Snort mailing list archives

Re: pf_ring and snort


From: Richard Monk <rmonk () redhat com>
Date: Tue, 20 Oct 2015 10:24:17 -0400

On 10/19/2015 10:27 AM, James wrote:
> I'm attempting to make a set of instructions in advance of getting the actual
> server to unleash it upon. The server will be RHEL 6.5 with a 10gb intel nic,
> which I'd like to put snort in IDS mode on. I think I'm correct that pf_ring is
> a "good thing", so I'd like to use that. I've spent days trawling the web but
> have found lots of conflicting guides which have confused as much as helped me.
> Could I ask someone to scan these steps and tell me if I've missed something
> vital, done it in the wrong order or otherwise done something stupid please?
> Your help is much appreciated.

This is something we are doing on our sensornet, but by checking my email
domain, you can probably tell we like things in RPMs :)

I've attached the .spec file I use to build pf_ring, it might save you a couple
steps and make it easier to replicate builds.  This uses dkms to make sure the
kernel drivers are rebuilt if the kernel updates.

I'm using slightly modded specs from snort's download section (theirs do not
build in a mock environment due to bad deps in the spec) but I also have specs
for the daq, snort, etc if you want those as well.  I won't post them as they're
not nearly as big a change as the pfring stuff above.

-- 
Richard Monk (rmonk () redhat com) - Security Analyst
Red Hat, Raleigh NC
GPG Key ID: 0x942CDB25

Attachment: pfring.spec
Description:

Attachment: signature.asc
Description: OpenPGP digital signature
