Setup: ask user for MTU of sniffing interface(s) and allow VLAN tags

[dougburks]

Background:
https://github.com/Security-Onion-Solutions/security-onion/wiki/VLAN-Traffic
https://groups.google.com/d/topic/security-onion/94s7beFDMU0/discussion
https://groups.google.com/d/topic/security-onion/1sDHn0AwDXc/discussion

Setup should ask user for the MTU of their sniffing interface(s). Default value should be 1500.

sosetup-network should write the MTU into /etc/network/interfaces. Per the VLAN article above, we should add 2 to the user's MTU so that when Suricata adds 16, we get a total of 18 for the header which will allow for VLAN tags.

sosetup should configure snort.conf with correct snaplen to handle VLAN tags automatically.

sosetup.conf needs to be updated to include this new variable.

Example:
Setup prompts user for MTU of sniffing interface eth1 and defaults to 1500.
User accepts default.
sosetup-network writes "mtu 1502" into /etc/network/interfaces.
sosetup should write "config snaplen: 1518" into snort.conf.

[weslambert]

Would there be any case, (other than when the user specifies otherwise) that the MTU should equal anything other than "1502" in /etc/network/interfaces?

Also, would a default of "config snaplen: 1518" in snort.conf affect operation if a user was not using VLAN tagging?

If these assumptions are correct, I imagine sosetup-network, sosetup should be modified similar to the attached diff(?).

Or, do you think the user should be given the option to specify a custom configuration for Snort's snaplen as well?

Thanks,
Wes

diff.txt

[dougburks]

Would there be any case, (other than when the user specifies otherwise) that the MTU should equal anything other than "1502" in /etc/network/interfaces?

I don't believe so.

Also, would a default of "config snaplen: 1518" in snort.conf affect operation if a user was not using VLAN tagging?

It will waste a small amount of resources but I think it should be negligible.

If these assumptions are correct, I imagine sosetup-network, sosetup should be modified similar to the attached diff(?).

Yes, very close to what I had in mind. Some recommendations:

• Since Suricata takes the MTU of the sniffing interface and adds 16, perhaps we should make Snort behave similarly for consistency. So sosetup would check the MTU of the sniffing interface, add 16, and then set that value in snort.conf.
• I'm thinking the question in sosetup-network should be something like:
  What is the default MTU of your network? Most networks use a default MTU of 1500 so that is the default here. Please note that Snort and Suricata will add 16 to whatever value you set here and use the resulting value for snaplen to allow for VLAN tagged traffic.

Thoughts?

Thanks, Wes!

[weslambert]

I think, I may have misunderstood.

So, to be clear, is/are Suricata/Snort only adding 16 to get to 1518, or are they to add 16 regardless of what the MTU is?

Thanks,
Wes

[dougburks]

If I remember correctly from the testing I did in the links above, Suricata was adding 16 to the MTU of the sniffing interface, regardless of what that MTU was (14 would be for standard ethernet header, not exactly sure what the other 2 bytes were intended for). Should probably test again to make sure this is still the case. I'm almost tempted to recommend rounding MTU up to a higher number like 1550 to make sure it's large enough to account for Q-in-Q, MPLS, etc.

[weslambert]

I just tested with an MTU of 1518 in /etc/network/interfaces, running sosetup and configuring Suricata, and PF_RING showed (after running grep -A20 "Suricata" /proc/net/pf_ring/eth |grep "Bucket Len") a Bucket Len of 1534 (+16). Continuing, I specified a value of 1550 in /etc/network/interfaces... Suricata would increase the Bucket Len to 1566 (+16). Also tried with MTU set to 1504 in /etc/network/interfaces and ended up with a Bucket Len of 1520 (+16). It appears the addition of 16 to the MTU defined in /etc/network/interfaces is consistent.

I couldn't imagine a minimum of 1550 would be much more taxing than that of 1518--less so than jumbo frames, I assume :)

So, from here on, do you think it would be best to set the minimum/default in /etc/network/interfaces to 1550? From there Suricata would add 16 (to 1566), and Snort would match the 1566 (from /etc/network/interfaces/ MTU (1550) +16 ) in snort.conf?

Thanks,
Wes

[dougburks]

Yep, let's try it and see how it goes. Thanks, Wes!

[weslambert]

Security-Onion-Solutions/securityonion-setup#15

[dougburks]

submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/bN-9Pgb19w8/discussion

[dougburks]

published:
http://blog.securityonion.net/2016/07/securityonion-setup-20120912.html