Snort mailing list archives

pf_ring and snort


From: James <snort () cyclohexane net>
Date: Mon, 19 Oct 2015 15:27:58 +0100

Hi all,

I'm attempting to make a set of instructions in advance of getting the
actual server to unleash it upon. The server will be RHEL 6.5 with a 10Gb
Intel NIC, which I'd like to put snort in IDS mode on. I think I'm correct
that pf_ring is a "good thing", so I'd like to use that. I've spent days
trawling the web but have found lots of conflicting guides which have
confused as much as helped me. Could I ask someone to scan these steps and
tell me if I've missed something vital, done it in the wrong order or
otherwise done something stupid please? Your help is much appreciated.

The short version:
- Use yum to obtain a variety of things the subsequent steps depend on
- Use git to obtain pf_ring and install it
- Install the pf_ring ZC 10gb intel driver
- Get and install libdnet from source
- Get and install the snort daq from source
- Get and install snort from source
- Install the pf_ring daq module
- Start snort with some relevant pf_ring zc parameters
- If that works, next steps configuring snort and barnyard

The long version:

sudo yum -y install wget git kernel-devel libtool subversion automake make \
    autoconf pcre-devel libpcap-devel libpcap flex bison byacc gcc gcc-c++ \
    zlib-devel numactl numactl-devel
sudo yum install "kernel-devel-uname-r == $(uname -r)"

git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel
make
sudo make install
sudo insmod ./pf_ring.ko
cd ../userland
make
cd ../drivers/PF_RING_aware/intel/ixgbe/ixgbe-4.1.2-zc/src
make
sudo ./load_driver.sh

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar zxvf libdnet-1.12.tgz
cd libdnet-1.12
./configure; make; sudo make install

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
./configure; make; sudo make install

wget https://www.snort.org/downloads/snort/snort-2.9.7.6.tar.gz
tar xvfz snort-2.9.7.6.tar.gz
cd snort-2.9.7.6
./configure --enable-sourcefire --enable-reload; make; sudo make install

cd PF_RING/userland/snort/pfring-daq-module-zc
autoreconf -ivf
./configure
make
sudo make install

snort --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive \
    -i zc:eth1 --daq-var clusterid=1 -v -e
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
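The sanity checks a practitioner would run once the steps above have been carried out, as an added example that is not part of James's post and is not code from the Snort or PF_RING projects. It assumes DAQ modules are installed to /usr/local/lib/daq as daq_<name>.so (so the ZC module is daq_pfring_zc.so), that the loaded pf_ring module exposes /proc/net/pf_ring/info and /proc/net/pf_ring/dev/<nic>/info with a "Polling Mode" line reading ZC/NAPI for ZC drivers, and that `snort --daq-list` prints one "name(vN): modes" line per module; the sample files and `--daq-list` output used to exercise the functions are constructed.

```shell
#!/usr/bin/env bash
# Post-install sanity checks for the Snort + PF_RING ZC build above.
# Added example; not code from the original post, Snort or PF_RING.
# Assumptions (adjust if your build differs):
#   - DAQ modules land in /usr/local/lib/daq as daq_<name>.so
#   - pf_ring exposes /proc/net/pf_ring/info ("PF_RING Version : ...") and
#     /proc/net/pf_ring/dev/<nic>/info ("Polling Mode : ZC/NAPI" for ZC drivers)
#   - `snort --daq-list` prints one "name(vN): modes..." line per module
set -u

DAQ_DIR="${DAQ_DIR:-/usr/local/lib/daq}"
PF_RING_PROC="${PF_RING_PROC:-/proc/net/pf_ring}"

# Print the loaded pf_ring version, or fail if the module is not loaded.
pf_ring_version() {
    local info="${1:-$PF_RING_PROC/info}" v
    [ -r "$info" ] || return 1
    v=$(sed -n 's/^PF_RING Version[[:space:]]*:[[:space:]]*//p' "$info")
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Succeed if the NIC is driven by a ZC-aware driver; zc:<nic> is useless
# while the stock ixgbe driver is still bound to the card.
nic_is_zc() {
    local nic="$1" proc_root="${2:-$PF_RING_PROC}"
    grep -Eq '^Polling Mode[[:space:]]*:[[:space:]]*ZC' "$proc_root/dev/$nic/info" 2>/dev/null
}

# Succeed if the DAQ shared object for <name> was installed into the DAQ dir.
daq_module_installed() {
    local name="$1" dir="${2:-$DAQ_DIR}"
    [ -f "$dir/daq_${name}.so" ]
}

# Read `snort --daq-list` output on stdin; succeed if <name> is listed and
# advertises <mode> (e.g. "live" for passive/IDS use).
daq_list_supports() {
    local name="$1" mode="$2"
    grep -E "^${name}\(v[0-9]+\):" | grep -qw -- "$mode"
}

# Build the Snort invocation from the post, refusing inputs the pfring_zc DAQ
# will not accept: the interface must carry the zc: prefix and clusterid must
# be an integer.
snort_zc_cmd() {
    local iface="$1" cluster="$2"
    case "$iface" in
        zc:*) ;;
        *) echo "interface must be zc:<nic> for the pfring_zc DAQ" >&2; return 1 ;;
    esac
    case "$cluster" in
        ''|*[!0-9]*) echo "clusterid must be an integer" >&2; return 1 ;;
    esac
    printf 'snort --daq-dir=%s --daq pfring_zc --daq-mode passive -i %s --daq-var clusterid=%s -v -e\n' \
        "$DAQ_DIR" "$iface" "$cluster"
}

# Run every check against the live system; return non-zero if any failed.
run_checks() {
    local nic="${1:-eth1}" rc=0 v
    if v=$(pf_ring_version); then echo "ok    pf_ring loaded: $v"
    else echo "FAIL  pf_ring not loaded (no $PF_RING_PROC/info)"; rc=1; fi
    if nic_is_zc "$nic"; then echo "ok    $nic is in ZC polling mode"
    else echo "FAIL  $nic is not under a ZC driver (run load_driver.sh?)"; rc=1; fi
    if daq_module_installed pfring_zc; then echo "ok    $DAQ_DIR/daq_pfring_zc.so present"
    else echo "FAIL  daq_pfring_zc.so missing from $DAQ_DIR"; rc=1; fi
    if command -v snort >/dev/null 2>&1 &&
       snort --daq-dir="$DAQ_DIR" --daq-list 2>/dev/null | daq_list_supports pfring_zc live; then
        echo "ok    snort --daq-list shows pfring_zc (live)"
    else echo "FAIL  snort does not list pfring_zc with live mode"; rc=1; fi
    [ "$rc" -eq 0 ] && echo "next: $(snort_zc_cmd "zc:$nic" 1)"
    return "$rc"
}

# Usage: ./check_snort_zc.sh check [nic]   (nothing runs when the file is sourced)
if [ "${1:-}" = "check" ]; then
    run_checks "${2:-eth1}"
fi
```

Run it as `./check_snort_zc.sh check eth1` after the `load_driver.sh` and `make install` steps; a FAIL on the ZC polling-mode line with pf_ring loaded usually means the stock ixgbe driver is still bound to the NIC, and a FAIL on the `--daq-list` line with the .so present means Snort is looking in a different `--daq-dir` than the one the module was installed to.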