
Adventures in Multi-Snort

Tip: Most of the commands will require root. Run sudo su - to keep from having to add sudo to everything.

Install NIC Driver

Driver | Hardware
e1000  | Supports Legacy Intel (PCI, PCI-X) Gigabit Network Connections.
e1000e | Supports Intel PCI Express Gigabit Network Connections except the 82575, 82576, 82580, and I350.
TNAPI  | 1 Gbit: Intel 82575/76/80 (Linux driver igb 3.1.x) / 10 Gbit: Intel 82598/82599 (Linux driver ixgbe 3.3.9)

To view what driver you're using, use the lshw command. Look at the configuration line for driver:

lshw -class network

You can also install and use ethtool for more info on your adapter:

apt-get install ethtool
ethtool eth0
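As an added example (not from the original page), the POSIX shell script below reads lshw -class network output, pulls each interface's driver out of its configuration line, and flags whether that driver is one of the ones the table above lists with a PF_RING-aware version (e1000, e1000e, igb, ixgbe). The lshw text embedded in it is a constructed sample; on a real host pipe lshw -class network into nic_report instead. The function names are this example's own.

```shell
#!/bin/sh
# Added example: report each NIC's kernel driver and whether PF_RING ships an
# aware driver for it.  Not part of the original page.

# Constructed sample in lshw's output format (real input: lshw -class network).
SAMPLE_LSHW='  *-network:0
       description: Ethernet interface
       product: 82574L Gigabit Network Connection
       vendor: Intel Corporation
       logical name: eth0
       configuration: autonegotiation=on broadcast=yes driver=e1000e driverversion=1.9.5-k duplex=full link=yes speed=1Gbit/s
  *-network:1
       description: Ethernet interface
       product: RTL8111/8168B PCI Express Gigabit Ethernet controller
       vendor: Realtek Semiconductor Co., Ltd.
       logical name: eth1
       configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=2.3LK-NAPI link=no'

# nic_drivers: read lshw text on stdin and print "IFACE DRIVER" per interface.
# The interface name comes from "logical name:", the driver from the
# "driver=..." token of the "configuration:" line.
nic_drivers() {
    awk '
        /\*-network/      { iface = "" }
        /logical name:/   { iface = $3 }
        /configuration:/  {
            for (i = 2; i <= NF; i++)
                if (split($i, kv, "=") == 2 && kv[1] == "driver")
                    print iface, kv[2]
        }'
}

# pfring_aware DRIVER: exit 0 if DRIVER is one of the drivers the table
# above lists with a PF_RING-aware version.
pfring_aware() {
    case "$1" in
        e1000|e1000e|igb|ixgbe) return 0 ;;
        *) return 1 ;;
    esac
}

# nic_report: print "IFACE DRIVER yes|no" per NIC from lshw text on stdin.
nic_report() {
    nic_drivers | while read -r iface drv; do
        if pfring_aware "$drv"; then aware=yes; else aware=no; fi
        printf '%s %s %s\n' "$iface" "$drv" "$aware"
    done
}

# Usage on a live box:  lshw -class network | nic_report
printf '%s\n' "$SAMPLE_LSHW" | nic_report
```

A NIC reported with "no" can still be captured through the stock PF_RING kernel module, but it will not get the zero-copy path that the aware drivers in the PF_RING_aware tree provide.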

Download the current version of PF_RING:
http://sourceforge.net/projects/ntop/files/PF_RING/

Install the driver (browse to the proper directory for the desired driver under PF_RING_aware).

tar xvfz PF_RING-5.4.1.tar.gz
cd PF_RING-5.4.1/drivers/PF_RING_aware/intel/e1000/e1000-8.0.35/src/
make clean
make
make install

Setting up PF_RING

Adjust the vmalloc kernel parameter so Snort can load pfring.

  • Edit /etc/default/grub
  • Change the following line:
    GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
  • To:
    GRUB_CMDLINE_LINUX_DEFAULT="quiet splash vmalloc=256m"

update-grub

This will require a reboot before you try to run Snort with pfring. You can do it now or after installing pfring aware drivers.

Install subversion, autoconf, and libtool

apt-get install subversion autoconf libtool

Download the current version of PF_RING:
http://sourceforge.net/projects/ntop/files/PF_RING/

tar xvfz PF_RING-5.4.1.tar.gz
cd  PF_RING-5.4.1
make clean
cd kernel
make clean
make
make install
cd ../userland/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib'
./configure
make clean
make
make install
cd ../libpcap
export LIBS='-L/usr/local/lib -lpfring -lpthread'
./configure
make clean
make
make install
make clean && make && make install-shared
ln -s /usr/local/lib/libpfring.so /usr/lib/libpfring.so

To check the status of PF_RING, run:
modinfo pf_ring && cat /proc/net/pf_ring/info

If using as a passive IDS with e1000(e) driver:

rmmod pf_ring.ko
insmod pf_ring.ko enable_tx_capture=0 transparent_mode=1 min_num_slots=16384

Setting up DAQ

Download the current version of DAQ:
http://www.snort.org/snort-downloads/

tar xvfz daq-0.6.2.tar.gz
cd daq-0.6.2
chmod 755 configure
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS="-L/usr/local/lib -lpcap -lpthread"
./configure --disable-nfq-module --disable-ipq-module \
--with-libpcap-includes=/usr/local/include \
--with-libpcap-libraries=/usr/local/lib \
--with-libpfring-includes=/usr/local/include/ \
--with-libpfring-libraries=/usr/local/lib
make clean && make && make install

Build the DAQ Interface Module

Go back to the PF_RING directory and build the daq interface module.

cd  PF_RING-5.4.1/userland/snort/pfring-daq-module
autoreconf -ivf
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpcap -lpfring -lpthread'
./configure
make && make install

Setting up Snort

Download the current version of Snort:
http://www.snort.org/snort-downloads/

Compile and install (you can adjust some of the 'enable' options to suit your environment):

tar xvfz snort-2.9.2.3.tar.gz
cd snort-2.9.2.3
make clean
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpcap -lpfring -lpthread'
./configure --with-libpcap-includes=/usr/local/include \
--with-libpcap-libraries=/usr/local/lib \
--with-libpfring-includes=/usr/local/include/ \
--with-libpfring-libraries=/usr/local/lib \
--enable-zlib --enable-perfprofiling --enable-ipv6 \
--enable-gre --enable-mpls --enable-normalizer \
--enable-targetbased --enable-decoder-preprocessor-rules \
--enable-reload
make
make install

Verify Snort can use the PF_RING DAQ module

snort --daq-dir=/usr/local/lib/daq --daq-list

You should see something similar to this:

Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

Make sure you have the pfring line.
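Beyond checking that the pfring line is present, the words after each module name are its capabilities, and the DAQ mode you later pass to Snort needs the matching one (passive needs live, inline needs inline, read-file needs readback). As an added example (not from the original page), these POSIX shell functions parse a --daq-list listing and answer that question; the listing embedded here is a constructed copy of the one shown above, and daq_caps, daq_supports and daq_mode_ok are names invented for this example.

```shell
#!/bin/sh
# Added example: verify that a DAQ module is present in `snort --daq-list`
# output and advertises the capability a given --daq-mode needs.
# Not part of the original page.

# Constructed sample listing, same shape as the output shown above.
SAMPLE_DAQ_LIST='Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv'

# daq_caps LISTING MODULE: print MODULE's capability words, or nothing if
# the module is not listed.  Matches "MODULE(" so "pcap" cannot match a
# module whose name merely starts with pcap.
daq_caps() {
    printf '%s\n' "$1" | awk -v m="$2" '
        index($1, m "(") == 1 { $1 = ""; sub(/^ +/, ""); print }'
}

# daq_supports LISTING MODULE CAP: exit 0 if MODULE advertises CAP.
daq_supports() {
    for cap in $(daq_caps "$1" "$2"); do
        [ "$cap" = "$3" ] && return 0
    done
    return 1
}

# daq_mode_ok LISTING MODULE MODE: map Snort's --daq-mode values to the
# capability word they require and check it.  Exit 2 on an unknown mode.
daq_mode_ok() {
    case "$3" in
        passive)   daq_supports "$1" "$2" live ;;
        inline)    daq_supports "$1" "$2" inline ;;
        read-file) daq_supports "$1" "$2" readback ;;
        *)         return 2 ;;
    esac
}

# Usage on a real host, before starting the sensors:
#   listing=$(snort --daq-dir=/usr/local/lib/daq --daq-list)
#   daq_mode_ok "$listing" pfring passive || echo "pfring DAQ missing or not live-capable"
if daq_mode_ok "$SAMPLE_DAQ_LIST" pfring passive; then
    echo "pfring: passive mode OK"
fi
```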

Run Snort

Here is an example of Snort running on 4 cores (2 per interface) in passive mode using pfring.

/usr/local/bin/snort -c /etc/snort/snort.conf -i eth2 --pid-path /var/run/log0 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=0 -l /var/log/snort/log0 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth3 --pid-path /var/run/log1 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=1 -l /var/log/snort/log1 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth2 --pid-path /var/run/log2 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=2 -l /var/log/snort/log2 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth3 --pid-path /var/run/log3 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=3 -l /var/log/snort/log3 -D
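The four commands above follow one pattern: worker n is pinned to CPU n, keeps its pid file in /var/run/logn and its logs in /var/log/snort/logn, all workers share cluster id 16, and consecutive workers alternate interfaces. As an added example (not from the original page), this POSIX shell launcher generates exactly that layout for any number of interfaces and workers per interface, so the command lines stay consistent as cores are added. snort_cmd, launch_workers, DRY_RUN and the path variables are this example's own assumptions, not Snort options; the Snort flags themselves are the ones used above.

```shell
#!/bin/sh
# Added example: generate and (optionally) start one Snort/PF_RING worker per
# CPU across several interfaces.  Not part of the original page.

SNORT=/usr/local/bin/snort
CONF=/etc/snort/snort.conf
DAQ_DIR=/usr/local/lib/daq
LOG_BASE=/var/log/snort
PID_BASE=/var/run

# snort_cmd IFACE WORKER CLUSTERID
# Print the command line for worker number WORKER sniffing IFACE.  The worker
# number is also the CPU it is bound to and the suffix of its pid and log
# directories, matching the log0..log3 layout above.
snort_cmd() {
    iface=$1; n=$2; cluster=$3
    printf '%s -c %s -i %s --pid-path %s/log%s --daq-dir=%s --daq pfring --daq-mode passive --daq-var clusterid=%s --daq-var bindcpu=%s -l %s/log%s -D\n' \
        "$SNORT" "$CONF" "$iface" "$PID_BASE" "$n" "$DAQ_DIR" "$cluster" "$n" "$LOG_BASE" "$n"
}

# launch_workers CLUSTERID PER_IFACE IFACE...
# Give each interface PER_IFACE workers, numbered round-robin so consecutive
# CPUs alternate interfaces (eth2, eth3, eth2, eth3 for the case above).
# With DRY_RUN=1 the command lines are printed instead of executed.
launch_workers() {
    cluster=$1; per=$2; shift 2
    n=0
    round=0
    while [ "$round" -lt "$per" ]; do
        for iface in "$@"; do
            cmd=$(snort_cmd "$iface" "$n" "$cluster")
            if [ "${DRY_RUN:-0}" = 1 ]; then
                printf '%s\n' "$cmd"
            else
                # Snort will not create these; make them before daemonizing.
                mkdir -p "$LOG_BASE/log$n" "$PID_BASE/log$n"
                $cmd
            fi
            n=$((n + 1))
        done
        round=$((round + 1))
    done
}

# Reproduce the four commands above without starting anything:
DRY_RUN=1 launch_workers 16 2 eth2 eth3
```

Every worker on the same interface must share the clusterid so PF_RING load-balances flows between them rather than delivering each packet to all of them; the launcher passes one cluster id to every worker for that reason.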

Setting up Etherchannel on Cisco

This is a basic example of setting up a Layer 2 Etherchannel port on a Cisco device.

On the chassis after logging and enabling:

configure terminal
interface gigabitethernet1/1
no ip address
channel-group 19 mode on
exit
interface gigabitethernet1/2
no ip address
channel-group 19 mode on
exit
...
etc.
...
interface Port-channel19
no shutdown
exit
end

Here is how to set it as a SPAN session destination:

monitor session 1 source tengigabitethernet2/1 both
monitor session 1 destination interface port-channel 19
