Snort mailing list archives
Re: Multiple Snort Instances - One Interface
From: Will Metcalf <william.metcalf () gmail com>
Date: Fri, 29 Oct 2010 13:40:08 -0500
Ahhh James Thornton you found the marble in the oatmeal you're a lucky lucky lucky little boy because you wanna know why you get to drink from the IDS FIREHOSE!!!

Butchering quotes for Weird Al Yankovic's masterpiece UHF aside, this is now possible with the version of PF_RING in SVN. It should be noted that the code is probably still of beta quality. Luca Deri did a lot of awesome work developing a PF_RING aware DAQ module. I helped a bit by adding support for load balancing based on flow via PF_RING clusters and setting per process affinity. It is incomplete at the moment, i.e. last time I checked it didn't have support for filtering packets. Additionally, code should probably be added to allow a list of processes to be added to the cpu set.

If you want to check it out you can follow instructions here on building PF_RING as a dkms module.

http://www.openinfosecfoundation.org/doc/INSTALL.PF_RING.txt

Additionally you will have to build PF_RING aware daq by going into the daq-0.2 dir and doing the following

    ./configure --with-libpfring-libraries=/opt/PF_RING/lib \
        --with-libpfring-includes=/opt/PF_RING/include \
        --with-libpcap-libraries=/opt/PF_RING/lib \
        --with-libpcap-includes=/opt/PF_RING/include \
        LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" \
        --prefix=/opt/PF_RING && make && sudo make install

Then download snort 2.9.0 and build with the following params.

    PATH="/opt/PF_RING/bin:$PATH" ./configure --enable-perfprofiling \
        --with-libpfring-libraries=/opt/PF_RING/lib \
        --with-libpfring-includes=/opt/PF_RING/include \
        --with-libpcap-libraries=/opt/PF_RING/lib \
        --with-libpcap-includes=/opt/PF_RING/include \
        LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" \
        --prefix=/opt/PF_RING && make && make install

    /opt/PF_RING/bin/snort -c etc/snort.conf --pid-path=./log2 -D --daq pfring -i eth1 --daq-var clusterid=44 --daq-var bindcpu=1 -l ./log1
    /opt/PF_RING/bin/snort -c etc/snort.conf --pid-path=./log3 -D --daq pfring -i eth1 --daq-var clusterid=44 --daq-var bindcpu=2 -l ./log2
    /opt/PF_RING/bin/snort -c etc/snort.conf --pid-path=./log4 -D --daq pfring -i eth1 --daq-var clusterid=44 --daq-var bindcpu=3 -l ./log3

You will then have traffic load balanced across multiple snort processes based on flow. Enjoy drinking from the ids firehose ;-)...

Also, you could also always check out other err ummm open source IDS projects that support this functionality natively ;-)

Regards,
Will

On Fri, Oct 29, 2010 at 12:48 PM, James Thornton <james.f.thornton () gmail com> wrote:
I could be mistaken, but believe you need the TNAPI driver with PF_RING to accomplish this. TNAPI driver is roughly $400. That is outside of my budget at the moment.

Thanks,
Jim T

On Fri, Oct 29, 2010 at 1:30 PM, Will Metcalf <william.metcalf () gmail com> wrote:

What's wrong with using PF_RING to do this? ;-)

Regards,
Will

On Fri, Oct 29, 2010 at 8:38 AM, James Thornton <james.f.thornton () gmail com> wrote:

All -

On my quad core system, I would like to load-balance traffic from a single Ethernet device across two or four Snort processes. Has anyone on the list accomplished this in the past? Aside from the PF_RING library, I've had no success on Internet searches for load balancing software modules that provide this capability. Any guidance from the group would be appreciated.

Thank You,
Jim T

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
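The three launch commands in the message above, generalized to N instances, as an added example that is not part of the thread or of Snort or PF_RING. It uses only the flags shown in the post and refuses a `bindcpu` value the host does not have. Assumptions: `bindcpu` is a zero-based CPU index, the per-instance directory name `snortN` and the `RUN`, `SNORT`, `CONF`, `IFACE`, `CLUSTER_ID` and `BASE_DIR` variables are hypothetical, and each instance keeps its pid file and logs in one directory.

```shell
#!/bin/sh
# Added example: plan N Snort processes that join one PF_RING cluster.
# Dry run by default (prints the commands); RUN=1 starts the daemons.
SNORT=${SNORT:-/opt/PF_RING/bin/snort}   # install prefix used in the post
CONF=${CONF:-etc/snort.conf}
IFACE=${IFACE:-eth1}
CLUSTER_ID=${CLUSTER_ID:-44}             # same id for every instance = one cluster
BASE_DIR=${BASE_DIR:-.}                  # assumption: parent of the snortN dirs

# Online CPU count; falls back to 1 when getconf cannot report it.
online_cpus() { getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1; }

# Print the command line for the instance pinned to CPU $1.
snort_cmd() {
    printf '%s -c %s --pid-path=%s -D --daq pfring -i %s --daq-var clusterid=%s --daq-var bindcpu=%s -l %s\n' \
        "$SNORT" "$CONF" "$BASE_DIR/snort$1" "$IFACE" "$CLUSTER_ID" "$1" "$BASE_DIR/snort$1"
}

# plan_instances COUNT [FIRST_CPU [CPU_TOTAL]]: one command per instance.
# FIRST_CPU defaults to 1 as in the post; CPU_TOTAL defaults to the detected count.
plan_instances() {
    pi_count=$1; pi_first=${2:-1}; pi_cpus=${3:-$(online_cpus)}
    case "$pi_count" in
        ''|*[!0-9]*|0) echo "count must be a positive integer" >&2; return 2 ;;
    esac
    pi_last=$((pi_first + pi_count - 1))
    if [ "$pi_last" -ge "$pi_cpus" ]; then
        echo "bindcpu=$pi_last does not exist on a $pi_cpus-CPU host" >&2
        return 1
    fi
    pi_n=$pi_first
    while [ "$pi_n" -le "$pi_last" ]; do snort_cmd "$pi_n"; pi_n=$((pi_n + 1)); done
}

# Print the plan, or with RUN=1 create each directory and start each instance.
launch() {
    plan=$(plan_instances "$@") || return $?
    [ "${RUN:-0}" = 1 ] || { printf '%s\n' "$plan"; return 0; }
    printf '%s\n' "$plan" | while IFS= read -r line; do
        # Unquoted $line is word-split into argv: paths must not contain spaces.
        mkdir -p "${line##* -l }" && $line
    done
}

if [ $# -gt 0 ]; then launch "$@"; fi
```

Run as `sh script.sh 3` to print the plan for three instances on CPUs 1 to 3; every line carries the same `clusterid`, which is what places the processes in one cluster.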
Current thread:
- Multiple Snort Instances - One Interface James Thornton (Oct 29)
- Re: Multiple Snort Instances - One Interface Will Metcalf (Oct 29)
- Re: Multiple Snort Instances - One Interface James Thornton (Oct 29)
- Re: Multiple Snort Instances - One Interface Will Metcalf (Oct 29)
- Re: Multiple Snort Instances - One Interface Jim Hranicky (Nov 01)
- Re: Multiple Snort Instances - One Interface Jim Hranicky (Nov 01)
- Re: Multiple Snort Instances - One Interface Will Metcalf (Nov 01)
- Re: Multiple Snort Instances - One Interface James Thornton (Oct 29)
- Re: Multiple Snort Instances - One Interface Will Metcalf (Oct 29)