
I am not a network guru, so please bear with me. I am running snort on a PLC (running rt-linux) along with an application that needs to communicate with another instance of the same application residing on another PLC, via multicast. I have configured multicast on both PLCs with the `route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0` command. Also, I am instantiating snort from within my application in a child process. Snort is running in intrusion detection mode.

The problem is that as soon as snort gets started from my application, the PLC starts sending so many packets that it completely overwhelms the network. I ran wireshark from my host machine (connected to PLCs via switch) and found out that these were IGMPv2 membership report group packets. The packets originate from the PLC that is running snort. After I stop snort, everything goes back to normal and it reports approx. 2k packets per second.

Do I have a multicast configuration problem or something wrong with snort configuration?

Any help would be appreciated.

awatan
  • Multicast is not routed the same way unicast is routed. There is a whole ecosystem needed to route multicast (IGMP, PIM, etc.). – Ron Maupin Nov 21 '18 at 05:24
  • What's the purpose for doing this? – joeqwerty Nov 21 '18 at 05:41
  • @RonMaupin It works for simple message passing between my application instances. I have no clue how to stop these membership report group packets, as networking is not my field. – awatan Nov 21 '18 at 05:44
  • See [this answer](https://serverfault.com/a/814296/324849) for an explanation of IGMP. – Ron Maupin Nov 21 '18 at 05:51
  • You seem to be misusing multicast, and you really need to understand it before using it. Multicast addresses are destination addresses to which you send to reach a subset of the hosts on a network. Like broadcast, multicast is normally confined to a single network, but there is a way to route multicast traffic, although it is very different than unicast routing, and it involves several protocols designed to keep multicast packets from going where they are not wanted; otherwise multicast would go everywhere. – Ron Maupin Nov 21 '18 at 05:58
  • Hosts wishing to receive traffic destined to a particular multicast group will send IGMP join messages to a multicast router to request that the multicast router start sending traffic for that multicast group to the network on which the host is connected. The multicast router will periodically ask on the network if there are any hosts still interested in receiving the traffic destined to the multicast group. Multicast addresses should not be used as source addresses. – Ron Maupin Nov 21 '18 at 06:08
  • Thanks. I get a fair idea now of how multicast is different from unicast. But when I run my application instances on two PLCs without snort, everything works normally, but as soon as I start snort, a flurry of IGMP packets starts to flood the LAN, which is where I start having problems. – awatan Nov 21 '18 at 06:24
  • Why are you running snort in the first place? – joeqwerty Nov 21 '18 at 07:04
  • @joeqwerty For detecting attacks. – awatan Nov 21 '18 at 07:50
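As an added example (not from the question or any commenter), a defender-side check for the symptom described above: it parses the 8-byte IGMPv2 header, verifies the Internet checksum, and flags any source that sends more Membership Reports per second than a threshold. The IP addresses, timestamps and packet bytes are constructed sample data.

```python
import struct
from collections import defaultdict

# IGMP message types from RFC 2236
IGMP_MEMBERSHIP_QUERY = 0x11
IGMP_V2_MEMBERSHIP_REPORT = 0x16
IGMP_LEAVE_GROUP = 0x17

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_igmpv2(msg: bytes) -> dict:
    """Parse type, max response time and group address; reject bad checksums."""
    if len(msg) < 8:
        raise ValueError("IGMPv2 message too short")
    igmp_type, max_resp, _cksum, group = struct.unpack("!BBH4s", msg[:8])
    if internet_checksum(msg[:8]) != 0:  # a valid message sums to zero
        raise ValueError("bad IGMP checksum")
    return {"type": igmp_type, "max_resp": max_resp,
            "group": ".".join(str(b) for b in group)}

def build_report(group: str) -> bytes:
    """Build a valid IGMPv2 Membership Report (constructed test input)."""
    octets = [int(o) for o in group.split(".")]
    hdr = struct.pack("!BBH4B", IGMP_V2_MEMBERSHIP_REPORT, 0, 0, *octets)
    return hdr[:2] + struct.pack("!H", internet_checksum(hdr)) + hdr[4:]

def report_flood_sources(events, threshold_pps: int) -> dict:
    """events: (timestamp_seconds, src_ip, igmp_bytes). Returns {src: peak pps}
    for every source whose Membership Report rate exceeds threshold_pps."""
    per_second = defaultdict(int)
    for ts, src, msg in events:
        try:
            hdr = parse_igmpv2(msg)
        except ValueError:
            continue  # malformed messages are not counted as reports
        if hdr["type"] == IGMP_V2_MEMBERSHIP_REPORT:
            per_second[(src, int(ts))] += 1
    peak = defaultdict(int)
    for (src, _sec), n in per_second.items():
        peak[src] = max(peak[src], n)
    return {src: pps for src, pps in peak.items() if pps > threshold_pps}
```

Feed it tuples extracted from a capture (for instance a pcap read with a library of your choice) and any host that behaves like the PLC in the question, reporting thousands of times per second, shows up in the returned dict.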
