
IPS: Add promisc mode / physical interface selection #935

Closed
AdSchellevis opened this issue May 11, 2016 · 9 comments

@AdSchellevis (Member) commented May 11, 2016

For netmap to function correctly on vlan interfaces, it needs to be able to capture data from the physical interface.
We should add two features here:

  1. add physical interfaces to the interface list
  2. provide the option to set disable-promisc to no

@AdSchellevis AdSchellevis added this to the 16.7 milestone May 11, 2016

@AdSchellevis AdSchellevis self-assigned this May 11, 2016

fichtner added a commit that referenced this issue May 24, 2016

(IPS) add promisc mode / physical interface selection, closes #935
(cherry picked from commit 3bacc74)
(cherry picked from commit 8b4b5bb)
@oparoz (Contributor) commented May 30, 2016

In the contextual help, there is this sentence "this is required to actually capture data on the physical interface".

Do you mean that if we have em0 and em0_vlan10, we need to enable promiscuous mode in order to be able to capture data on em0? I'm asking because traffic was captured just fine on VLANs without that option, so maybe it should be explained that this is to capture traffic on the parent interface.

@fichtner (Member) commented May 30, 2016

This seems to shift from driver to driver, from logical interface to logical interface. We know that e.g. PPPoE doesn't work in netmap mode although it has been added for pcap listening during 3.0 development. It's overly weird, and we really need to move on and let upstream take care of this accordingly.

If it works for you, that's great. Help share that knowledge. :)

@oparoz (Contributor) commented May 30, 2016

> This seems to shift from driver to driver, from logical interface to logical interface.

Ah, OK, makes sense then. Upstream should really provide an auto switch for that setting.

> If it works for you, that's great. Help share that knowledge. :)

I've enabled netmap on re0 only and can monitor all its VLANs without enabling promiscuous mode, but I can only use it for testing as Suricata doesn't work with software netmap and because the netmap patches for Realtek drivers are broken.

@fichtner (Member) commented May 30, 2016

Some of this may change with 10.3. The master branch for src.git is 10.3 now and there is a 16.7 config in tools for easy build. ASLR backport pending, otherwise all in.

@oparoz (Contributor) commented May 30, 2016

I'm not too hopeful since I've tested both netmap and the re driver from 11, but maybe some other changes in the kernel make it so that the interrupts don't pile up when the queue is full.
I'll check it out once ASLR is in.

@fichtner (Member) commented May 30, 2016

ok, thanks for mentioning. I really thought that netmap would shape up now with native suricata support. :/

@oparoz (Contributor) commented May 30, 2016

One problem is that there is a big divergence between the FreeBSD netmap and the official netmap. The official one crashes the kernel and I don't know what to cherry-pick to make it work as I'm not a driver hacker.

The other problem is in the hands of the Suricata team. If they can make it work with software netmap, then everybody could use IPS, at the cost of more CPU use.

@L1ghtn1ng commented May 30, 2016

Well, we know from #940 that when not using the WAN interface and just the LAN interface we get IPS alerts, so in that sense it makes sense to me to select the VLAN interfaces and LAN and see what happens. Also, do we have any update on #940?
