Snort mailing list archives

Re: Some confusion about Snort ++


From: Michael Altizer <mialtize () cisco com>
Date: Thu, 22 Sep 2016 10:54:19 -0400

It's sort of one of those tricky situations where it did what you asked it to do. :) It can't really print out a warning because there are legitimate reasons for asking it to do what you configured it to do and it doesn't know whether it's actually a good idea or not. For example, if you have a DAQ module (and backing source) that will start automatically (like AFPacket using FANOUT support or maybe via a hint from instance-specific DAQ variables) loadbalancing across all instances that have opened the same interfaces.

When not in file read-back mode, Snort will operate like so:
- There will be N packet processing threads based on the -z option.
- Each thread will create an instance of the chosen DAQ module using the global interface specification and global set of DAQ variables UNLESS they were overridden with instance-specific values.
- Instance-specific values are specified from the command line by invoking the -i option multiple times. The first interface specifier will be both the global interface specification and the instance-specific interface specification for the first DAQ module instance.
- The global set of DAQ variables (--daq-var) will be those specified before any interface specification (-i).
- The per-instance set of DAQ variables will be those specified after an interface specification but before the next. Those variables will only be passed to the DAQ module instance that uses the most recently given interface specification.
- When DAQ module instances are configured, any global DAQ variables will be set and then any instance-specific DAQ variables. This means that an instance will "inherit" the global DAQ variables and can override those by specifying them again with different values (say, global has 'debug=1' and instance-specific overrides it with 'debug=0') or add to them by specifying other variables entirely.

We hope in the future to give the option to split packet processing threads from packet acquisition threads using internal loadbalancing and allow a many-to-one or many-to-different-many relationship, which I'm guessing is what you were expecting to happen when you told it to use 5 packet threads on a single interface. (If I'm wrong in that assumption, please explain what you were expecting to happen.)

So, given the above, the answer to your second question would be to do this:
snort --daq-dir /usr/local/lib/daq/ -i enp12s0 -i enp12s1 --bpf 'not ip' -z 2

The simple case for the AFPacket with FANOUT example above would be:
snort --daq afpacket --daq-var fanout_type=hash -i eth1 -z 5
This would create and start five instances of the AFPacket DAQ module all on the interface 'eth1' and automatically loadbalance across them in the kernel using the FANOUT capabilities configured by the global DAQ variable 'fanout_type=hash'.

For any sufficiently complicated instance setup, the better method of configuration will be via configuration file rather than command line interfaces. So, following the example I gave above, here's how a modified AFPacket DAQ module that can loadbalance based on DAQ variables (lb_sensor_total is the total number of instances to loadbalance across and is set globally, and lb_sensor_id is the instance's loadbalancing ID within that total and is set per-instance) would be configured using the LUA configuration files:

daq =
{
    module_dirs = {
        '/usr/local/sf/lib/daq'
    },
    module = 'afpacket',
    input_spec = 'eth1',
    variables = {
        'lb_total=4'
    },
    instances = {
        {
            id = 0,
            variables = {
                'lb_id=1',
            }
        },
        {
            id = 1,
            variables = {
                'lb_id=2',
            }
        },
        {
            id = 2,
            variables = {
                'lb_id=3',
            }
        },
        {
            id = 3,
            variables = {
                'lb_id=4',
            }
        },
    }
}

If you wanted to do the above using command line options, it would look like this:
snort --daq-dir /usr/local/sf/lib/daq --daq afpacket --daq-var lb_total=4 -i eth1 --daq-var lb_id=1 -i eth1 --daq-var lb_id=2 -i eth1 --daq-var lb_id=3 -i eth1 --daq-var lb_id=4
The same interface specification has to be given multiple times to let Snort know we have moved on to the next set of instance-specific DAQ variables.

I hope that answers your questions.

On 09/22/2016 09:06 AM, Nacht Z wrote:

Hello:
I have some confusion about the multithread in Snort++.
I found that when using the option -z like snort --daq-dir /usr/local/lib/daq/ -i enp12s0 --bpf 'not ip' -z 5, all five threads run and analyse the same NIC. So when Snort++ tries to open one NIC five times, what will happen? Fail to open, or all succeed and get the same traffic in all threads? (I have tried to search for it in the system log but found nothing in the log.) If Snort++ can get the same traffic in five threads, I can't understand why it needs five threads; all of them are doing the same thing. If not, I think the program needs to print a warning message on the screen or in the log. The second question: if I use more than one interface like snort --daq-dir /usr/local/lib/daq/ -i enp12s0:enp12s1 --bpf 'not ip' -z 5, Snort++ will show that every thread gets traffic from both NICs. So if I want to use enp12s0 in thread 0 and enp12s1 in thread 1, what should I do?
Hope someone can help me. Thanks very much.
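As an added example (not from the reply above and not Snort's own code), the following Python models the command-line rules Michael describes: --daq-var before any -i is global, each later --daq-var belongs to the most recent -i, the first -i doubles as the global interface spec, and each thread gets the global variables with its own instance variables applied on top. Two details are assumptions of this model rather than statements from the thread: when -z is absent the thread count is taken to be the number of -i options given (at least one), and threads beyond the number of -i options fall back to the global interface spec with only the global variables. It is useful for checking, before starting a multi-thread sensor, which interface and which variable set each packet thread would actually receive.

```python
"""Model of how Snort++ distributes -i / --daq-var options across packet
threads, following the rules in the mailing-list reply above.  This is an
added illustration, not Snort code; see the lead-in for the assumptions."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DaqCmdline:
    daq_dir: Optional[str] = None
    module: Optional[str] = None
    global_iface: Optional[str] = None          # first -i on the line
    global_vars: Dict[str, str] = field(default_factory=dict)
    # one entry per -i, in order: (interface spec, instance-specific vars)
    instances: List[Tuple[str, Dict[str, str]]] = field(default_factory=list)
    threads: Optional[int] = None               # value of -z, if given


def _set_var(store: Dict[str, str], spec: str) -> None:
    # 'debug=1' -> store['debug'] = '1'; a later spec for the same key wins
    key, _, value = spec.partition("=")
    store[key] = value


def parse_cmdline(cmd: str) -> DaqCmdline:
    """Parse a snort command line into global and per-instance DAQ settings."""
    cfg = DaqCmdline()
    args = shlex.split(cmd)
    i = 1 if args and args[0].endswith("snort") else 0   # skip program name
    while i < len(args):
        opt = args[i]
        if opt == "--daq-dir":
            cfg.daq_dir = args[i + 1]
        elif opt == "--daq":
            cfg.module = args[i + 1]
        elif opt == "-z":
            cfg.threads = int(args[i + 1])
        elif opt == "-i":
            iface = args[i + 1]
            if cfg.global_iface is None:
                cfg.global_iface = iface        # first -i is also the global spec
            cfg.instances.append((iface, {}))   # opens a new instance-specific scope
        elif opt == "--daq-var":
            # before any -i: global; after an -i: belongs to the latest instance
            target = cfg.instances[-1][1] if cfg.instances else cfg.global_vars
            _set_var(target, args[i + 1])
        elif opt == "--bpf":
            pass                                # filter text, not DAQ-related
        else:
            raise ValueError(f"unrecognised option {opt!r}")
        i += 2
    return cfg


def effective_threads(cfg: DaqCmdline) -> List[Tuple[Optional[str], Dict[str, str]]]:
    """Return (interface, variables) as each packet thread would see them.

    Global variables are applied first, then the instance's own variables,
    so an instance value overrides an inherited global one.  Assumption:
    without -z, one thread per -i; threads beyond the -i count use the
    global spec and only the global variables."""
    count = cfg.threads if cfg.threads is not None else max(1, len(cfg.instances))
    result = []
    for t in range(count):
        if t < len(cfg.instances):
            iface, inst_vars = cfg.instances[t]
        else:
            iface, inst_vars = cfg.global_iface, {}
        merged = dict(cfg.global_vars)
        merged.update(inst_vars)                # instance-specific values win
        result.append((iface, merged))
    return result


if __name__ == "__main__":
    # Constructed command lines taken from the forms discussed in the thread.
    for line in (
        "snort --daq afpacket --daq-var fanout_type=hash -i eth1 -z 5",
        "snort --daq-dir /usr/local/lib/daq/ -i enp12s0 -i enp12s1 --bpf 'not ip' -z 2",
        "snort --daq afpacket --daq-var lb_total=4 -i eth1 --daq-var lb_id=1 "
        "-i eth1 --daq-var lb_id=2 -i eth1 --daq-var lb_id=3 -i eth1 --daq-var lb_id=4",
    ):
        print(line)
        for n, (iface, variables) in enumerate(effective_threads(parse_cmdline(line))):
            print(f"  thread {n}: {iface} {variables}")
```

Running the script prints, for each constructed command line, the interface and merged variable set per thread; the lb_total/lb_id line shows every thread inheriting lb_total=4 while carrying its own lb_id, which is exactly the inheritance rule the reply describes.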



------------------------------------------------------------------------------


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

