4. Using Snort with PF_RING ZC
4.1. Prerequisites
Make sure you have installed:
- Snort 2.9 or later
- Snort with DAQ include files/libraries (0.6.2, 1.1.1, and 2.0). You can do that by downloading Snort and DAQ from http://www.snort.org/snort-downloads?
4.2. Compilation
git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel
make && sudo make install
cd PF_RING/userland/lib
./configure && make && sudo make install
cd PF_RING/userland/snort/pfring-daq-module-zc
autoreconf -ivf
./configure
make
4.3. Installation
Install the library with:
sudo cp .libs/daq_pfring_zc.so /usr/local/lib/daq/
or alternatively with:
sudo make install
or, if you want to run snort without installing it, use --daq-dir=./.libs
4.4. Running snort in IDS mode
snort --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth0 --daq-var clusterid=99 -v -e
It is possible to specify multiple interfaces by using a comma-separated list.
4.5. Running snort in IPS mode
snort --daq-dir=/usr/local/lib/daq --daq pfring_zc -i zc:eth0+zc:eth1 --daq-var clusterid=99 -e -Q
It is possible to specify multiple interface pairs by using a comma-separated list.
4.6. PF_RING ZC DAQ Specific Options
- Cluster ID
Each snort instance creates an internal ZC cluster; each cluster needs a unique Cluster ID, which can be specified with:
--daq-var clusterid=<cluster id>
- Bind an instance to a core
Proper core isolation keeps snort instances from stepping on each other's feet. To bind an instance to a specific core, use:
--daq-var bindcpu=<core id>
- IDS forwarding
If you want to forward incoming packets while snort is running in IDS mode, you can enable the IDS bridge mode with:
--daq-var idsbridge=1
If you prefer higher forwarding speed over analysing every single packet, you can enable a “best-effort” IDS bridge mode with:
--daq-var idsbridge=2
4.7. Napatech Streams and IPS/IDS-Bridge
Napatech streams are not network interfaces. This means that in IPS or IDS bridge mode you also need to specify the corresponding port for packet transmission (syntax: <rx port>-<tx port>).
snort --daq-dir=/usr/local/lib/daq --daq pfring_zc -i nt:streamX-nt:Z+nt:streamY-nt:W -e -Q
Where Z is the port bound to stream X and W is the port bound to stream Y.
4.8. Example of Symmetric RSS + Core Binding
IDS mode:
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth2+zc:eth3 --daq-var clusterid=0 --daq-var idsbridge=1 --daq-var bindcpu=1
IPS mode:
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode inline -i zc:eth2+zc:eth3 --daq-var clusterid=0 --daq-var bindcpu=1
IDS with Multiqueue and Symmetric RSS:
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth2@0+zc:eth3@0 --daq-var clusterid=0 --daq-var idsbridge=1 --daq-var bindcpu=0
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-2 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth2@1+zc:eth3@1 --daq-var clusterid=1 --daq-var idsbridge=1 --daq-var bindcpu=1
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-3 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth2@2+zc:eth3@2 --daq-var clusterid=2 --daq-var idsbridge=1 --daq-var bindcpu=2
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-4 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth2@3+zc:eth3@3 --daq-var clusterid=3 --daq-var idsbridge=1 --daq-var bindcpu=3
IPS with Multiqueue and Symmetric RSS:
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode inline -i zc:eth2@0+zc:eth3@0 --daq-var clusterid=0 --daq-var bindcpu=0
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-2 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode inline -i zc:eth2@1+zc:eth3@1 --daq-var clusterid=1 --daq-var bindcpu=1
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-3 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode inline -i zc:eth2@2+zc:eth3@2 --daq-var clusterid=2 --daq-var bindcpu=2
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-4 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode inline -i zc:eth2@3+zc:eth3@3 --daq-var clusterid=3 --daq-var bindcpu=3
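The four-instance launches above follow one pattern per RSS queue. As an added example that is not part of the PF_RING documentation, the POSIX shell functions below generate the command line for each queue and check that no two generated instances share a Cluster ID or a core; interface names and paths are taken from the examples above, while the queue count and the optional core offset are assumptions.

```shell
# snort_cmd MODE RXIF TXIF QUEUE [CPU_OFFSET]
# Prints the command line for one instance following section 4.8:
# queue q becomes instance q+1, clusterid q and bindcpu q+offset.
# Passive (IDS) mode adds idsbridge=1 as in the IDS examples; inline
# (IPS) mode forwards natively and gets no idsbridge option.
snort_cmd() {
    mode=$1 rx=$2 tx=$3 q=$4 off=${5:-0}   # CPU_OFFSET is an assumption
    cpu=$((q + off))
    bridge=""
    [ "$mode" = "passive" ] && bridge=" --daq-var idsbridge=1"
    printf 'snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-%s --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode %s -i zc:%s@%s+zc:%s@%s --daq-var clusterid=%s%s --daq-var bindcpu=%s\n' \
        "$((q + 1))" "$mode" "$rx" "$q" "$tx" "$q" "$q" "$bridge" "$cpu"
}

# snort_cmds MODE RXIF TXIF NQUEUES [CPU_OFFSET]
# One command line per RSS queue 0..NQUEUES-1 (NQUEUES must match the
# number of RSS queues configured on the NIC).
snort_cmds() {
    n=$4 i=0
    while [ "$i" -lt "$n" ]; do
        snort_cmd "$1" "$2" "$3" "$i" "${5:-0}"
        i=$((i + 1))
    done
}

# check_unique VAR
# Reads generated command lines on stdin and returns 0 if every value of
# "--daq-var VAR=<n>" is distinct, 1 if two instances share one. The ZC
# DAQ requires a unique Cluster ID per instance, and core binding only
# isolates instances if no two of them are pinned to the same core.
check_unique() {
    var=$1
    sed -n "s/.*--daq-var $var=\([0-9]*\).*/\1/p" | sort | uniq -d | grep -q . && return 1
    return 0
}

# Stand-alone use: print the four passive instances of section 4.8 and
# validate them before handing the lines to an init script.
snort_cmds passive eth2 eth3 4
snort_cmds passive eth2 eth3 4 | check_unique clusterid && echo "cluster ids ok"
snort_cmds passive eth2 eth3 4 | check_unique bindcpu && echo "core bindings ok"
```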
4.9. PF_RING FT Acceleration
In order to take advantage of PF_RING FT L7 filtering/shunting, you also need nDPI. Since PF_RING 7.3, nDPI is installed as a dependency of PF_RING when installing from packages. If you are compiling from source code, or using an older version of PF_RING, you need to install the nDPI library manually from https://github.com/ntop/nDPI following the steps below:
git clone https://github.com/ntop/nDPI.git
cd nDPI
./autogen.sh
make && sudo make install
Then you need to create a configuration file with the filtering rules:
# cat /etc/pf_ring/ft-rules.conf
[filter]
YouTube = discard
Netflix = discard
At this point you are ready to run Snort, setting the path of the configuration file using the PF_RING_FT_CONF environment variable:
sudo PF_RING_FT_CONF=/etc/pf_ring/ft-rules.conf snort --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:ethX --daq-var clusterid=Z -v -e
For further information about PF_RING FT, please read http://www.ntop.org/guides/pf_ring/ft.html