VPP snort插件

环境：

$ cat /etc/issue
Ubuntu 20.04.3 LTS \n \l

VPP编译之前需要先安装daq库，下载libdaq-3.0.5源码，进行编译安装。之后下载vpp代码，编译之后，生成两个需要的so共享库: libdaq_vpp.so和snort_plugin.so。将libdaq_vpp.so.22.02拷贝到目录/home/test目录下。

# cd ~/work/vpp/build-root/install-vpp_debug-native/vpp/lib/x86_64-linux-gnu/daq
# ls -l
total 40
lrwxrwxrwx 1 root root    19 12月 31 09:19 libdaq_vpp.so -> libdaq_vpp.so.22.02
-rw-r--r-- 1 root root 39488 12月 31 09:18 libdaq_vpp.so.22.02
#
# cp libdaq_vpp.so.22.02 /home/test/libdaq_vpp.so
#
#
# cd ~/work/vpp/build-root/install-vpp_debug-native/vpp/lib/x86_64-linux-gnu/vpp_plugins
# ls -l
total 92456
-rw-r--r-- 1 root root   556608 12月 31 09:19 snort_plugin.so

VPP插件snort配置

确定snort插件已经加载。

# show logging
...
2021/12/31 09:30:34:108 notice     plugin/load    Loaded plugin: snort_plugin.so (Snort)

创建实例，名称为ids-engine，之后需要用到。

# snort create-instance name ids-engine queue-size 64 on-disconnect pass
#
# show snort instances
ids-engine [idx:0 sz:4096 fd:26]

关联实例与接口。

# snort attach instance ids-engine interface port8
#
# show snort interfaces
interface       snort instance
port8:  ids-engine

默认为中断模式，也可设置为轮询模式polling。

# snort mode interrupt
#
# show snort mode
input mode: interrupt

当前还没有客户端。

# show snort clients
number of clients: 0

使能port8接口。

# set interface state port8 up

snort实例可关联多个接口，如下：

# snort attach instance ids-engine interface port7
#
# show snort interfaces
interface       snort instance
port7:  ids-engine
port8:  ids-engine

SNORT客户端

以下使用libdaq-3.0.5源码中的测试程序，作为snort插件的客户端。选项-d用于指定使用的daq库，只需要填写vpp，不需要完整的文件名（libdaq_vpp.so）。选项-i指定实例名称，即以上创建的ids-engine。选项-m指定daq库的查找目录。

另外，测试程序daqtest需要以root用户运行。

# cd libdaq-3.0.5/example
#
# ./daqtest -d vpp -i ids-engine -C input_mode=interrupt -m "/home/test"
[Config]
  Input: ids-engine
  Snaplen: 1518
  Timeout: 0ms (Allowance: Unlimited)
  Module Stack:
    0: [vpp]
      Mode: passive
      Variables:
        input_mode=interrupt
  Packet Count: Unlimited
  Batch Size: 16
  Default Verdict: pass
  Ping Action: Pass
Local MAC Address: 5a:9f:de:53:e0:85
module-name: (vpp)
Snaplen: -1
Message Pool Info:
  Size: 256
  Available: 128
  Memory Usage: 0

Packet 1: Size = 239/239, Ingress = 0 (Group = -1), Egress = 0 (Group = -1), Addr Space ID = 2
 IP: 192.168.1.30 -> 192.168.1.255 (239 bytes) (checksum: 41717) (protocol: 17)
  UDP: 138 -> 138  Checksum 4527  (219 bytes of data)

...

Packet 98: Size = 78/78, Ingress = 0 (Group = -1), Egress = 0 (Group = -1), Addr Space ID = 2
 IP: 192.168.12.93 -> 192.168.12.255 (78 bytes) (checksum: 55) (protocol: 17)
  UDP: 137 -> 137  Checksum 27506  (58 bytes of data)

DAQ receive timed out 8 times.
Maximum messages received in a burst: 4

*Receive Status Counters*
  Ok: 61
  Timeout: 8

Average number of packets received per receive call: 0.00

*DAQ Module Statistics*
  Hardware Packets Received:  0
  Hardware Packets Dropped:   0
  Packets Received:   0
  Packets Filtered:   0
  Packets Passed:     0
  Packets Replaced:   0
  Packets Blocked:    0
  Packets Injected:   0
  Flows Whitelisted:  0
  Flows Blacklisted:  0
  Flows Ignored:      0

以上显示分为三个部分：配置参数显示；接收到的报文信息；以及统计信息（CTL+C之后显示）。在接收报文过程中，查看snort客户端数量：

# vppctl show snort clients
number of clients: 1

SNORT节点

snort数据平面包括snort-enq和snort-deq两个节点，其中snort-enq类型为internal内部，比如其节点关系有：ip4-input -> snort-enq -> ip4-sv-reassembly-feature。节点snort-deq为入口input类型节点，其下一个节点有error-drop和ip4-lookup等选择。

# show node snort-enq
node snort-enq, type internal, state active, index 54

  next nodes:
    next-index  node-index               Node               Vectors
         0          670               error-drop               0   
         1          595             ip4-not-enabled            0   
         2          609               ip4-lookup             14463 

  known previous nodes:
    ip4-mpls-label-disposition-uniform ip4-mpls-label-disposition-pipe (36ip4-input-no-checksum (592)        
    ip4-input (593)                    
# 
# 
# show node snort-deq
node snort-deq, type input, state interrupt wait, index 53, sibling-of snort-enq

  next nodes:
    next-index  node-index               Node               Vectors
         0          670               error-drop               0   
         1          595             ip4-not-enabled            0   
         2          609               ip4-lookup               0