Wind River Support Network

Status: Fixed

LIN1022-4833 : snort is not able to work as host IPS due to missing of NFQ daq

Created: Jul 23, 2023    Updated: Aug 22, 2023
Resolved Date: Aug 22, 2023
Found In Version: 10.22.33.10
Fix Version: 10.22.33.12
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Userspace

Description

$ setup.sh --machine xilinx-zynqmp --distro wrlinux --dl-layers --all-layers --templates feature/ips
$ bitbake wrlinux-image-core

On target:
root@xilinx-zynqmp:~# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv


In order to support host IPS mode (the IPS running on the device itself and preventing malicious actions against that device), snort needs to work in NFQ mode (with the NFQ DAQ), but support for the NFQ DAQ is currently missing.

Steps to Reproduce

*the setup line:*

#  ./wrlinux-x/setup.sh --machine xilinx-zynqmp --distro wrlinux --dl-layers --all-layers --templates feature/ips

other configurations changed through local.conf:
only commented out "BB_NO_NETWORK ?= '1'" in conf/local.conf

*bitbake command being used:*

# bitbake wrlinux-image-core

*commands run on target:*

root@xilinx-zynqmp:~# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

salesforce ticket (attached if this is a customer issue):
no salesforce ticket

*background of this ticket:*
The customer is asking whether the snort package could be used for their use case: they want an IPS solution running on the device to prevent malicious actions on the device itself, because the following link
[https://docs.windriver.com/bundle/srh1658504253788_tki1589820771450/page/bws1498766404779.html]
mentions:
Adds an Intrusion Prevention System (IPS) to your platform project image. IPS is also known as an Intrusion Detection and Prevention System (IDPS). This functionality monitors network or system activities for malicious actions.

The feature/ips template adds snort to support IPS functionality.

but to my understanding, in order to work as a host IPS, snort needs to work in inline NFQ mode,
which needs support for the NFQ DAQ,
and currently the snort package in LTS22 cannot work in this mode because the NFQ DAQ is missing
(the snort package in LTS22 can work in inline afpacket mode, which makes it act as a network IPS protecting the devices behind it on the network).
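The distinction above (afpacket inline gives a network IPS, NFQ inline gives a host IPS) can be checked mechanically from the `snort --daq-list` output. The script below is an added illustration for this ticket, not Wind River or snort code: it parses the module list, looks for a module name with the `inline` capability, and classifies which IPS mode the build can support. The first sample is the module list reported on the target; the second sample, with an `nfq` line, is constructed to show what a fixed build would classify as, and its capability flags are an assumption rather than output from a real build.

```shell
#!/bin/sh
# daq_check.sh: classify the IPS mode a snort build supports from its
# `snort --daq-list` output. Added example for this ticket, not Wind River code.

# Constructed sample: the module list exactly as reported on the LTS22 target.
DAQ_LIST_LTS22='Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv'

# Constructed sample of a build that ships the NFQ DAQ. The capability
# flags on the nfq line are assumed, not copied from a real build.
DAQ_LIST_WITH_NFQ="$DAQ_LIST_LTS22
nfq(v3): live inline multi"

# daq_has_module LIST NAME CAPABILITY
# Returns 0 when LIST has a line "NAME(vN): ..." whose flags include CAPABILITY.
daq_has_module() {
    printf '%s\n' "$1" | grep -E "^$2\([^)]*\):" | grep -qw "$3"
}

# ips_mode LIST
# Prints "host" when an inline nfq DAQ is present (packets for the device
# itself can be queued to snort through netfilter), "network" when only an
# inline afpacket DAQ is present (snort can bridge two interfaces and protect
# hosts behind it), and "none" when no inline-capable DAQ is listed.
ips_mode() {
    if daq_has_module "$1" nfq inline; then
        echo host
    elif daq_has_module "$1" afpacket inline; then
        echo network
    else
        echo none
    fi
}

# live_ips_mode
# Same classification taken from the snort binary on this machine, if any.
live_ips_mode() {
    command -v snort >/dev/null 2>&1 || { echo none; return 1; }
    ips_mode "$(snort --daq-list 2>/dev/null)"
}

echo "LTS22 target build: $(ips_mode "$DAQ_LIST_LTS22")"
echo "build with NFQ DAQ: $(ips_mode "$DAQ_LIST_WITH_NFQ")"
```

With the module list from the ticket the script reports `network`, which matches the reporter's reading: without an `nfq` module there is no way to hand the device's own inbound and outbound packets to snort through netfilter's NFQUEUE target, so the build can only act as an inline bridge for other hosts. `live_ips_mode` can be run on the target after the fix version is installed to confirm that the classification changes to `host`.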

*purpose of this ticket:*
1. check whether my understanding is correct, that the snort package in LTS22 cannot work in host IPS mode
to prevent malicious actions on the device itself
2. if #1 is true, is the missing support for the NFQ DAQ a bug? since [https://docs.windriver.com/bundle/srh1658504253788_tki1589820771450/page/bws1498766404779.html]
mentions that snort could act as an IPS.