Using PF_RING with Snort and Suricata for IDS/IPS Acceleration

Some users are exploiting PF_RING acceleration to improve popular IDS/IPS applications such as Snort and Suricata. Suricata leveraged PF_RING since day one thanks to Will Metcalf, whereas I have added (again together with Will) support in snort using the DAQ library part of the 2.9 version.

Acceleration does not mean just improved packet capture, but also the ability to fully exploit multicore architectures by spreading packets across multiple application instances. This is a unique feature that can’t be found in pcap-based libraries.

This is an excerpt from the snort-users mailing list that describes how to load balance traffic across multiple snort instances using the DAQ/PF_RING module.

Re: [Snort-users] Multiple Snort Instances – One Interface
From: Will Metcalf <william.metcalf@gm…> – 2010-10-29 18:40

Ahhh James Thorton you found the marble in the oatmeal your a lucky

lucky lucky little boy because you wanna know why you get to drink

from the IDS FIREHOSE!!!

Butchering quotes for Weird Al Yankovic’s masterpiece UHF aside, this

now possible with the version of PF_RING in SVN. It should be noted

that the code is probably still of beta quality.  Luca Deri did a lot

of awesome work developing a PF_RING aware DAQ module.  I helped a bit

by adding support for load balancing based on flow via PF_RING

clusters and setting per process affinity.  It is incomplete at the

moment i.e. last time a checked it didn’t have support for filtering

packets.  Additionally code should probably added to allow a list of

processes to be added to the cpu set. If you want to check it out you

can follow instructions here on building PF_RING as a dkms module.

http://www.openinfosecfoundation.org/doc/INSTALL.PF_RING.txt

Additionally you will have to build PF_RING aware daq by going into

the daq-0.2 dir and doing the following

./configure –with-libpfring-libraries=/opt/PF_RING/lib

–with-libpfring-includes=/opt/PF_RING/include

–with-libpcap-libraries=/opt/PF_RING/lib

–with-libpcap-includes=/opt/PF_RING/include

LD_RUN_PATH=”/opt/PF_RING/lib:/usr/lib:/usr/local/lib”

–prefix=/opt/PF_RING && make && sudo make install

Then download snort 2.9.0 and build with the following params.

PATH=”/opt/PF_RING/bin:$PATH” ./configure –enable-perfprofiling

–with-libpfring-libraries=/opt/PF_RING/lib

–with-libpfring-includes=/opt/PF_RING/include

–with-libpcap-libraries=/opt/PF_RING/lib

–with-libpcap-includes=/opt/PF_RING/include

LD_RUN_PATH=”/opt/PF_RING/lib:/usr/lib:/usr/local/lib”

–prefix=/opt/PF_RING && make && make install

/opt/PF_RING/bin/snort -c etc/snort.conf –pid-path=./log2 -D –daq

pfring -i eth1 –daq-var clusterid=44 –daq-var bindcpu=1 -l ./log1

/opt/PF_RING/bin/snort -c etc/snort.conf –pid-path=./log3 -D –daq

pfring -i eth1 –daq-var clusterid=44 –daq-var bindcpu=2 -l ./log2

/opt/PF_RING/bin/snort -c etc/snort.conf –pid-path=./log4 -D –daq

pfring -i eth1 –daq-var clusterid=44 –daq-var bindcpu=3 -l ./log3

You will then have traffic load balanced across multiple snort

processes based on flow. Enjoy drinking from the ids firehose ;-)…

Also, you could also always checkout other err ummm open source IDS

projects that support this functionality natively ;-)

Regards,

Will

On Fri, Oct 29, 2010 at 12:48 PM, James Thornton

<

james.f.thornton@gmail.com

> wrote:

> I could be mistaken, but believe you need the TNAPI driver with PF_RING to

> accomplish this.  TNAPI driver is roughly $400.  That is outside of my

> budget at the moment.

>

> Thanks,

>

> Jim T

>

> On Fri, Oct 29, 2010 at 1:30 PM, Will Metcalf <

william.metcalf@gmail.com

>

> wrote:

>>

>> Whats wrong with using PF_RING to do this? ;-)

>>

>> Regards,

>>

>> Will

>>

>> On Fri, Oct 29, 2010 at 8:38 AM, James Thornton

>> <

james.f.thornton@gmail.com

> wrote:

>> > All –

>> >

>> > On my quad core system, I would like to load-balance traffic from a

>> > single

>> > Ethernet device across two or four Snort processes.  Has anyone on the

>> > list

>> > accomplished this in the past?  Aside from the PF_RING library, I’ve had

>> > no

>> > success on Internet searches for load balancing software modules that

>> > provide this capability.  Any guidance from the group would be

>> > appreciated.

