Snort mailing list archives

Re: RESOLVED: Myricom cards and multiple instances of Snort - how-to?


From: Glenn Forbes Fleming Larratt <gl89 () cornell edu>
Date: Tue, 22 Sep 2015 09:21:33 -0400 (EDT)

Folks,

First off, thanks to Y M for the information he provided - it was crucial in understanding how *not* to make the Snort instances stomp on one another's logfiles.

I also owe a huge thank you to a colleague who knows the use of the Myricom card backwards and forwards; unfortunately, he must remain anonymous because of an NDA.

It turns out that:

- the Sniffer10G driver - a separate purchase from Myricom over and above their 10G listener card, but worth it at 10x the $495 list price - handles the PF_RING-equivalent functionality; you just need to know how to use it;

- as noted in my original post, that driver installs a custom libpcap, and you need to compile Snort (or whatever) with the --with-pcap-includes and --with-pcap-libraries set to point to that custom libpcap;

- at that point, it's all controlled by environment variables:

  1. Set SNF_APP_ID to an arbitrary integer so that the driver will understand "this application is a separate one, and should get a complete copy of the take from the listener interface". In my deployment, Bro uses SNF_APP_ID=1 and Snort uses SNF_APP_ID=2.

  2. Set SNF_NUM_RINGS to the number of processes across which the driver should loadshare the take being delivered. The default value is one, and it chews memory heartily to try and deliver the take from a 10G listener to a single Snort; CPU load on my 24-CPU listeners dropped dramatically once this was configured correctly:

     11-process Bro loadshare, 1 snort process - CPU load from 2.0 - 11.0
     11-process Bro loadshare, 3-process Snort - CPU load from 2.9 - 3.9
     11-process Bro loadshare, 5-process Snort - CPU load from 2.9 - 5.0

Hope this helps someone!

        -g
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
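A startup script that puts the two points above together (the SNF environment variables, and one log directory, PID path and instance ID per Snort process so the instances do not overwrite each other's files). This is an added example and not a script from the thread; the snort binary path, the config path, the "snf0" interface name, the log and PID roots and the SNF_APP_ID value of 2 are assumptions, so adjust them to your own deployment. It is written for the plain pcap DAQ that Glenn built against the SNF libpcap, so no --daq options are passed.

```shell
#!/bin/sh
# Added example (not from the original thread): start N Snort instances that
# loadshare one Sniffer10G interface.  All instances open the same interface
# with the same SNF_APP_ID and SNF_NUM_RINGS; the driver spreads the take across
# the rings.  The only per-instance differences are the log directory (-l),
# the PID path (--pid-path) and the event instance ID (-G).
#
# Assumptions (not stated on the page): binary/config paths, the interface name
# "snf0" exposed by the SNF libpcap, the log/PID roots and SNF_APP_ID=2.
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
IFACE="${IFACE:-snf0}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"
PID_ROOT="${PID_ROOT:-/var/run/snort}"
APP_ID="${APP_ID:-2}"          # Bro gets 1 and Snort 2 in the post's deployment
DRY_RUN="${DRY_RUN-1}"         # non-empty: print commands; DRY_RUN= : really run

# Print (dry run) or execute the command for instance $1 of $2.
snort_instance() {
    idx="$1"; total="$2"
    ${DRY_RUN:+echo} env SNF_APP_ID="$APP_ID" SNF_NUM_RINGS="$total" \
        "$SNORT_BIN" -D -c "$SNORT_CONF" -i "$IFACE" \
        -l "$LOG_ROOT/snort-$idx" --pid-path "$PID_ROOT/snort-$idx" -G "$idx"
}

# Create the per-instance directories and start all $1 instances.
launch_snort_instances() {
    total="$1"
    i=1
    while [ "$i" -le "$total" ]; do
        [ -n "$DRY_RUN" ] || mkdir -p "$LOG_ROOT/snort-$i" "$PID_ROOT/snort-$i"
        snort_instance "$i" "$total"
        i=$((i + 1))
    done
}

# Usage:  ./start-snort.sh 3          (prints the three commands)
#         DRY_RUN= ./start-snort.sh 3 (starts them)
if [ $# -gt 0 ]; then
    launch_snort_instances "$1"
fi
```

Because every instance is started with SNF_NUM_RINGS equal to the total, starting fewer processes than that leaves rings with no consumer, so keep the count in one place as above. If the alerts are then fed to Barnyard2, each instance also needs its own Barnyard2 configuration with a unique sensor name, as Y M notes further down the thread.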

On Sat, 5 Sep 2015, Y M wrote:

Comments inline.

> Date: Thu, 3 Sep 2015 12:01:06 -0400
> From: gl89 () cornell edu
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Myricom cards and multiple instances of Snort - how-to?
>
> Folks,
>
> We have a set of listener hosts with Myricom cards and their Sniffer-10G
> driver.
> 

Not familiar with Myricom cards :)

> In order to handle the quantity of traffic coming through, I need to
> compile/configure/fold/spindle Snort into running multiple instances in
> parallel per machine, and I'm not really getting how to do it. I've
> compiled Snort 2.9.7.0 thus:

Multiple Snort instances need to be run at the same time, most probably within the startup script looping through based on the number of instances required. Make sure you have dedicated directories for each instance. If you have 3 instances of Snort, then you need to have something like:

Snort-1 --> Alerts --> /var/log/snort/snort-1
Snort-2 --> Alerts --> /var/log/snort/snort-2
Snort-3 --> Alerts --> /var/log/snort/snort-3

The same goes for Snort's own logs:

Snort-1 --> /var/snort/snort-1
Snort-2 --> /var/snort/snort-2
Snort-3 --> /var/snort/snort-3

Also, if you are using Barnyard2 to output to a database, make sure each instance has a unique sensor name in Barnyard2's configuration file.
>
> ./configure \
> --with-libpcap-includes=/opt/snf \
> --with-libpcap-libraries=/opt/snf \
> --with-daq-includes=/usr/local/include \
> --with-daq-libraries=/usr/local/lib
> make
> make install
>
> , but I suspect that I need to include PF_RING somehow, and can't figure
> out the interplay between Snort, PF_RING, and the Sniffer-10G driver.
> 

What binaries were generated from compiling the Sniffer-10G driver? Network driver, libpcap, DAQ module? In PF_RING, the previous 3 binaries get generated and used with Snort. At least in 2013, someone mentioned that Myricom do not have a native DAQ, see http://seclists.org/snort/2013/q3/316 (I suggest you go through the whole conversation, good info there). Do Myricom have a native DAQ now?

One thing you can try - if Myricom do not have their own DAQ - is to use PF_RING's DAQ module. Once compiled, the binaries will reside in /usr/local/lib/daq. It is unclear to me if Myricom's libpcap will play nicely with PF_RING's DAQ. Then you can pass the DAQ type and variables to the Snort command in your startup script or in the configuration file.

> Would anyone out there with a similar deployment have any insights they
> could share?
>
> Thanks,
> --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
>

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
