Snort mailing list archives
Re: Myricom cards and multiple instances of Snort - how-to?
From: Y M <snort () outlook com>
Date: Sat, 5 Sep 2015 16:56:37 +0000
Comments inline.
Date: Thu, 3 Sep 2015 12:01:06 -0400
From: gl89 () cornell edu
To: snort-users () lists sourceforge net
Subject: [Snort-users] Myricom cards and multiple instances of Snort - how-to?

Folks,

We have a set of listener hosts with Myricom cards and their Sniffer-10G driver.
Not familiar with Myricom cards :)
In order to handle the quantity of traffic coming through, I need to compile/configure/fold/spindle Snort into running multiple instances in parallel per machine, and I'm not really getting how to do it. I've compiled Snort 2.9.7.0 thus:
Multiple Snort instances need to be run at the same time, most probably within the startup script, looping through based on the number of instances required. Make sure you have dedicated directories for each instance. If you have 3 instances of Snort, then you need to have something like:

Snort-1 --> Alerts --> /var/log/snort/snort-1
Snort-2 --> Alerts --> /var/log/snort/snort-2
Snort-3 --> Alerts --> /var/log/snort/snort-3

The same goes for Snort's own logs:

Snort-1 --> /var/snort/snort-1
Snort-2 --> /var/snort/snort-2
Snort-3 --> /var/snort/snort-3

Also, if you are using Barnyard2 to output to a database, make sure each instance has a unique sensor name in Barnyard2's configuration file.
    ./configure \
        --with-libpcap-includes=/opt/snf \
        --with-libpcap-libraries=/opt/snf \
        --with-daq-includes=/usr/local/include \
        --with-daq-libraries=/usr/local/lib
    make
    make install

but I suspect that I need to include PF_RING somehow, and can't figure out the interplay between Snort, PF_RING, and the Sniffer-10G driver.
What binaries were generated from compiling the Sniffer-10G driver? Network driver, libpcap, DAQ module? In PF_RING, the previous 3 binaries get generated and used with Snort. At least in 2013, someone mentioned that Myricom do not have native DAQ, see http://seclists.org/snort/2013/q3/316 (I suggest you go through the whole conversation, good info there). Do Myricom have native DAQ now? One thing you can try - if Myricom do not have their own DAQ - is to use PF_RING's DAQ module. Once compiled, the binaries will reside in /usr/local/lib/daq. It is unclear to me if Myricom's libpcap will play nicely with PF_RING's DAQ. Then you can pass the DAQ type and variables to the Snort command in your startup script or in the configuration file.
Would anyone out there with a similar deployment have any insights they could share?

Thanks,
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
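The startup-script loop that the reply describes (one Snort instance per iteration, each with its own alert directory, the DAQ type and variables passed on the command line), written out as an added example; this is not a script from the thread or from the Snort project. The binary and configuration paths, the capture interface, the use of PF_RING's pfring DAQ with a shared cluster id, and the instance count are all assumptions for illustration; substitute whatever your Sniffer-10G or PF_RING build actually provides.

```shell
#!/bin/sh
# Added example: start N parallel Snort instances, each writing to its own
# alert directory, as recommended in the reply above. Not from the thread.
# Every path and value below is an assumed default; override via environment.

SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"   # assumed install location
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}" # assumed config path
IFACE="${IFACE:-eth2}"                            # assumed capture interface
ALERT_BASE="${ALERT_BASE:-/var/log/snort}"        # per-instance dirs live under here
DAQ_DIR="${DAQ_DIR:-/usr/local/lib/daq}"          # where a compiled DAQ module lands
DAQ_TYPE="${DAQ_TYPE:-pfring}"                    # assumed: PF_RING's DAQ module
CLUSTER_ID="${CLUSTER_ID:-10}"                    # assumed PF_RING cluster id shared by all instances
DRY_RUN="${DRY_RUN:-1}"                           # 1 = only print the commands, 0 = start snort

# Dedicated alert/log directory for instance $1, e.g. /var/log/snort/snort-2.
# Keeping these separate is what stops the instances from clobbering each other's files.
alert_dir() {
    printf '%s/snort-%s\n' "$ALERT_BASE" "$1"
}

# Compose (but do not run) the command line for instance $1.
# -l points at the instance's own directory; --daq-dir/--daq/--daq-var hand
# the DAQ type and its variables to Snort, as the reply suggests.
snort_cmd() {
    printf '%s -c %s -i %s -l %s --daq-dir %s --daq %s --daq-var clusterid=%s -D\n' \
        "$SNORT_BIN" "$SNORT_CONF" "$IFACE" "$(alert_dir "$1")" \
        "$DAQ_DIR" "$DAQ_TYPE" "$CLUSTER_ID"
}

# Create the per-instance directories and start (or, in dry-run mode, print) N instances.
start_instances() {
    n="$1"
    i=1
    while [ "$i" -le "$n" ]; do
        mkdir -p "$(alert_dir "$i")"
        if [ "$DRY_RUN" = 1 ]; then
            snort_cmd "$i"
        else
            eval "$(snort_cmd "$i")"   # the composed command contains no user-controlled input
        fi
        i=$((i + 1))
    done
}

# Usage: sh start-snort.sh 3      (prints three commands; set DRY_RUN=0 to launch)
[ $# -eq 0 ] || start_instances "$1"
```

If Barnyard2 feeds a database, give each instance its own barnyard2 configuration (and hence its own sensor name) pointing at the matching snort-N directory, otherwise the alerts from all instances are attributed to a single sensor.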
Current thread:
- Myricom cards and multiple instances of Snort - how-to? Glenn Forbes Fleming Larratt (Sep 03)
- Re: Myricom cards and multiple instances of Snort - how-to? Y M (Sep 05)
- Re: RESOLVED: Myricom cards and multiple instances of Snort - how-to? Glenn Forbes Fleming Larratt (Sep 22)
- Re: Myricom cards and multiple instances of Snort - how-to? Y M (Sep 05)