
Set Suricata runmode to autofp #242

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 6 comments

Comments


@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

VictorJ
securityonion, while doing changes, please change your default "runmode" to autofp

9:38
VictorJ
it scales better

9:38
securityonion
Is that configurable on the command-line, or only in the config file?

9:38
VictorJ
both
--runmode=autofp

9:39
securityonion
sudo suricata --user sguil --group sguil -c /etc/nsm/qa-eth0/suricata.yaml -i eth0 --runmode=autofp -F /etc/nsm/qa-eth0/bpf.conf -l /nsm/sensor_data/qa-eth0
Like that?  Any other changes?
I did read about the autofp performance enhancements.  But are they in 1.2.1 RELEASE?

9:43
VictorJ
no, but I think it should still be better
okay, very quickly tested seco in my vm
afpacket+autofp performed best
pcap+autofp worst
pcap+auto was better than pcap+autofp, but worse than afpacket+autofp
htop
whoops
vm has 2 cores
obviously, ymmv 

9:46
securityonion
OK, so now you're telling me that I should stick with afpacket and enable autofp (and wait for afpacket to support bpf)?
ymmv, I understand 

9:48
VictorJ
9:48
that's what my totally not significant VM based little test appeared to show
Regit
VictorJ: cool I did not work for nothing 
does a little victory dance

9:53
VictorJ
better than a victor dance
I can assure you

9:53
securityonion
LOL
OK, so I'm gonna go with this:
suricata --user sguil --group sguil -c /etc/nsm/qa-eth0/suricata.yaml --af-packet=eth0 --runmode=autofp -F /etc/nsm/qa-eth0/bpf.conf -l /nsm/sensor_data/qa-eth0
9:56
with a note that bpf won't work right now

Original issue reported on code.google.com by doug.bu...@gmail.com on 28 Mar 2012 at 2:05


@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Updated code in /usr/local/sbin/nsm_sensor_ps-start:

    # Start IDS Engine with unified2 output
    # Determine whether to use Suricata or Snort (default)
    if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
    then
        # Start Suricata: af-packet capture on the sensor interface, autofp runmode,
        # BPF read from the per-sensor bpf.conf, logs under the sensor's log dir
        [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" \
            "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --af-packet=$SENSOR_INTERFACE_SHORT --runmode=autofp -F /etc/nsm/$SENSOR/bpf.conf -l $SENSOR_LOG_DIR" \
            "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" \
            "suricata (alert data)"
    # else: Snort branch, unchanged and not shown in this excerpt
    fi

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:07


@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Updated code in /usr/local/sbin/nsm_sensor_ps-restart:

    # restart the IDS engine
    # ($ACTION is the process stop/start helper selected earlier in the script)
    if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
    then
        [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" \
            "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --af-packet=$SENSOR_INTERFACE_SHORT --runmode=autofp -F /etc/nsm/$SENSOR/bpf.conf -l $SENSOR_LOG_DIR" \
            "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" \
            "suricata (alert data)"
    fi

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:07
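The start and restart wrappers above hand process_start one fixed argument string. As an added example (not Security Onion's own code), here is a small POSIX sh helper that assembles that string from the same variables and checks the runmode and capture method before the daemon is launched. The list of runmode names is an assumption about Suricata 1.x-era builds and should be cross-checked against `suricata --list-runmodes` on the installed version; the af-packet warning reflects the thread's note that bpf.conf was not honoured in af-packet mode at the time.

```shell
#!/bin/sh
# Added example, not Security Onion's code. Builds and sanity-checks the Suricata
# command line that nsm_sensor_ps-start passes to process_start.
# Variable meanings (SENSOR, SENSOR_USER, SENSOR_GROUP, interface, log dir) follow
# the wrapper in the thread.

# Assumption: runmode names of a Suricata 1.x-era build; compare with
# `suricata --list-runmodes` on the sensor.
KNOWN_RUNMODES="auto autofp single workers"

# validate_runmode MODE -> 0 if MODE is a known runmode, 1 otherwise
validate_runmode() {
    for m in $KNOWN_RUNMODES; do
        [ "$1" = "$m" ] && return 0
    done
    echo "unknown runmode '$1' (expected one of: $KNOWN_RUNMODES)" >&2
    return 1
}

# build_suricata_args SENSOR USER GROUP IFACE CAPTURE RUNMODE CONFDIR LOGDIR
#   CAPTURE is "afpacket" (--af-packet=IFACE) or "pcap" (-i IFACE).
#   Prints the argument string on stdout; returns 1 on a bad runmode/capture.
build_suricata_args() {
    sensor=$1; user=$2; group=$3; iface=$4; capture=$5; runmode=$6; confdir=$7; logdir=$8
    validate_runmode "$runmode" || return 1
    bpf="$confdir/$sensor/bpf.conf"
    case $capture in
        afpacket)
            capture_arg="--af-packet=$iface"
            # The thread notes af-packet did not apply -F at the time (1.2.1);
            # say so loudly rather than silently passing a filter that is ignored.
            [ -s "$bpf" ] && echo "warning: $bpf is non-empty but af-packet mode may ignore it" >&2 ;;
        pcap)
            capture_arg="-i $iface" ;;
        *)
            echo "unknown capture method '$capture' (afpacket|pcap)" >&2; return 1 ;;
    esac
    args="--user $user --group $group -c $confdir/$sensor/suricata.yaml $capture_arg --runmode=$runmode"
    # Only pass -F when the file exists, so a sensor without bpf.conf still starts.
    [ -f "$bpf" ] && args="$args -F $bpf"
    echo "$args -l $logdir"
}

# Usage: the command line the thread settled on, derived from the variables
build_suricata_args qa-eth0 sguil sguil eth0 afpacket autofp /etc/nsm /nsm/sensor_data/qa-eth0
```

The wrapper in the thread always passes `-F`; the helper only adds it when the file is present, which is the case the upgrade script below guarantees by touching bpf.conf for every sensor in sensortab.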


@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Added the following to security-onion-upgrade.sh:

    # Normalise "KEY VALUE" lines in $CONF to "KEY=VALUE" so it can be sourced
    sed -i 's| |=|g' "$CONF"
    source "$CONF"
    if [ "$VERSION" = "20120326" ]; then
            NEW="20120329"
            echo "**********************************************"   | $LOGGER
            echo "* Upgrading from $VERSION to $NEW."               | $LOGGER
            echo "**********************************************"   | $LOGGER
            DIR="/nsm/backup/$NEW"
            mkdir -p "$DIR"
            cd "$DIR" || exit 1

            for FILE in securityonion-nsmnow-admin-scripts_20120329_i386.deb; do
                    echo -n "* Downloading $FILE..."                | $LOGGER
                    # Test wget's own status: after "wget ... | $LOGGER", $? would
                    # be the logger's status, so a failed download went unnoticed
                    if ! wget -q "http://sourceforge.net/projects/security-onion/files/$NEW/$FILE" -O "$FILE" >> "$LOG" 2>&1; then
                            echo "FAIL"     | $LOGGER
                            exit 1
                    else
                            echo "OK"       | $LOGGER
                    fi
            done

            echo -n "* Installing downloaded packages..." | $LOGGER
            # dpkg reports failure with a non-zero status (2 for fatal errors),
            # so test for any non-zero value rather than exactly 1
            if ! dpkg -i ./*.deb >> "$LOG" 2>&1; then
                    echo "FAIL"     | $LOGGER
                    exit 1
            else
                    echo "OK"       | $LOGGER
            fi

            # One sensor per non-comment line of sensortab; first field is the name
            SENSORS=$(grep -v "^#" /etc/nsm/sensortab | awk '{print $1}')
            for SENSORNAME in $SENSORS; do
                    echo "* Creating /etc/nsm/$SENSORNAME/bpf.conf if it doesn't already exist"       | $LOGGER
                    touch "/etc/nsm/$SENSORNAME/bpf.conf"
            done

            sed -i "s|VERSION=$VERSION|VERSION=$NEW|g" "$CONF"
            echo "* Upgrade to $NEW complete."                      | $LOGGER
            echo
    fi

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:11
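The upgrade step has two pieces worth testing on their own: running a command whose exit status must survive being logged, and walking sensortab to create a bpf.conf per sensor without clobbering one that already holds a filter. As an added example (not Security Onion's upgrade script), the POSIX sh helpers below do both against a scratch directory instead of /etc/nsm; the sensortab layout (name in the first field, `#` comment lines) follows the `grep`/`awk` in the script above, the other columns in the constructed sample are made up, and `LOG` is assumed to be set elsewhere in the real script.

```shell
#!/bin/sh
# Added example, not Security Onion's code.
#   run_logged CMD...        run CMD, append its output to $LOG, return CMD's own status
#   list_sensors FILE        sensor names from a sensortab-style file
#   ensure_bpf_conf ROOT N.. create ROOT/N/bpf.conf if absent; print how many were created

LOG=${LOG:-/tmp/so-upgrade.log}   # assumption: the real script defines LOG earlier

run_logged() {
    # No "CMD | $LOGGER" pipeline: in a pipeline $? is the last command's status,
    # which is why "wget ... | $LOGGER; if [ $? -eq 1 ]" could never fail.
    "$@" >>"$LOG" 2>&1
    status=$?
    echo "$(date '+%Y-%m-%d %H:%M:%S') [$status] $*" >>"$LOG"
    return $status
}

list_sensors() {
    # sensortab: NAME ... per line; lines whose first non-blank char is # are comments
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

ensure_bpf_conf() {
    root=$1; shift
    created=0
    for name in "$@"; do
        dir="$root/$name"
        mkdir -p "$dir" || return 1
        if [ ! -e "$dir/bpf.conf" ]; then
            : > "$dir/bpf.conf"          # empty filter: capture everything
            created=$((created + 1))
        fi
    done
    echo "$created"
}

# Demo against a constructed sensortab in a scratch directory
demo() {
    root=$(mktemp -d)
    LOG="$root/upgrade.log"
    cat > "$root/sensortab" <<'EOF'
# NAME           ACTIVE  INTERFACE   (constructed sample)
so-eth0          1       eth0
so-eth1          1       eth1
#old-eth2        0       eth2
EOF
    sensors=$(list_sensors "$root/sensortab")
    echo "first run created:  $(ensure_bpf_conf "$root" $sensors)"   # 2
    echo "second run created: $(ensure_bpf_conf "$root" $sensors)"   # 0, nothing clobbered
    run_logged true;  echo "true  -> $?"
    run_logged false; echo "false -> $?"
    cat "$LOG"
}

demo
```

The second `ensure_bpf_conf` call creating nothing is the property the upgrade needs: re-running the script after an operator has written `not host 217.160.51.31` into a sensor's bpf.conf must leave that filter in place.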

  • Changed state: Started

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Turned over to testing:

Security Onion Testers,

Security Onion 20120328 is ready for testing!  This update should resolve the following issues:
http://code.google.com/p/security-onion/issues/detail?id=114
http://code.google.com/p/security-onion/issues/detail?id=224
http://code.google.com/p/security-onion/issues/detail?id=242
http://code.google.com/p/security-onion/issues/detail?id=243

Please only test on VMs that can be snapshotted.

Please test/verify the following:

- Start with a VM with the latest Security Onion and run Setup (choosing Snort - Suricata afpacket mode currently doesn't support bpf) so that we can simulate an in-place upgrade

- Run the in-place upgrade (should install new package and create /etc/nsm/HOSTNAME-INTERFACE/bpf.conf):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/20120329/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

- Add a BPF to /etc/nsm/HOSTNAME-INTERFACE/bpf.conf like the following (for testmyids.com):
not host 217.160.51.31

- Run "sudo nsm_sensor_ps-restart" to restart Snort and daemonlogger

- Verify that snort doesn't alert on "curl http://testmyids.com" anymore and that daemonlogger didn't record any packets for that destination

- run Setup to simulate a new install

- Run the same test as above.

- Verify issues 224, 242, and 243 are fixed as well

- Anything else I didn't think of


Thanks in advance for your time and effort!

Original comment by doug.bu...@gmail.com on 28 Mar 2012 at 5:37

  • Changed state: Fixed

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Tested by:
Craig Shannon
Scott Runnels

Original comment by doug.bu...@gmail.com on 29 Mar 2012 at 9:19

  • Changed state: Verified

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Published:
http://securityonion.blogspot.com/2012/03/security-onion-20120329-now-available.html

Original comment by doug.bu...@gmail.com on 29 Mar 2012 at 10:03