>> >

>> > Thank You,

>> >

>> > Jim T

>> >

>> >

>> > ——————————————————————————

>> > Nokia and AT&T present the 2010 Calling All Innovators-North America

>> > contest

>> > Create new apps & games for the Nokia N8 for consumers in  U.S. and

>> > Canada

>> > $10 million total in prizes – $4M cash, 500 devices, nearly $6M in

>> > marketing

>> > Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store

>> >

http://p.sf.net/sfu/nokia-dev2dev

>> > _______________________________________________

>> > Snort-users mailing list

>> >

Snort-users@lists.sourceforge.net

>> > Go to this URL to change user options or unsubscribe:

>> >

https://lists.sourceforge.net/lists/listinfo/snort-users

>> > Snort-users list archive:

>> >

http://www.geocrawler.com/redir-sf.php3?list=snort-users

>> >

>

>

Re: [Snort-users] Multiple Snort Instances – One Interface
From: Jim Hranicky <jfh@uf…> – 2010-11-01 15:52

On Fri, 29 Oct 2010 13:40:08 -0500

Will Metcalf <

william.metcalf@gmail.com

> wrote:

> You will then have traffic load balanced across multiple snort

> processes based on flow. Enjoy drinking from the ids firehose ;-)…

> Also, you could also always checkout other err ummm open source IDS

> projects that support this functionality natively ;-)

Damn:

— /tmp/snort1.out —

*** Caught Usr-Signal

Packet I/O Totals:

Received:      2608501

Analyzed:      2608501 (100.000%)

Dropped:            0 (  0.000%)

Filtered:            0 (  0.000%)

Outstanding:            0 (  0.000%)

Injected:            0

— /tmp/snort2.out —

*** Caught Usr-Signal

Packet I/O Totals:

Received:      2988261

Analyzed:      2988261 (100.000%)

Dropped:            0 (  0.000%)

Filtered:            0 (  0.000%)

Outstanding:            0 (  0.000%)

Injected:            0

— /tmp/snort3.out —

*** Caught Usr-Signal

Packet I/O Totals:

Received:      2417539

Analyzed:      2417539 (100.000%)

Dropped:            0 (  0.000%)

Filtered:            0 (  0.000%)

Outstanding:            0 (  0.000%)

Injected:            0

— /tmp/snort4.out —

*** Caught Usr-Signal

Packet I/O Totals:

Received:      2382326

Analyzed:      2382326 (100.000%)

Dropped:            0 (  0.000%)

Filtered:            0 (  0.000%)

Outstanding:            0 (  0.000%)

Injected:            0

— /tmp/snort5.out —

*** Caught Usr-Signal

Packet I/O Totals:

Received:      2427689

Analyzed:      2427689 (100.000%)

Dropped:            0 (  0.000%)

Filtered:            0 (  0.000%)

Outstanding:            0 (  0.000%)

Injected:            0

— /tmp/snort6.out —

*** Caught Usr-Signal

Packet I/O Totals:

Received:      2577258

Analyzed:      2577258 (100.000%)

Dropped:            0 (  0.000%)

Filtered:            0 (  0.000%)

Outstanding:            0 (  0.000%)

Injected:            0

— /tmp/snort7.out —

*** Caught Usr-Signal

Packet I/O Totals:

Received:      2406892

Analyzed:      2406892 (100.000%)

Dropped:            0 (  0.000%)

Filtered:            0 (  0.000%)

Outstanding:            0 (  0.000%)

Injected:            0

— /tmp/snort8.out —

*** Caught Usr-Signal

Packet I/O Totals:

Received:      2528434

Analyzed:      2528434 (100.000%)

Dropped:            0 (  0.000%)

Filtered:            0 (  0.000%)

Outstanding:            0 (  0.000%)

Injected:            0

That was 5 minutes ago…I’m now up to ~7M Received/Analyzed per process

without a drop on any.

Wow.

—

Jim Hranicky

IT Security Engineer

Office of Information Security and Compliance

University of Florida