This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Setup: ask user for MTU of sniffing interface(s) and allow VLAN tags #925

Closed
dougburks opened this issue May 20, 2016 · 9 comments

Comments

@dougburks (Contributor) commented May 20, 2016

Background:
https://github.com/Security-Onion-Solutions/security-onion/wiki/VLAN-Traffic
https://groups.google.com/d/topic/security-onion/94s7beFDMU0/discussion
https://groups.google.com/d/topic/security-onion/1sDHn0AwDXc/discussion

Setup should ask user for the MTU of their sniffing interface(s). Default value should be 1500.

sosetup-network should write the MTU into /etc/network/interfaces. Per the VLAN article above, we should add 2 to the user's MTU so that when Suricata adds 16, we get a total of 18 for the header which will allow for VLAN tags.

sosetup should configure snort.conf with correct snaplen to handle VLAN tags automatically.

sosetup.conf needs to be updated to include this new variable.

Example:
Setup prompts user for MTU of sniffing interface eth1 and defaults to 1500.
User accepts default.
sosetup-network writes "mtu 1502" into /etc/network/interfaces.
sosetup should write "config snaplen: 1518" into snort.conf.
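The arithmetic in the proposal above (interface MTU = answer + 2, Snort snaplen = answer + 18, default 1500), as an added example that is not Security Onion's sosetup or sosetup-network code. The `+2`/`+18` offsets are the ones stated in the issue; the interfaces stanza is a minimal placeholder rather than the real one sosetup-network writes, and nothing is written to disk:

```shell
#!/bin/sh
# Added example, not Security Onion's own sosetup/sosetup-network code.
# Derives the two values the proposal describes from the MTU the user types in:
#   interface MTU = MTU + 2   (so that Suricata's +16 yields 18 bytes of header)
#   snort snaplen = MTU + 18  (14-byte Ethernet header + 4-byte 802.1Q tag)
# Assumptions: the +2 / +18 offsets from the issue; nothing is written to disk.

DEFAULT_MTU=1500            # value Setup offers when the user just presses Enter
IFACE_EXTRA=2               # added to the interface MTU
SNAPLEN_EXTRA=18            # added to the Snort snaplen

# Accept the user's answer (empty means "take the default") and reject
# anything that is not a positive integer.
normalize_mtu() {
  mtu="${1:-$DEFAULT_MTU}"
  case "$mtu" in
    ''|*[!0-9]*|0*) echo "invalid MTU: '$mtu'" >&2; return 1 ;;
  esac
  echo "$mtu"
}

# MTU that sosetup-network would write into /etc/network/interfaces.
iface_mtu() {
  mtu=$(normalize_mtu "$1") || return 1
  echo $((mtu + IFACE_EXTRA))
}

# snaplen that sosetup would write into snort.conf.
snort_snaplen() {
  mtu=$(normalize_mtu "$1") || return 1
  echo $((mtu + SNAPLEN_EXTRA))
}

# Minimal interfaces(5) stanza for a sniffing interface (placeholder: the real
# stanza sosetup-network writes carries more options; only the mtu line matters here).
interfaces_stanza() {
  iface=$1
  mtu=$(iface_mtu "$2") || return 1
  printf 'auto %s\niface %s inet manual\n    mtu %s\n' "$iface" "$iface" "$mtu"
}

# The snort.conf line, in the "config snaplen: N" form used in the issue.
snort_snaplen_line() {
  snaplen=$(snort_snaplen "$1") || return 1
  printf 'config snaplen: %s\n' "$snaplen"
}

# Demo: interface name and the user's MTU answer; both default as Setup would.
interfaces_stanza "${1:-eth1}" "${2:-}"
snort_snaplen_line "${2:-}"
```

Run it as `sh mtu-values.sh eth1 1500` (or with no arguments for the defaults); an answer that is not a positive integer is rejected before any value is derived, which is the check a setup script wants before it touches /etc/network/interfaces.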

@weslambert (Collaborator) commented:

Would there be any case (other than when the user specifies otherwise) that the MTU should equal anything other than "1502" in /etc/network/interfaces?

Also, would a default of "config snaplen: 1518" in snort.conf affect operation if a user was not using VLAN tagging?

If these assumptions are correct, I imagine sosetup-network, sosetup should be modified similar to the attached diff(?).

Or, do you think the user should be given the option to specify a custom configuration for Snort's snaplen as well?

Thanks,
Wes

diff.txt

@dougburks (Contributor, Author) commented:

> Would there be any case (other than when the user specifies otherwise) that the MTU should equal anything other than "1502" in /etc/network/interfaces?

I don't believe so.

> Also, would a default of "config snaplen: 1518" in snort.conf affect operation if a user was not using VLAN tagging?

It will waste a small amount of resources but I think it should be negligible.

> If these assumptions are correct, I imagine sosetup-network, sosetup should be modified similar to the attached diff(?).

Yes, very close to what I had in mind. Some recommendations:

  • Since Suricata takes the MTU of the sniffing interface and adds 16, perhaps we should make Snort behave similarly for consistency. So sosetup would check the MTU of the sniffing interface, add 16, and then set that value in snort.conf.
  • I'm thinking the question in sosetup-network should be something like:
    What is the default MTU of your network? Most networks use a default MTU of 1500 so that is the default here. Please note that Snort and Suricata will add 16 to whatever value you set here and use the resulting value for snaplen to allow for VLAN tagged traffic.

Thoughts?

Thanks, Wes!

@weslambert (Collaborator) commented:

I think I may have misunderstood.

So, to be clear, is/are Suricata/Snort only adding 16 to get to 1518, or are they to add 16 regardless of what the MTU is?

Thanks,
Wes

@dougburks (Contributor, Author) commented:

If I remember correctly from the testing I did in the links above, Suricata was adding 16 to the MTU of the sniffing interface, regardless of what that MTU was (14 would be for standard ethernet header, not exactly sure what the other 2 bytes were intended for). Should probably test again to make sure this is still the case. I'm almost tempted to recommend rounding MTU up to a higher number like 1550 to make sure it's large enough to account for Q-in-Q, MPLS, etc.

@weslambert (Collaborator) commented Jun 22, 2016

I just tested with an MTU of 1518 in /etc/network/interfaces, running sosetup and configuring Suricata, and PF_RING showed (after running grep -A20 "Suricata" /proc/net/pf_ring/eth |grep "Bucket Len") a Bucket Len of 1534 (+16). Continuing, I specified a value of 1550 in /etc/network/interfaces... Suricata would increase the Bucket Len to 1566 (+16). Also tried with MTU set to 1504 in /etc/network/interfaces and ended up with a Bucket Len of 1520 (+16). It appears the addition of 16 to the MTU defined in /etc/network/interfaces is consistent.

I couldn't imagine a minimum of 1550 would be much more taxing than that of 1518--less so than jumbo frames, I assume :)

So, from here on, do you think it would be best to set the minimum/default in /etc/network/interfaces to 1550? From there Suricata would add 16 (to 1566), and Snort would match the 1566 (from the /etc/network/interfaces MTU (1550) + 16) in snort.conf?

Thanks,
Wes
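The relationship Wes verified above (PF_RING's Bucket Len equals the interface MTU plus 16) and the one the thread wants sosetup to maintain (Snort's snaplen equals that Bucket Len), turned into a consistency check. This is an added example, not part of the thread or of Security Onion's code; the ring-info text and snort.conf fragment are constructed samples that only loosely follow the real /proc/net/pf_ring layout, and the paths are assumptions:

```shell
#!/bin/sh
# Added example, not part of the thread or of Security Onion's own code.
# Checks the two relationships the test above relies on:
#   PF_RING "Bucket Len" == interface MTU + 16   (what Suricata asks for)
#   Snort "config snaplen" == Bucket Len          (what sosetup should write)
# Assumptions: the sample ring info and snort.conf below are constructed to
# look like the real files; on a live sensor point the functions at
# /proc/net/pf_ring/<ring file> and the sensor's snort.conf instead.

SURICATA_EXTRA=16

# Pull the Bucket Len value out of a PF_RING ring-info file (stdin).
bucket_len() {
  awk -F: '/Bucket Len/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Pull the snaplen out of a snort.conf (stdin); "config snaplen: N" form.
snort_snaplen() {
  awk -F: '/^[[:space:]]*config[[:space:]]+snaplen/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# check_capture_sizes MTU RING_INFO_FILE SNORT_CONF -> exit 0 only if consistent
check_capture_sizes() {
  mtu=$1
  expected=$((mtu + SURICATA_EXTRA))
  bl=$(bucket_len < "$2")
  sl=$(snort_snaplen < "$3")
  rc=0
  if [ -z "$bl" ] || [ "$bl" -ne "$expected" ]; then
    echo "Bucket Len '${bl:-missing}' != MTU $mtu + $SURICATA_EXTRA ($expected)" >&2
    rc=1
  fi
  if [ -z "$sl" ] || [ "$sl" != "$bl" ]; then
    echo "snort snaplen '${sl:-missing}' != Bucket Len '${bl:-missing}'" >&2
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "ok: MTU $mtu, Bucket Len $bl, snaplen $sl"
  return "$rc"
}

# Constructed samples (layout only loosely follows real /proc/net/pf_ring output).
PFRING_SAMPLE=$(mktemp)
SNORT_SAMPLE=$(mktemp)
cat > "$PFRING_SAMPLE" <<'EOF'
Bound Device(s)    : eth1
Appl. Name         : Suricata
Bucket Len         : 1566
Slot Count         : 4096
EOF
cat > "$SNORT_SAMPLE" <<'EOF'
# constructed fragment of snort.conf
config snaplen: 1566
EOF

# Demo: an MTU of 1550 in /etc/network/interfaces should line up with both files.
check_capture_sizes 1550 "$PFRING_SAMPLE" "$SNORT_SAMPLE"
```

Feeding it the MTU actually configured on the sniffing interface turns Wes's manual grep into a post-setup check: a mismatch on either line means Suricata and Snort are not capturing the same frame size, which is exactly the condition that silently truncates VLAN-tagged packets.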

@dougburks (Contributor, Author) commented:

Yep, let's try it and see how it goes. Thanks, Wes!
