3. Using Snort with PF_RING

3.1. Prerequisites

Make sure you have installed:

3.2. Compilation

git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel
make && sudo make install

cd PF_RING/userland/lib
./configure && make && sudo make install

cd PF_RING/userland/snort/pfring-daq-module
autoreconf -ivf
./configure
make

3.3. Configure Options

If PF_RING is not installed, or is not located under "$HOME/PF_RING", the following configure options are available:

--with-libpfring-includes=<libpfring include directory>
--with-pfring-kernel-includes=<pfring kernel include directory>
--with-libpfring-libraries=<libpfring library directory>

3.4. Installation

Install the library with:

sudo cp .libs/daq_pfring.so /usr/local/lib/daq/

or alternatively with:

sudo make install

or, if you want to run snort without installing the module, use "--daq-dir=./.libs"

3.5. Running snort in IDS mode

snort --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive -i eth0 -v -e

It is possible to specify multiple interfaces by using a comma-separated list.

3.6. Running snort in IPS mode

snort --daq-dir=/usr/local/lib/daq --daq pfring  -i eth0:eth1 -e -Q

It is possible to specify multiple interface pairs by using a comma-separated list.

3.7. PF_RING DAQ Specific Options

  1. Kernel Filters

By default, a PF_RING kernel filtering rule is added whenever snort's verdict requests that a specific flow be dropped. If you want snort itself (and not PF_RING) to drop the packets, i.e. not have PF_RING kernel filtering rules added automatically, add:

--daq-var no-kernel-filters

Kernel filtering rules that have been idle for more than 5 minutes are removed automatically. To change the idle-rule timeout, use:

--daq-var kernel-filters-idle-timeout=<seconds>

  2. Socket clustering

PF_RING allows you to distribute packets across multiple processes by using socket clusters. For instance, two snort instances bound to the same clusterId each receive a subset of the packets, so that both cooperatively share the load. To enable this feature, use:

--daq-var clusterid=<comma separated id list>

where each id is a number (the clusterId), one per interface. The cluster mode, i.e. the flow fields used to distribute packets across the cluster, can also be specified with:

--daq-var clustermode=<mode>

where valid mode values are:

  • 2 for 2-tuple flow
  • 4 for 4-tuple flow
  • 5 for 5-tuple flow
  • 6 for 6-tuple flow

  3. Bind an instance to a core

Proper core isolation keeps snort instances from stepping on each other's toes. To bind an instance to a specific core, use:

--daq-var bindcpu=<core id>

  4. Kernel-level forwarding in IDS mode

If you want to forward incoming packets at kernel level while snort is running in IDS mode, you can specify a destination interface for each ingress interface with:

--daq-var lowlevelbridge=<comma-separated interface list>

  5. Fast TX in IPS mode

Since forwarding packets from userspace requires additional copies (and thus affects performance), it is possible to forward at kernel level the packets for which snort gives a positive verdict:

--daq-var fast-tx

  6. Packet capture tuning

It is possible to tune the packet capture activity by specifying the poll() timeout:

--daq-var timeout=<milliseconds>

and the watermark (minimum number of incoming packets for poll() to return):

--daq-var watermark=<packets>

3.8. Example of Clustering + Core Binding

IDS mode:

snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive -i eth2,eth3 --daq-var lowlevelbridge=eth3,eth2 --daq-var clusterid=10,11 --daq-var bindcpu=1
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-2 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive -i eth2,eth3 --daq-var lowlevelbridge=eth3,eth2 --daq-var clusterid=10,11 --daq-var bindcpu=2
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-3 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive -i eth2,eth3 --daq-var lowlevelbridge=eth3,eth2 --daq-var clusterid=10,11 --daq-var bindcpu=3
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-4 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive -i eth2,eth3 --daq-var lowlevelbridge=eth3,eth2 --daq-var clusterid=10,11 --daq-var bindcpu=4

IPS mode:

snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode inline -i eth2:eth3 --daq-var fast-tx=1 --daq-var clusterid=10,11 --daq-var bindcpu=1
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-2 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode inline -i eth2:eth3 --daq-var fast-tx=1 --daq-var clusterid=10,11 --daq-var bindcpu=2
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-3 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode inline -i eth2:eth3 --daq-var fast-tx=1 --daq-var clusterid=10,11 --daq-var bindcpu=3
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-4 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode inline -i eth2:eth3 --daq-var fast-tx=1 --daq-var clusterid=10,11 --daq-var bindcpu=4

3.9. PF_RING FT Acceleration

To take advantage of PF_RING FT L7 filtering/shunting, you also need nDPI. Since PF_RING 7.3, nDPI is installed as a dependency of PF_RING when installing from packages. If you are compiling from source, or using an older version of PF_RING, you need to install the nDPI library manually from https://github.com/ntop/nDPI following the steps below:

git clone https://github.com/ntop/nDPI.git
cd nDPI
./autogen.sh
make && sudo make install

Then you need to create a configuration file with the filtering rules:

# cat /etc/pf_ring/ft-rules.conf
[filter]
YouTube = discard
Netflix = discard

At this point you are ready to run Snort, setting the path of the configuration file using the PF_RING_FT_CONF environment variable:

sudo PF_RING_FT_CONF=/etc/pf_ring/ft-rules.conf snort --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive -i ethX -v -e

For further information about PF_RING FT, please read http://www.ntop.org/guides/pf_ring/ft.html