Thursday, August 12, 2010

Snort 2.9 Essentials: The DAQ

The recently released Snort 2.9 Beta introduces the Data AcQuisition library (DAQ) for packet I/O. The DAQ replaces direct calls into packet capture libraries like PCAP with an abstraction layer that makes it easy to add additional software or hardware packet capture implementations. DAQ 0.1 supports PCAP, AFPACKET, NFQ, IPQ, IPFW, and DUMP, which is used for testing.

So why the change? The DAQ is essentially an abstraction layer and a suite of pluggable modules that can be selected at run time. This makes switching from passive to inline mode easy, without requiring a recompile of the Snort core. Additionally, it adds AFPACKET support, which makes it really easy to stand up an inline sensor without mucking around with iptables, setting up queues, and other administrative tasks. Finally, the DAQ is modular and easy to work with: if there is some special network capture card you need to support, adding a module for it is relatively straightforward.

USAGE : Building the DAQ Library and DAQ Modules
  • Download the DAQ from snort.org; it is called daq-0.1.tar.gz
  • Unpack it: tar -xvzf ./daq-0.1.tar.gz

Meet the following minimum requirements:
  • PCAP ≥ 1.0.0. PCAP 1.1.1 is available at the time of this writing and is recommended.
  • libdnet is required for the IPQ and NFQ DAQs. If you run into any errors, check the DAQ distro README for the tricks I used.
  • libnet is no longer required. Gone, gone, gone, and there was much rejoicing.
./configure ; make ; sudo make install
When the DAQ library is built, both static and dynamic module flavors will be generated (more on why later). If you need to tweak certain options, see configure's help; run:
./configure --help

Building Snort
Snort now needs to know where the DAQ is installed on the system. If you installed it somewhere other than its default location, you'll need to add some extra switches to configure for Snort to build. If you didn't, you can ignore the below; Snort's configure should just find the DAQ library and build.
./configure --with-daq-includes=<inc dir> --with-daq-libraries=<lib dir>
If you installed the DAQ in a non-standard place, also make sure your PATH includes the DAQ bin directory, because Snort's ./configure runs daq-modules-config from there. This step isn't necessary if the DAQ is installed in the default location. However, ldconfig or other system-specific commands may still need to be run so the shared library is found at run time.
PATH=/daq/install/prefix/bin:$PATH
By default, Snort will be built with a few static DAQ modules, including PCAP, AFPACKET, and DUMP.

Once Snort is built, you can see its available DAQs by running:
snort [--daq-dir <dir>] --daq-list
The above command searches the specified directory (e.g. /usr/local/lib/daq) for DAQ modules and prints the type, version, and attributes of each. If you just want to see the built-in modules, leave off --daq-dir.

Output should look something like the following:
Available DAQ modules:
pcap(v2): readback live multi unpriv
nfq(v1): live inline multi
ipq(v1): live inline multi
ipfw(v1): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v1): live inline multi unpriv
You can see that 6 DAQs are available, that pcap doesn't support inline mode, that nfq and ipq don't support unprivileged operation, etc.
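To turn that listing into an automated check, here is an added example (my own script, not code from the Snort project) that parses --daq-list output and refuses a DAQ/mode combination the module does not advertise, such as pcap in inline mode or nfq without privileges. The listing embedded in it is constructed for the example, and the mapping from --daq-mode values to attribute words (read-file to readback, passive to live, inline to inline) is an assumption about what those attributes mean, not something the post states.

```shell
#!/bin/sh
# Added example, not code from the Snort project: parse `snort --daq-list`
# output and check a DAQ/mode combination against the advertised attributes.
set -eu

# Constructed sample listing in the format --daq-list prints (assumed data).
DAQ_LIST_SAMPLE='Available DAQ modules:
pcap(v2): readback live multi unpriv
nfq(v1): live inline multi
ipq(v1): live inline multi
ipfw(v1): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v1): live inline multi unpriv'

# daq_attrs LISTING MODULE: print MODULE's attribute words; fail if absent.
daq_attrs() {
    printf '%s\n' "$1" | awk -v m="$2" -F': ' \
        'index($1, m "(") == 1 { print $2; found = 1 } END { exit (found ? 0 : 1) }'
}

# daq_modules LISTING: module names in listing order.
daq_modules() {
    printf '%s\n' "$1" | awk -F'[(]' '/\(v[0-9]+\):/ { print $1 }'
}

# daq_supports LISTING MODULE [ATTR...]: succeed only if MODULE lists every ATTR.
daq_supports() {
    listing="$1"; mod="$2"; shift 2
    attrs=$(daq_attrs "$listing" "$mod") || return 1
    for a in "$@"; do
        case " $attrs " in
            *" $a "*) ;;
            *) return 1 ;;
        esac
    done
}

# daq_modules_with LISTING [ATTR...]: modules that have every ATTR.
daq_modules_with() {
    listing="$1"; shift
    for mod in $(daq_modules "$listing"); do
        if daq_supports "$listing" "$mod" "$@"; then printf '%s\n' "$mod"; fi
    done
}

# mode_attr MODE: the attribute a --daq-mode value needs. This mapping
# (read-file -> readback, passive -> live, inline -> inline) is an assumption.
mode_attr() {
    case "$1" in
        read-file) echo readback ;;
        passive)   echo live ;;
        inline)    echo inline ;;
        *) echo "unknown daq-mode: $1" >&2; return 1 ;;
    esac
}

# check_daq LISTING MODULE MODE [unpriv]: refuse combinations the module does
# not advertise, e.g. pcap with inline, or nfq when running unprivileged.
check_daq() {
    listing="$1"; mod="$2"; mode="$3"; shift 3
    attr=$(mode_attr "$mode") || return 1
    if daq_supports "$listing" "$mod" "$attr" "$@"; then
        return 0
    fi
    echo "DAQ '$mod' does not support: $mode $*" >&2
    return 1
}

if [ "${1:-}" = demo ]; then
    echo "inline-capable, unprivileged: $(echo $(daq_modules_with "$DAQ_LIST_SAMPLE" inline unpriv))"
    check_daq "$DAQ_LIST_SAMPLE" pcap inline || true
fi
```

Run it with the argument demo to see it against the embedded listing. In a deployment script you would replace DAQ_LIST_SAMPLE with the real output of snort --daq-list (with --daq-dir if your modules live elsewhere), captured at start-up, so a sensor refuses to launch with a DAQ that cannot serve the mode it is about to run in.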

Configuring Snort
If everything went as planned, Snort is now built with DAQ support. By default Snort uses the PCAP module for reading files and for sniffing interfaces, so if that is all you do with Snort you can stop reading; it should just work.

However, if you run Snort inline, keep reading, as there are some new command line switches and some new usage options.

Here is the full set of DAQ related command line and config file options:
snort [--daq <type>] [--daq-mode <mode>] [--daq-dir <dir>] [--daq-var <var>]
config daq: <type>
config daq_mode: <mode>
config daq_dir: <dir>
config daq_var: <var>

<type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
<mode> ::= read-file | passive | inline
<dir>  ::= path where to look for DAQ module .so's
<var>  ::= arbitrary <name>=<value> passed to the DAQ
Caveats:
  • If daq-mode is not set explicitly, -Q will force it to inline.
  • If daq-mode is not set explicitly, -r will force it to read-file.
  • The default daq-mode is passive.
  • Running -Q together with --daq-mode inline is allowed, but -Q with any other DAQ mode will cause a fatal error at start-up.

USAGE
The following examples assume you have 3 Ethernet interfaces with management on eth0 and that you intend to pass traffic through your sensor between eth1 and eth2.

Using the PCAP DAQ
PCAP is the default DAQ. If Snort is run without any DAQ arguments, it will operate as it always did, using this module. This is the most common usage of Snort: passive sniffing of an interface or reading back pcap files.

To do this you can use any of the following as they are all equivalent:
snort -i <device>
snort -r <file>
snort --daq pcap --daq-mode passive -i <device>
snort --daq pcap --daq-mode read-file -r <file>
You can also specify the PCAP buffer size if you need to, using:
snort --daq pcap --daq-var buffer_size=<#bytes>
  • NOTE - The PCAP DAQ does not count filtered packets.

Using the AFPACKET DAQ
AFPACKET is the easiest way to set up an inline sensor, and it has better performance than the standard PCAP interface.

To use AFPACKET in passive mode:
snort --daq afpacket -i <device> [--daq-var buffer_size_mb=<#MB>] [--daq-var debug]
If you want to run AFPACKET in inline mode, you must set device to one or more interface pairs, where each member of a pair is separated by a single colon and each pair is separated by a double colon. There is no need to configure a QUEUE or bridge with AFPACKET; you just need to bring the interfaces up and give Snort the correct command line.

Syntax for inline pairs
eth0:eth1
eth0:eth1::eth2:eth3
Running inline Snort
ifconfig eth1 promisc up
ifconfig eth2 promisc up
snort --daq afpacket -i eth1:eth2 -Q -c snort.conf
  • By default, the AFPACKET DAQ allocates 128MB for packet memory. You can change the allocation using the buffer_size_mb daq-var. See README.daq for the gory details of that calculation.
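Putting the inline steps together, here is an added wrapper script (example code of mine, not the Snort project's own) that validates the interface-pair syntax, checks that every interface exists, is used once and is not the management interface, brings the pair members up promiscuous as above, and starts Snort with -Q. It also respects the caveat from the options section by never passing a second --daq-mode next to -Q. The names eth0/eth1/eth2, the config path, the AFPACKET_BUF_MB knob and the SYSNET override (which lets the checks run against a fake /sys/class/net) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the Snort project: start an AFPACKET inline
# sensor after validating the interface-pair spec. All paths and interface
# names here are assumptions for the example.
set -eu

MGMT_IF="${MGMT_IF:-eth0}"                         # assumed management interface, never bridged
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"  # assumed config path
SYSNET="${SYSNET:-/sys/class/net}"                 # overridable so the checks run without real NICs
AFPACKET_BUF_MB="${AFPACKET_BUF_MB:-}"             # empty keeps the DAQ's 128MB default

# pair_interfaces SPEC: print the interfaces of a spec like eth1:eth2::eth3:eth4
# one per line; fail if any pair is not exactly two non-empty names.
pair_interfaces() {
    [ -n "$1" ] || { echo "empty interface spec" >&2; return 1; }
    awk -v s="$1" 'BEGIN {
        n = split(s, pairs, "::")
        for (i = 1; i <= n; i++) {
            if (split(pairs[i], d, ":") != 2 || d[1] == "" || d[2] == "") {
                print "bad interface pair: \"" pairs[i] "\"" > "/dev/stderr"
                exit 1
            }
            print d[1]; print d[2]
        }
    }'
}

# check_pairs SPEC: each interface must exist, appear only once and not be the
# management interface (bridging it would pass your own SSH through the sensor).
check_pairs() {
    ifs=$(pair_interfaces "$1") || return 1
    seen=" "
    for i in $ifs; do
        case "$seen" in
            *" $i "*) echo "interface $i used twice" >&2; return 1 ;;
        esac
        seen="$seen$i "
        [ "$i" != "$MGMT_IF" ] || { echo "refusing to bridge management interface $i" >&2; return 1; }
        [ -d "$SYSNET/$i" ] || { echo "no such interface: $i" >&2; return 1; }
    done
}

# start_inline SPEC [extra snort args]: bring the pair members up promiscuous
# and exec Snort inline. Needs root. -Q already forces --daq-mode inline, so
# the extra args must not carry another --daq-mode (that is a fatal error).
start_inline() {
    spec="$1"; shift
    check_pairs "$spec"
    for i in $(pair_interfaces "$spec"); do
        ifconfig "$i" promisc up    # "ip link set $i promisc on up" on iproute2-only systems
    done
    exec snort --daq afpacket -i "$spec" -Q -c "$SNORT_CONF" \
        ${AFPACKET_BUF_MB:+--daq-var buffer_size_mb=$AFPACKET_BUF_MB} "$@"
}

if [ "${1:-}" = start ]; then
    shift
    start_inline "$@"
fi
```

Usage is ./inline.sh start eth1:eth2 (or eth1:eth2::eth3:eth4 for two bridged pairs); anything after the spec is passed through to Snort. The management-interface refusal is the check worth keeping even if you drop the rest: with AFPACKET there is no bridge to misconfigure, so the easiest way to lock yourself out of a sensor is to hand it the interface you are logged in through.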

Closing
Hopefully that is enough to get you going. See the DAQ distro README as well as Snort's README.daq for more information.

We have already received some positive feedback as well as some pointers on what needs fixing in the beta. Keep the feedback coming and we'll ensure a solid 2.9.0 rollout. Send bugs, feature requests, etc. to "bugs <at> snort.org", or join the Snort-Devel and Snort-Users mailing lists and post your thoughts there.

3 comments:

Thành Văn Võ said...

How can I build a DAQ library on Windows?

Thành Văn Võ said...

How can I build a DAQ library on Windows? I use Windows 7.

Joel Esler said...

We make a Windows installer available from the downloads page on Snort.org.