====== Adventures in Multi-Snort ======
%ICON{"tip"}% Most of the commands will require root. Run ''sudo su -'' to keep from having to add sudo to everything.
===== Install NIC Driver =====
|**Driver** |**Hardware** |**More Info** |
| e1000 | Supports Legacy Intel (PCI, PCI-X**) Gigabit Network Connections. | [[http://www.intel.com/support/network/adapter/pro100/sb/CS-032516.htm?wapkw=e1000|More]] |
| e1000e | Supports Intel PCI Express** Gigabit Network Connections except the 82575, 82576, 82580, and I350.| [[http://www.intel.com/support/network/sb/CS-032514.htm|More]] |
| TNAPI | 1 Gbit: Intel 82575/76/80 (Linux driver igb 3.1.x) / 10 Gbit: Intel 82598/82599 (Linux driver ixgbe 3.3.9) | [[http://www.ntop.org/products/pf_ring/tnapi/|More]] |
To view what driver you're using, use the **lshw** command and look at the **configuration** line for **driver**:
''lshw -class network''
You can also install and use ethtool for more info on your adapter
''apt-get install ethtool''
''ethtool eth0''
Download the current version of PF_RING
[[http://sourceforge.net/projects/ntop/files/PF_RING/|http://sourceforge.net/projects/ntop/files/PF_RING/]]
Install the driver (browse to the proper directory for the desired driver under **PF_RING_aware**):
<code bash>
tar xvfz PF_RING-5.4.1.tar.gz
cd PF_RING-5.4.1/drivers/PF_RING_aware/intel/e1000/e1000-8.0.35/src/
make clean
make
make install
</code>
===== Setting up PF_RING =====
Adjust the **vmalloc** kernel parameter so Snort can load pfring.
* Edit **/etc/default/grub**
* Change the following line:
''GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"''
* To:
''GRUB_CMDLINE_LINUX_DEFAULT="quiet splash vmalloc=256m"''
* Regenerate the boot configuration: ''update-grub''
This will require a reboot before you try to run Snort with pfring. You can do it now or after installing pfring aware drivers.
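The GRUB edit above is easy to get wrong on a box that is rebuilt more than once (a second ''vmalloc='' on the same line, or an edit that never made it into the running kernel). The helper below is an added example, not from the original page: it appends ''vmalloc=<size>'' to ''GRUB_CMDLINE_LINUX_DEFAULT'' only when no vmalloc setting is present yet, and a second function checks after the reboot that the running kernel actually received the parameter. The file path and the 256m value come from the page; the function names, the ''/proc/cmdline'' check and the assumption that the value is double-quoted (as Debian/Ubuntu ship it) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Idempotently set vmalloc=<size> in
# /etc/default/grub so PF_RING can be loaded, and verify it after the reboot.
# Usage:  add_vmalloc /etc/default/grub 256m && update-grub   (then reboot)
#         vmalloc_active && echo "vmalloc is set on the running kernel"

# Append "vmalloc=<size>" to GRUB_CMDLINE_LINUX_DEFAULT in file $1 (default size 256m).
# Leaves the file untouched if any vmalloc= setting is already there. Prints the
# resulting line; returns 1 if the variable is missing from the file.
# Assumes the value is double-quoted, e.g. GRUB_CMDLINE_LINUX_DEFAULT="quiet splash".
add_vmalloc() {
    file=$1
    size=${2:-256m}
    line=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file") || return 1
    case $line in
        *vmalloc=*)
            printf '%s\n' "$line"     # already set: nothing to do
            return 0
            ;;
    esac
    tmp="$file.tmp.$$"
    # Insert the parameter just before the closing quote; the second expression
    # handles an empty value so we do not leave a leading space behind.
    sed -e "s/^\(GRUB_CMDLINE_LINUX_DEFAULT=\"[^\"]*\)\"/\1 vmalloc=$size\"/" \
        -e 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=\)" /\1"/' "$file" > "$tmp" \
        && mv "$tmp" "$file"
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"
}

# Return 0 if the kernel command line (file $1, default /proc/cmdline) carries a
# vmalloc= setting, i.e. update-grub ran and the machine was rebooted since.
vmalloc_active() {
    grep -q 'vmalloc=[0-9]' "${1:-/proc/cmdline}"
}
```

Source the file and run ''add_vmalloc /etc/default/grub 256m && update-grub''; after the reboot, ''vmalloc_active'' is the check to run before the first ''snort --daq pfring'' attempt, since a missing parameter shows up as a module load failure rather than as a clear error.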
Install subversion, autoconf, and libtool
''apt-get install subversion autoconf libtool''
Download the current version of PF_RING
[[http://sourceforge.net/projects/ntop/files/PF_RING/|http://sourceforge.net/projects/ntop/files/PF_RING/]]
<code bash>
tar xvfz PF_RING-5.4.1.tar.gz
cd PF_RING-5.4.1
make clean
cd kernel
make clean
make
make install
cd ../userland/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib'
./configure
make clean
make
make install
cd ../libpcap
export LIBS='-L/usr/local/lib -lpfring -lpthread'
./configure
make clean
make
make install
make clean && make && make install-shared
ln -s /usr/local/lib/libpfring.so /usr/lib/libpfring.so
</code>
To check the status of PF_RING, run:
''modinfo pf_ring && cat /proc/net/pf_ring/info''
If using as a passive IDS with the e1000(e) driver, reload the module with transmit capture disabled and a larger ring (from the ''PF_RING-5.4.1/kernel'' directory):
<code bash>
rmmod pf_ring
insmod pf_ring.ko enable_tx_capture=0 transparent_mode=1 min_num_slots=16384
</code>
===== Setting up DAQ =====
Download the current version of DAQ
[[http://www.snort.org/snort-downloads/|http://www.snort.org/snort-downloads/]]
<code bash>
tar xvfz daq-0.6.2.tar.gz
cd daq-0.6.2
chmod 755 configure
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS="-L/usr/local/lib -lpcap -lpthread"
./configure --disable-nfq-module --disable-ipq-module \
  --with-libpcap-includes=/usr/local/include \
  --with-libpcap-libraries=/usr/local/lib \
  --with-libpfring-includes=/usr/local/include/ \
  --with-libpfring-libraries=/usr/local/lib
make clean && make && make install
</code>
===== Build the DAQ Interface Module =====
Go back to the PF_RING directory and build the DAQ interface module:
<code bash>
cd PF_RING-5.4.1/userland/snort/pfring-daq-module
autoreconf -ivf
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpcap -lpfring -lpthread'
./configure
make && make install
</code>
===== Setting up Snort =====
Download the current version of Snort
[[http://www.snort.org/snort-downloads/|http://www.snort.org/snort-downloads/]]
Compile and install (adjust the ''--enable'' options to suit your environment):
<code bash>
tar xvfz snort-2.9.2.3.tar.gz
cd snort-2.9.2.3
make clean
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpcap -lpfring -lpthread'
./configure --with-libpcap-includes=/usr/local/include \
  --with-libpcap-libraries=/usr/local/lib \
  --with-libpfring-includes=/usr/local/include/ \
  --with-libpfring-libraries=/usr/local/lib \
  --enable-zlib --enable-perfprofiling --enable-ipv6 \
  --enable-gre --enable-mpls --enable-normalizer \
  --enable-targetbased --enable-decoder-preprocessor-rules \
  --enable-reload
make
make install
</code>
Verify Snort can use the PF_RING DAQ module:
''snort --daq-dir=/usr/local/lib/daq --daq-list''
You should see something similar to this:
<code>
Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
</code>
Make sure you have the **pfring** line.
===== Run Snort =====
Here is an example of Snort running on 4 cores (2 per interface) in passive mode using pfring. Instances that share a ''clusterid'' on the same interface have that interface's traffic balanced between them by PF_RING, and ''bindcpu'' pins each instance to its own core.
<code bash>
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth2 --pid-path /var/run/log0 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=0 -l /var/log/snort/log0 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth3 --pid-path /var/run/log1 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=1 -l /var/log/snort/log1 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth2 --pid-path /var/run/log2 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=2 -l /var/log/snort/log2 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth3 --pid-path /var/run/log3 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=3 -l /var/log/snort/log3 -D
</code>
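The four command lines above are one instance of a general pattern: N interfaces times M instances per interface, with ''bindcpu'' values handed out round-robin across the interfaces. As an added example (not from the original page, and not a Snort or PF_RING tool), the shell functions below generate that list for any interface set and instance count, and in run mode first check the ''snort --daq-list'' output for the pfring module so a missing DAQ module is caught before anything is started. The paths are the page's (''/usr/local/bin/snort'', ''/etc/snort/snort.conf'', ''/usr/local/lib/daq'') and can be overridden through the SNORT, SNORT_CONF and DAQ_DIR environment variables; the function names and the print/run split are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: plan (or start) one passive pfring
# Snort instance per core, interleaving interfaces as the page's 4-core example does.
# Usage:  plan_instances print 2 16 eth2 eth3     # show the commands
#         plan_instances run   2 16 eth2 eth3     # start them (as root)

SNORT=${SNORT:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
DAQ_DIR=${DAQ_DIR:-/usr/local/lib/daq}

# Return 0 if the "snort --daq-list" output passed as $1 advertises a pfring module.
has_pfring_daq() {
    printf '%s\n' "$1" | grep -q '^pfring(v[0-9][0-9]*):'
}

# Build the command line for one instance: interface $1, instance number $2
# (also used as the bindcpu core and as the log/pid directory suffix), cluster id $3.
snort_cmd() {
    printf '%s -c %s -i %s --pid-path /var/run/log%s --daq-dir=%s --daq pfring --daq-mode passive --daq-var clusterid=%s --daq-var bindcpu=%s -l /var/log/snort/log%s -D' \
        "$SNORT" "$SNORT_CONF" "$1" "$2" "$DAQ_DIR" "$3" "$2" "$2"
}

# $1 = print|run, $2 = instances per interface, $3 = cluster id, rest = interfaces.
# Instance n is bound to core n, so round r over interfaces i0,i1,... gets cores
# r*count, r*count+1, ... exactly like the page's eth2/eth3/eth2/eth3 ordering.
plan_instances() {
    mode=$1; per_iface=$2; cluster=$3; shift 3
    if [ "$mode" = run ]; then
        has_pfring_daq "$("$SNORT" --daq-dir="$DAQ_DIR" --daq-list 2>&1)" \
            || { echo "pfring DAQ module not available in $DAQ_DIR" >&2; return 1; }
    fi
    n=0; r=0
    while [ "$r" -lt "$per_iface" ]; do
        for iface in "$@"; do
            cmd=$(snort_cmd "$iface" "$n" "$cluster")
            if [ "$mode" = run ]; then
                # Snort will not start if its log and pid directories are missing.
                mkdir -p "/var/run/log$n" "/var/log/snort/log$n"
                $cmd
            else
                printf '%s\n' "$cmd"
            fi
            n=$((n + 1))
        done
        r=$((r + 1))
    done
}
```

Run it in print mode first and compare the output with ''nproc'': every instance gets its own core, so asking for more instances than cores leaves some ''bindcpu'' values pointing at cores that do not exist.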
===== Setting up Etherchannel on Cisco =====
This is a basic example of setting up a Layer 2 Etherchannel port on a Cisco device.
On the switch, after logging in and entering enable mode:
<code>
configure terminal
interface gigabitethernet1/1
no ip address
channel-group 19 mode on
exit
interface gigabitethernet1/2
no ip address
channel-group 19 mode on
exit
! ... repeat for each remaining member port ...
interface Port-channel19
no shutdown
exit
end
</code>
Here is how to set it as a SPAN session destination:
<code>
monitor session 1 source tengigabitethernet2/1 both
monitor session 1 destination interface port-channel 19
</code>
===== References =====
* [[http://www.metaflows.com/technology/pf-ring/|http://www.metaflows.com/technology/pf-ring/]]
* [[http://www.openinfosecfoundation.org/doc/INSTALL.PF_RING.txt|http://www.openinfosecfoundation.org/doc/INSTALL.PF_RING.txt]]
* [[http://www.ntop.org/pf_ring/using-pf_ring-with-snort-and-suricata-for-idsips-acceleration/|http://www.ntop.org/pf_ring/using-pf_ring-with-snort-and-suricata-for-idsips-acceleration/]]
* [[https://svn.ntop.org/svn/ntop/trunk/PF_RING/drivers/|https://svn.ntop.org/svn/ntop/trunk/PF_RING/drivers/]]
* [[https://svn.ntop.org/svn/ntop/trunk/PF_RING/userland/snort/pfring-daq-module/README.1st|https://svn.ntop.org/svn/ntop/trunk/PF_RING/userland/snort/pfring-daq-module/README.1st]]
* [[http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/channel.html|http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/channel.html]]
* [[http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/span.html|http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/span.html]]
* [[http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html|http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html]]
-- Main.FredPettis - 2012-03-17