Setup: ask user for MTU of sniffing interface(s) and allow VLAN tags #925

Closed
dougburks opened this Issue May 20, 2016 · 9 comments

Contributor

dougburks commented May 20, 2016

Background:
https://github.com/Security-Onion-Solutions/security-onion/wiki/VLAN-Traffic
https://groups.google.com/d/topic/security-onion/94s7beFDMU0/discussion
https://groups.google.com/d/topic/security-onion/1sDHn0AwDXc/discussion

Setup should ask the user for the MTU of their sniffing interface(s). The default value should be 1500.

sosetup-network should write the MTU into /etc/network/interfaces. Per the VLAN article above, we should add 2 to the user's MTU so that when Suricata adds 16, we get a total of 18 for the header, which will allow for VLAN tags.

sosetup should configure snort.conf with the correct snaplen to handle VLAN tags automatically.

sosetup.conf needs to be updated to include this new variable.

Example:
Setup prompts the user for the MTU of sniffing interface eth1 and defaults to 1500.
User accepts the default.
sosetup-network writes "mtu 1502" into /etc/network/interfaces.
sosetup should write "config snaplen: 1518" into snort.conf.

Collaborator

weslambert commented Jun 21, 2016

Would there be any case (other than when the user specifies otherwise) in which the MTU should be anything other than "1502" in /etc/network/interfaces?

Also, would a default of "config snaplen: 1518" in snort.conf affect operation if a user was not using VLAN tagging?

If these assumptions are correct, I imagine sosetup-network and sosetup should be modified similarly to the attached diff(?).

Or, do you think the user should be given the option to specify a custom configuration for Snort's snaplen as well?

Thanks,
Wes

diff.txt

Contributor

dougburks commented Jun 21, 2016

> Would there be any case (other than when the user specifies otherwise) in which the MTU should be anything other than "1502" in /etc/network/interfaces?

I don't believe so.

> Also, would a default of "config snaplen: 1518" in snort.conf affect operation if a user was not using VLAN tagging?

It will waste a small amount of resources, but I think it should be negligible.

> If these assumptions are correct, I imagine sosetup-network and sosetup should be modified similarly to the attached diff(?).

Yes, very close to what I had in mind. Some recommendations:

  • Since Suricata takes the MTU of the sniffing interface and adds 16, perhaps we should make Snort behave similarly for consistency. So sosetup would check the MTU of the sniffing interface, add 16, and then set that value in snort.conf.
  • I'm thinking the question in sosetup-network should be something like:
    What is the default MTU of your network? Most networks use a default MTU of 1500, so that is the default here. Please note that Snort and Suricata will add 16 to whatever value you set here and use the resulting value for snaplen to allow for VLAN tagged traffic.

Thoughts?

Thanks, Wes!

Collaborator

weslambert commented Jun 21, 2016

I think I may have misunderstood.

So, to be clear, are Suricata/Snort only adding 16 to get to 1518, or do they add 16 regardless of what the MTU is?

Thanks,
Wes

Contributor

dougburks commented Jun 22, 2016

If I remember correctly from the testing I did in the links above, Suricata was adding 16 to the MTU of the sniffing interface, regardless of what that MTU was (14 would be for the standard Ethernet header; not exactly sure what the other 2 bytes were intended for). Should probably test again to make sure this is still the case. I'm almost tempted to recommend rounding the MTU up to a higher number like 1550 to make sure it's large enough to account for Q-in-Q, MPLS, etc.

Collaborator

weslambert commented Jun 22, 2016

I just tested with an MTU of 1518 in /etc/network/interfaces, running sosetup and configuring Suricata, and PF_RING showed (after running grep -A20 "Suricata" /proc/net/pf_ring/eth | grep "Bucket Len") a Bucket Len of 1534 (+16). Continuing, I specified a value of 1550 in /etc/network/interfaces, and Suricata increased the Bucket Len to 1566 (+16). I also tried with the MTU set to 1504 in /etc/network/interfaces and ended up with a Bucket Len of 1520 (+16). It appears the addition of 16 to the MTU defined in /etc/network/interfaces is consistent.

I couldn't imagine a minimum of 1550 would be much more taxing than that of 1518--less so than jumbo frames, I assume :)

So, from here on, do you think it would be best to set the minimum/default in /etc/network/interfaces to 1550? From there Suricata would add 16 (to 1566), and Snort would match the 1566 (from the /etc/network/interfaces MTU (1550) + 16) in snort.conf?

Thanks,
Wes
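The MTU-plus-16 rule this thread converges on (the opening comment's "mtu 1502" / "config snaplen: 1518" pairing, and the PF_RING Bucket Len measurements in the comment above), written out as an added POSIX shell example. This is not Security Onion's sosetup or sosetup-network code. The function names, the layout of the /etc/network/interfaces stanza and the SAMPLE_PFRING text are assumptions made for illustration; only the "+16" and the "Bucket Len" field name come from the thread.

```shell
#!/bin/sh
# Added example, not Security Onion's sosetup/sosetup-network code.
# Rule from the thread: snaplen = MTU of the sniffing interface + 16,
# which is also the "Bucket Len" PF_RING reported in the tests above.
# Assumptions: the function names, the interfaces stanza layout and the
# SAMPLE_PFRING text below are illustrative, not taken from the project.

HEADER_OVERHEAD=16   # 14-byte Ethernet header + 2 bytes, per the thread

# Print MTU + 16. Anything that is not a positive integer is rejected.
snaplen_for_mtu() {
    case "$1" in
        ''|*[!0-9]*) echo "snaplen_for_mtu: bad MTU '$1'" >&2; return 1 ;;
    esac
    echo $(( $1 + HEADER_OVERHEAD ))
}

# Print the snort.conf line for a given interface MTU (1502 -> 1518).
snort_snaplen_line() {
    snaplen=$(snaplen_for_mtu "$1") || return 1
    echo "config snaplen: $snaplen"
}

# Print an /etc/network/interfaces stanza carrying the chosen MTU.
# Only the "mtu" line is from the thread; the rest of the stanza is assumed.
interfaces_stanza() {
    iface=$1
    mtu=$2
    snaplen_for_mtu "$mtu" >/dev/null || return 1
    printf 'auto %s\niface %s inet manual\n    mtu %s\n' "$iface" "$iface" "$mtu"
}

# Read a PF_RING ring entry (a per-ring file under /proc/net/pf_ring/)
# on stdin and print the number after "Bucket Len".
pfring_bucket_len() {
    sed -n 's/^Bucket Len[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if the Bucket Len read from stdin equals MTU + 16, else 1.
check_bucket_len() {
    mtu=$1
    expected=$(snaplen_for_mtu "$mtu") || return 1
    actual=$(pfring_bucket_len)
    if [ -z "$actual" ]; then
        echo "check_bucket_len: no 'Bucket Len' line on stdin" >&2
        return 1
    fi
    if [ "$actual" -eq "$expected" ]; then
        echo "ok: Bucket Len $actual = MTU $mtu + $HEADER_OVERHEAD"
        return 0
    fi
    echo "mismatch: Bucket Len $actual, expected $expected for MTU $mtu" >&2
    return 1
}

# Constructed sample of a ring entry after Suricata attaches to eth1
# with the interface MTU at 1550; it is not a real capture.
SAMPLE_PFRING='Bound Device(s)    : eth1
Active             : 1
Appl. Name         : Suricata
Bucket Len         : 1566
Tot Packets        : 0'

main() {
    interfaces_stanza eth1 1550
    snort_snaplen_line 1550
    printf '%s\n' "$SAMPLE_PFRING" | check_bucket_len 1550
}

main
```

snaplen_for_mtu takes the MTU that is actually written into /etc/network/interfaces, so it reproduces both figures quoted in the thread: 1502 gives 1518 and 1550 gives 1566. check_bucket_len reads the ring entry on stdin; on a live sensor you would feed it the file under /proc/net/pf_ring/ that the grep -A20 "Suricata" command above locates, instead of the constructed sample, and a non-zero exit tells you Suricata is not capturing the full tagged frame for that MTU.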

Contributor

dougburks commented Jun 22, 2016

Yep, let's try it and see how it goes. Thanks, Wes!

Collaborator

weslambert commented Jun 24, 2016

Contributor

dougburks commented Jul 2, 2016

dougburks closed this Jul 18, 2016