil --group sguil -c /etc/nsm/qa-eth0/suricata.yaml -i 
eth0 --runmode=autofp -F /etc/nsm/qa-eth0/bpf.conf -l /nsm/sensor_data/qa-eth0
Like that?  Any other changes?
I did read about the autofp performance enhancements.  But are they in 1.2.1 
RELEASE?

9:43
VictorJ
no, but I think it should still be better
okay, very quickly tested seco in my vm
afpacket+autofp performed best
pcap+autofp worst
pcap+auto was better than pcap+autofp, but worse than afpacket+autofp
htop
whoops
vm has 2 cores
obviously, ymmv 

9:46
securityonion
OK, so now you're telling me that I should stick with afpacket and enable 
autofp (and wait for afpacket to support bpf)?  
ymmv, I understand 

9:48
VictorJ
9:48
thats what my totally not significant VM based little test appeared to show 
Regit
VictorJ: cool I did not work for nothing 
does a little victory dance

9:53
VictorJ
better than a victor dance
I can assure you

9:53
securityonion
LOL
OK, so I'm gonna go with this:
suricata --user sguil --group sguil -c /etc/nsm/qa-eth0/suricata.yaml 
--af-packet=eth0 --runmode=autofp -F /etc/nsm/qa-eth0/bpf.conf -l 
/nsm/sensor_data/qa-eth0
9:56
with a note that bpf won't work right now

Original issue reported on code.google.com by doug.bu...@gmail.com on 28 Mar 2012 at 2:05
@GoogleCodeExporter
Copy link
Author 

Updated code in /usr/local/sbin/nsm_sensor_ps-start:

    # Start IDS Engine with unified2 output
    # Determine whether to use Suricata or Snort (default)
    if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
    then
        # Start Suricata
        [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --af-packet=$SENSOR_INTERFACE_SHORT --runm
ode=autofp -F /etc/nsm/$SENSOR/bpf.conf -l $SENSOR_LOG_DIR " 
"$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" 
"suricata (alert data)"

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:07

  • Added labels: ****
  • Removed labels: ****

@GoogleCodeExporter
Copy link
Author 

Updated code in /usr/local/sbin/nsm_sensor_ps-restart:

    # restart the IDS engine
        if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
    then
        [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --af-packet=$SENSOR_INTERFACE_SHORT --runmode=au
tofp -F /etc/nsm/$SENSOR/bpf.conf -l $SENSOR_LOG_DIR" 
"$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" 
"suricata (alert data)"

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:07

  • Added labels: ****
  • Removed labels: ****

@GoogleCodeExporter
Copy link
Author 

Added the following to security-onion-upgrade.sh:

sed -i 's| |=|g' $CONF
source $CONF
if [ "$VERSION" = "20120326" ]; then
        NEW="20120329"
        echo "**********************************************"   | $LOGGER
        echo "* Upgrading from $VERSION to $NEW."               | $LOGGER
        echo "**********************************************"   | $LOGGER
        DIR="/nsm/backup/$NEW"
        mkdir -p $DIR                                           | $LOGGER
        cd $DIR

        for FILE in securityonion-nsmnow-admin-scripts_20120329_i386.deb; do
                echo -n "* Downloading $FILE..."                | $LOGGER
                wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
                if [ $? -eq 1 ]; then
                        echo "FAIL"     | $LOGGER
                        exit 1
                else
                        echo "OK"       | $LOGGER
                fi
        done

        echo -n "* Installing downloaded packages..." | $LOGGER
        dpkg -i *.deb                                           >> $LOG
        if [ $? -eq 1 ]; then
                echo "FAIL"     | $LOGGER
                exit 1
        else
                echo "OK"       | $LOGGER
        fi

        SENSORS=`grep -v "^#" /etc/nsm/sensortab |awk '{print $1}'`
        for SENSORNAME in $SENSORS; do
                echo "* Creating /etc/nsm/$SENSORNAME/bpf.conf if it doesn't already exist"       | $LOGGER
        touch /etc/nsm/"$SENSORNAME"/bpf.conf
        done

        sed -i "s|VERSION=$VERSION|VERSION=$NEW|g" $CONF        | $LOGGER
        echo "* Upgrade to $NEW complete."                      | $LOGGER
        echo 
fi

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:11

  • Changed state: Started
  • Added labels: ****
  • Removed labels: ****

@GoogleCodeExporter
Copy link
Author 

Turned over to testing:

Security Onion Testers,

Security Onion 20120328 is ready for testing!  This update should resolve the 
following issues:
http://code.google.com/p/security-onion/issues/detail?id=114
http://code.google.com/p/security-onion/issues/detail?id=224
http://code.google.com/p/security-onion/issues/detail?id=242
http://code.google.com/p/security-onion/issues/detail?id=243

Please only test on VMs that can be snapshotted.

Please test/verify the following:

- Start with a VM with the latest Security Onion and run Setup (choosing Snort 
- Suricata afpacket mode currently doesn't support bpf) so that we can simulate 
an in-place upgrade

- Run the in-place upgrade (should install new package and create 
/etc/nsm/HOSTNAME-INTERFACE/bpf.conf):
sudo -i "curl -L 
http://sourceforge.net/projects/security-onion/files/20120329/security-onion-upg
rade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

- Add a BPF to /etc/nsm/HOSTNAME-INTERFACE/bpf.conf like the following (for 
testmyids.com):
not host 217.160.51.31

- Run "sudo nsm_sensor_ps-restart" to restart Snort and daemonlogger

- Verify that snort doesn't alert on "curl http://testmyids.com" anymore and 
that daemonlogger didn't record any packets for that destination

- run Setup to simulate a new install

- Run the same test as above.

- Verify issues 224, 242, and 243 are fixed as well

- Anything else I didn't think of


Thanks in advance for your time and effort!

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:37

  • Changed state: Fixed
  • Added labels: ****
  • Removed labels: ****

@GoogleCodeExporter
Copy link
Author 

Tested by:
Craig Shannon
Scott Runnels

Original comment by doug.bu...@gmail.com on 29 Mar 2012 at 9:19

  • Changed state: Verified
  • Added labels: ****
  • Removed labels: ****

@GoogleCodeExporter
Copy link
Author 

Published:
http://securityonion.blogspot.com/2012/03/security-onion-20120329-now-available.
html

Original comment by doug.bu...@gmail.com on 29 Mar 2012 at 10:03

  • Added labels: ****
  • Removed labels: ****

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
auto-migrated Priority-Low Type-Enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@GoogleCodeExporter