Network cards that work with Netmap…
Hello everyone!
Suricata IDS/IPS can run against network cards in Inline mode, but for that the NIC driver has to support netmap.
So, could the people who already have this mode enabled and working please report which NICs they are using?!
Please give the full name of the card and, if possible, the version of pfSense it works with in this mode.
I think cards it does NOT work with can be listed too, so people don't have to guess about them.
werter:
Note. Important:
netmap does not use features such as checksum offloading, TCP
segmentation offloading, encryption, VLAN encapsulation/decapsulation,
etc. When using netmap to exchange packets with the host stack, make
sure to disable these features.
Note 2. An accessible description of how IDPS Suricata works: https://openisf.files.wordpress.com/2015/11/suricata_mixed_mode_g-longo.pdf
In legacy mode, the pcap library is used to make a copy (clone if you will) of every packet as it comes in from the NIC on its way to the pf firewall engine. The original packet continues on to the pf firewall engine and is either passed or blocked depending on the current rules in the firewall. Meanwhile, the cloned packet is sent over to Suricata (or Snort if using that package) for inspection against the IDS/IPS rules. Should the cloned packet (or packets, since sometimes Suricata needs to see a group of packets before a decision can be made) be judged as "bad" by the Suricata engine, then a system call is made to insert the offending IP address from the packet into a special table in the pf firewall engine called snort2c. IP addresses in this special table are blocked. However, note that this decision making and subsequent insertion of the IP address into the snort2c table has happened well after the original packet (or packets if a group of packets was required to make a decision) has traversed the pf engine. So that original packet will have already gotten past the IPS mechanism. Packets that subsequently come through from the same IP address will now get blocked, though. Hence I use the term "hybrid IDS/IPS" because a true IPS would never leak a packet. A true IPS would hold up the original packet while it was being inspected, and then either pass it or drop it. Legacy mode does not hold up the original packet. It is allowed to continue on to the firewall while the cloned copy is used to make the decision for blocking future packets from the IP address.
With the new inline IPS mode, Suricata activates and uses the relatively new Netmap mechanism that was added to FreeBSD. Netmap is a way for applications to create a high-speed pipe between the NIC driver layer and the rest of the system. So packets coming and going on a given network interface must pass through the Netmap pipe. Suricata inline-mode controls the "door" in this pipe. Each packet stream coming from the NIC (or going to the NIC) is inspected by Suricata and a "pass" or "drop" decision is made. If a packet is dropped, it is never forwarded on to the pfSense kernel and thus never makes it to the pf engine. Since every single packet must traverse this Netmap pipe, there is no leakage. No copies of the packets are made for examination. Everything occurs with the original packet.
The downside of the new inline mode is that for now only some NIC drivers support working with the Netmap API mechanism. So while legacy mode is pretty much NIC card and driver agnostic (meaning it works with any hardware), the inline mode is highly dependent on your firewall having a NIC driver that supports Netmap. Another problem that currently exists is the Netmap pipe seems to break traffic shaping on the interface. I suspect this is a fixable problem, but no solution is in place yet.
So consider these two issues before choosing to use the inline IPS mode: (1) do I have a supported NIC and driver; and (2) can I do without traffic shaping on interfaces where I run Suricata?
Inline mode is quite a bit different than Legacy Mode. Inline mode has no concept of a "block list". There is no interaction with the firewall part of pfSense at all. With inline mode, when a packet triggers an alert it is just dropped. This means it never makes it to the firewall or anywhere else in pfSense. It is just dropped on the floor on its way out of the NIC to the rest of pfSense. Netmap is used to provide this interface. It hooks itself between the NIC driver and the rest of the system. That's why Inline Mode only works with a handful of NICs. The driver has to support and be able to talk with the Netmap layer. When using Inline mode, the BLOCKED tab is not used at all. Dropped IP addresses are highlighted in red on the ALERTS tab.
Legacy Mode uses the pfSense firewall engine for blocking. It uses a system call to place the offending IP address into a special built-in pf table in pfSense called snort2c. Any IP address put into this table has its traffic blocked (all ports on that IP). The table blocks the IP and thus all ports associated with it. IP addresses live in that snort2c table for the time period specified in the GUI for auto-clearing blocked hosts. The snort2c table exists only in RAM, so if the firewall is rebooted all the IPs are lost and the blocking starts again from scratch. It is not persistent, and there really is no need. If the malicious traffic starts up again, it will trigger the rule again and get blocked again. There is no benefit to saving thousands of blocked IPs for months in the snort2c table. When you look at the BLOCKED tab in Legacy Mode, what actually happens is the contents of the snort2c table are read from RAM and displayed on that tab.
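The netmap(4) note quoted above says the NIC's hardware offloads (checksum, TSO, LRO, VLAN tagging) must be switched off before netmap is used on the interface. The script below is an added example, not code from this thread or from the pfSense/Suricata projects: it parses the `options=<...>` line of a FreeBSD/pfSense `ifconfig` dump, lists the enabled offloads netmap cannot coexist with, and prints the `ifconfig` command that disables them. The interface names (igb0, em1) and the `ifconfig` output are constructed for the example; the option names and the `-rxcsum`/`-tso4`/`-lro`/`-vlanhwtag` style flags are the ones FreeBSD's ifconfig(8) uses.

```shell
#!/bin/sh
# Added example: find the offload options on a FreeBSD/pfSense interface that
# netmap(4) says must be disabled, and build the ifconfig command to do it.

# Offload options (as printed by FreeBSD ifconfig) that netmap does not handle.
NETMAP_UNSAFE_OPTS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO VLAN_HWTAGGING VLAN_HWTSO VLAN_HWCSUM"

# Map an ifconfig option name to the ifconfig(8) flag that disables it.
disable_flag() {
    case "$1" in
        RXCSUM)         echo "-rxcsum" ;;
        TXCSUM)         echo "-txcsum" ;;
        RXCSUM_IPV6)    echo "-rxcsum6" ;;
        TXCSUM_IPV6)    echo "-txcsum6" ;;
        TSO4)           echo "-tso4" ;;
        TSO6)           echo "-tso6" ;;
        LRO)            echo "-lro" ;;
        VLAN_HWTAGGING) echo "-vlanhwtag" ;;
        VLAN_HWTSO)     echo "-vlanhwtso" ;;
        VLAN_HWCSUM)    echo "-vlanhwcsum" ;;
        *)              return 1 ;;
    esac
}

# Read `ifconfig <if>` output on stdin; print, one per line and in the order
# ifconfig lists them, the enabled options that must be turned off for netmap.
enabled_unsafe_opts() {
    # options=6525bb<RXCSUM,TXCSUM,...>  ->  RXCSUM,TXCSUM,...  ->  one per line
    sed -n 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' | tr ',' '\n' |
    while read -r opt; do
        for u in $NETMAP_UNSAFE_OPTS; do
            if [ "$opt" = "$u" ]; then
                echo "$opt"
            fi
        done
    done
}

# Build the ifconfig command line that disables every unsafe option found on
# stdin for interface $1. Prints nothing if the interface is already clean.
netmap_prep_cmd() {
    ifname="$1"
    flags=""
    for opt in $(enabled_unsafe_opts); do
        flags="$flags $(disable_flag "$opt")"
    done
    if [ -n "$flags" ]; then
        echo "ifconfig $ifname$flags"
    fi
}

# Constructed sample: what `ifconfig igb0` might print on a box where the
# Intel igb driver has all offloads enabled (hypothetical interface/addresses).
SAMPLE='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6525bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:00:00:00:00:00
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# On a real firewall you would run:  ifconfig igb0 | netmap_prep_cmd igb0
# and then execute the printed command. Here we feed the constructed sample.
printf '%s\n' "$SAMPLE" | netmap_prep_cmd igb0
```

Running it against the sample prints a single `ifconfig igb0 -rxcsum -txcsum ...` line with one flag per enabled offload. Run the real `ifconfig <if>` through it before enabling Inline mode, apply the printed command, and re-check that the `options=<...>` line no longer lists any of those names; note that VLAN_MTU and JUMBO_MTU are left alone because they are not offloads.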
werter, thanks for the info; it will be interesting reading for those who don't know what this is, but I've already read all of that…, now I'm trying to find out which NICs actually work with this NetMap..., because I had 4 different types of cards and not one of them would start in Inline mode... :'(
werter:
Find out the chipset the card is built on.
Which ones work - https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4
As I wrote earlier, I have an Intel I350-T4 (IGB drivers), a single-port Intel card (I'd have to open the case, but it's fairly old) on EM, and several different RE cards on Realtek chipsets.