multi-snortnotes [2013/01/27 21:29]
====== Adventures in Multi-Snort ======
Tip: Most of the commands below require root. Run ''sudo su -'' once rather than prefixing every command with sudo.

===== Install NIC Driver =====
| **Driver** | **Hardware** | **More Info** |
| e1000 | Legacy Intel (PCI, PCI-X) Gigabit Network Connections | [[http://www.intel.com/support/network/adapter/pro100/sb/CS-032516.htm?wapkw=e1000|More]] |
| e1000e | Intel PCI Express Gigabit Network Connections, except the 82575, 82576, 82580 and I350 | [[http://www.intel.com/support/network/sb/CS-032514.htm|More]] |
| TNAPI | 1 Gbit: Intel 82575/76/80 (Linux driver igb 3.1.x); 10 Gbit: Intel 82598/82599 (Linux driver ixgbe 3.3.9) | [[http://www.ntop.org/products/pf_ring/tnapi/|More]] |

To see which driver an interface is using, run **lshw** and look at the **driver** entry on the **configuration** line:

''lshw -class network''

You can also install ethtool for more information on the adapter (its -i option reports the driver name and version bound to an interface):

''apt-get install ethtool''
''ethtool eth0''

Download the current version of PF_RING:
[[http://sourceforge.net/projects/ntop/files/PF_RING/]]

Extract it and build the PF_RING-aware driver that matches your NIC (browse to the proper directory under **drivers/PF_RING_aware**; e1000 is shown, and the version directory name depends on the PF_RING release you downloaded):
<file>
tar xvfz PF_RING-5.4.1.tar.gz
cd PF_RING-5.4.1/drivers/PF_RING_aware/intel/e1000/e1000-8.0.35/src/
make clean
make
make install
</file>
The installed module replaces the stock driver of the same name, so it only takes effect once that driver is unloaded and reloaded, or after a reboot.

===== Setting up PF_RING =====
Raise the kernel's **vmalloc** reserve so the pf_ring module can allocate its ring buffers (this matters mainly on 32-bit kernels, where the default vmalloc area is 128 MB):
  * Edit **/etc/default/grub**
  * Change the following line:<br /> ''GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"''
  * To:<br /> ''GRUB_CMDLINE_LINUX_DEFAULT="quiet splash vmalloc=256m"''

''update-grub''

The new boot parameter takes effect only after a reboot, which you need before running Snort with pfring. You can reboot now or after installing the PF_RING-aware driver.

Install subversion, autoconf and libtool:

''apt-get install subversion autoconf libtool''

If you have not already done so, download and extract the current version of PF_RING:
[[http://sourceforge.net/projects/ntop/files/PF_RING/]]

Build and install the kernel module, the userland library and the PF_RING-enabled libpcap:
<file>
tar xvfz PF_RING-5.4.1.tar.gz
cd PF_RING-5.4.1
make clean
cd kernel
make clean
make
make install
cd ../userland/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib'
./configure
make clean
make
make install
cd ../libpcap
export LIBS='-L/usr/local/lib -lpfring -lpthread'
./configure
make clean
make
make install
make install-shared
ln -s /usr/local/lib/libpfring.so /usr/lib/libpfring.so
</file>
The symlink makes libpfring.so visible to programs that do not search /usr/local/lib; adding /usr/local/lib to the dynamic linker's search path (ld.so.conf plus ''ldconfig'') is the cleaner alternative.

To check that the module is installed and loaded, run:
''modinfo pf_ring && cat /proc/net/pf_ring/info''

''modinfo'' fails if the module was not installed, and ''/proc/net/pf_ring/info'' exists only while it is loaded; it reports the module version and its active settings.

If you are using the box as a passive IDS with the e1000(e) driver, reload the module with transmit capture off, transparent mode 1 and a larger ring (run this from the ''kernel'' directory where pf_ring.ko was built):
<file>
rmmod pf_ring
insmod ./pf_ring.ko enable_tx_capture=0 transparent_mode=1 min_num_slots=16384
</file>
With ''transparent_mode=1'' a PF_RING-aware driver hands packets to PF_RING first and then to the normal stack; ''transparent_mode=2'' delivers them to PF_RING only and is the lowest-overhead choice when nothing else on the box needs the traffic. To make the options persist across reboots, put the same parameters on an ''options pf_ring'' line in a file under ''/etc/modprobe.d/'' and load the module with ''modprobe pf_ring''.

===== Setting up DAQ =====
Download the current version of DAQ:
[[http://www.snort.org/snort-downloads/]]

Build it against the PF_RING-enabled libpcap installed above (the nfq and ipq modules are inline-only and not needed on a passive sensor, so they are disabled):
<file>
tar xvfz daq-0.6.2.tar.gz
cd daq-0.6.2
chmod 755 configure
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS="-L/usr/local/lib -lpcap -lpthread"
./configure --disable-nfq-module --disable-ipq-module \
--with-libpcap-includes=/usr/local/include \
--with-libpcap-libraries=/usr/local/lib \
--with-libpfring-includes=/usr/local/include/ \
--with-libpfring-libraries=/usr/local/lib
make clean && make && make install
</file>

===== Build the DAQ Interface Module =====
Go back to the PF_RING tree and build the pfring DAQ module, which is what lets Snort open a PF_RING socket:
<file>
cd PF_RING-5.4.1/userland/snort/pfring-daq-module
autoreconf -ivf
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpcap -lpfring -lpthread'
./configure
make && make install
</file>

===== Setting up Snort =====
Download the current version of Snort:
[[http://www.snort.org/snort-downloads/]]

Compile and install (adjust the ''--enable'' options to suit your environment):
<file>
tar xvfz snort-2.9.2.3.tar.gz
cd snort-2.9.2.3
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpcap -lpfring -lpthread'
./configure --with-libpcap-includes=/usr/local/include \
--with-libpcap-libraries=/usr/local/lib \
--with-libpfring-includes=/usr/local/include/ \
--with-libpfring-libraries=/usr/local/lib \
--enable-zlib --enable-perfprofiling --enable-ipv6 \
--enable-gre --enable-mpls --enable-normalizer \
--enable-targetbased --enable-decoder-preprocessor-rules \
--enable-reload
make
make install
</file>

Verify that Snort can see the PF_RING DAQ module:
<file>
snort --daq-dir=/usr/local/lib/daq --daq-list
</file>
You should see something similar to this:
<file>
Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
</file>
Make sure the **pfring** line is present; if it is missing, the DAQ interface module was not installed into the directory given by ''--daq-dir''.

===== Run Snort =====
Here is an example of Snort running on 4 cores (2 per interface) in passive mode using pfring. Each process is pinned to one core with ''bindcpu'', and the processes that share an interface share a ''clusterid'', so PF_RING balances that interface's flows between them. Every instance has its own pid path and log directory, which must exist before Snort starts.
<file>
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth2 --pid-path /var/run/log0 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=0 -l /var/log/snort/log0 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth3 --pid-path /var/run/log1 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=1 -l /var/log/snort/log1 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth2 --pid-path /var/run/log2 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=2 -l /var/log/snort/log2 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth3 --pid-path /var/run/log3 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=3 -l /var/log/snort/log3 -D
</file>
Giving each interface its own cluster id, rather than reusing 16 for both, is the usual recommendation and removes any ambiguity about which processes a cluster spans.

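The verification step and the four hand-typed command lines above can be folded into one script. The following is an added example, not part of the original page or of the PF_RING or Snort projects: a POSIX sh launcher that checks the prerequisites (module loaded, /proc entry present, pfring DAQ module visible to Snort, interfaces exist) and then starts one pinned Snort worker per (interface, core) pair. Paths follow the page; the per-interface cluster ids (16 for the first interface, 17 for the next) and the sequential core assignment are this script's own choices, as are the ''check''/''dry''/''run'' sub-commands.

```shell
#!/bin/sh
# Added example (not from the original page): preflight checks plus a launcher
# for one Snort/PF_RING process per (interface, core) pair. Paths follow the
# page; the per-interface cluster ids (16, 17, ...) and the sequential core
# assignment are this script's own choices. Run as root.
SNORT=${SNORT:-/usr/local/bin/snort}
CONF=${CONF:-/etc/snort/snort.conf}
DAQ_DIR=${DAQ_DIR:-/usr/local/lib/daq}
LOG_BASE=${LOG_BASE:-/var/log/snort}
PID_BASE=${PID_BASE:-/var/run}
IFACES=${IFACES:-"eth2 eth3"}      # sniffing interfaces
PER_IFACE=${PER_IFACE:-2}          # Snort processes per interface
FIRST_CLUSTER=${FIRST_CLUSTER:-16} # cluster id of the first interface

# daq_list_has TEXT NAME: true if the `snort --daq-list` output in TEXT
# lists a DAQ module called NAME (lines look like "pfring(v1): live ...").
daq_list_has() {
    printf '%s\n' "$1" | grep -q "^ *$2(v[0-9]*):"
}

# snort_cmd IFACE CLUSTERID CPU INSTANCE: print the command line for one
# passive pfring worker pinned to CPU, with its own pid path and log dir.
snort_cmd() {
    printf '%s -c %s -i %s --pid-path %s/log%s --daq-dir=%s --daq pfring --daq-mode passive --daq-var clusterid=%s --daq-var bindcpu=%s -l %s/log%s -D\n' \
        "$SNORT" "$CONF" "$1" "$PID_BASE" "$4" "$DAQ_DIR" "$2" "$3" "$LOG_BASE" "$4"
}

# launch_all IFACES PER_IFACE [dry]: PER_IFACE workers per interface. Workers
# on the same interface share a cluster id, each further interface gets the
# next id, and cores are handed out sequentially from 0. With "dry", only print.
launch_all() {
    la_cpu=0; la_inst=0; la_cluster=$FIRST_CLUSTER
    for la_iface in $1; do
        la_i=0
        while [ "$la_i" -lt "$2" ]; do
            la_cmd=$(snort_cmd "$la_iface" "$la_cluster" "$la_cpu" "$la_inst")
            if [ -n "${3:-}" ]; then
                echo "$la_cmd"
            else
                # Snort does not create these; missing dirs make it exit.
                mkdir -p "$LOG_BASE/log$la_inst" "$PID_BASE/log$la_inst"
                eval "$la_cmd"
            fi
            la_cpu=$((la_cpu + 1)); la_inst=$((la_inst + 1)); la_i=$((la_i + 1))
        done
        la_cluster=$((la_cluster + 1))
    done
}

# preflight: print a reason for every missing prerequisite; non-zero if any.
preflight() {
    pf_rc=0
    lsmod | grep -q '^pf_ring ' || { echo "pf_ring kernel module is not loaded"; pf_rc=1; }
    [ -r /proc/net/pf_ring/info ] || { echo "/proc/net/pf_ring/info is missing"; pf_rc=1; }
    [ -x "$SNORT" ] || { echo "$SNORT is not executable"; pf_rc=1; }
    daq_list_has "$("$SNORT" --daq-dir="$DAQ_DIR" --daq-list 2>&1)" pfring \
        || { echo "no pfring DAQ module under $DAQ_DIR"; pf_rc=1; }
    for pf_iface in $IFACES; do
        [ -d "/sys/class/net/$pf_iface" ] || { echo "interface $pf_iface does not exist"; pf_rc=1; }
    done
    return $pf_rc
}

case "${1:-}" in
    check) preflight ;;
    dry)   launch_all "$IFACES" "$PER_IFACE" dry ;;
    run)   preflight && launch_all "$IFACES" "$PER_IFACE" ;;
    *)     echo "usage: $0 check|dry|run" ;;
esac
```

Run it with ''check'' first, then ''dry'' to review the exact command lines, then ''run''. With the defaults, eth2 gets instances log0 and log1 on cores 0 and 1 in cluster 16, and eth3 gets log2 and log3 on cores 2 and 3 in cluster 17.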
===== Setting up Etherchannel on Cisco =====
This is a basic example of setting up a Layer 2 Etherchannel port on a Cisco device. ''mode on'' creates a static channel with no PAgP/LACP negotiation, which is what you want when the far end is a pair of sensor NICs that only receive mirrored traffic.

On the chassis, after logging in and entering enable mode:
<file>
configure terminal
interface gigabitethernet1/1
no ip address
channel-group 19 mode on
exit
interface gigabitethernet1/2
no ip address
channel-group 19 mode on
exit
...
etc.
...
interface Port-channel19
no shutdown
exit
end
</file>
Here is how to set it as a SPAN session destination (''both'' mirrors the frames the source port receives and transmits):
<file>
monitor session 1 source tengigabitethernet2/1 both
monitor session 1 destination interface port-channel 19
</file>
The switch spreads the mirrored traffic across the channel members according to its EtherChannel load-balancing hash, so each sensor NIC (eth2 and eth3 in the Snort example above) receives a share of the flows rather than a full copy.

===== References =====
  * [[http://www.metaflows.com/technology/pf-ring/]]
  * [[http://www.openinfosecfoundation.org/doc/INSTALL.PF_RING.txt]]
  * [[http://www.ntop.org/pf_ring/using-pf_ring-with-snort-and-suricata-for-idsips-acceleration/]]
  * [[https://svn.ntop.org/svn/ntop/trunk/PF_RING/drivers/]]
  * [[https://svn.ntop.org/svn/ntop/trunk/PF_RING/userland/snort/pfring-daq-module/README.1st]]
  * [[http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/channel.html]]
  * [[http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/span.html]]
  * [[http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html]]


-- Main.FredPettis - 2012-03-17