Using PF_RING with Snort and Suricata for IDS/IPS Acceleration


Some users are using PF_RING acceleration to improve popular IDS/IPS applications such as Snort and Suricata. Suricata has leveraged PF_RING since day one thanks to Will Metcalf, whereas I have added support in Snort (again together with Will) through the DAQ library that is part of the 2.9 release.

Acceleration does not mean just improved packet capture, but also the ability to fully exploit multicore architectures by spreading packets across multiple application instances on a per-flow basis. This is a unique feature that can't be found in pcap-based libraries.

This is an excerpt from the snort-users mailing list that describes how to load-balance traffic across multiple Snort instances using the DAQ/PF_RING module.

Re: [Snort-users] Multiple Snort Instances – One Interface
From: Will Metcalf <william.metcalf@gm…> – 2010-10-29 18:40

Ahhh James Thornton, you found the marble in the oatmeal, you're a lucky lucky lucky little boy, because you wanna know why? You get to drink from the IDS FIREHOSE!!!

Butchering quotes from Weird Al Yankovic's masterpiece UHF aside, this is now possible with the version of PF_RING in SVN. It should be noted that the code is probably still of beta quality. Luca Deri did a lot of awesome work developing a PF_RING aware DAQ module. I helped a bit by adding support for load balancing based on flow via PF_RING clusters and setting per process affinity. It is incomplete at the moment, i.e. last time I checked it didn't have support for filtering packets. Additionally, code should probably be added to allow a list of processes to be added to the cpu set. If you want to check it out you can follow the instructions here on building PF_RING as a dkms module.

http://www.openinfosecfoundation.org/doc/INSTALL.PF_RING.txt

Additionally you will have to build the PF_RING aware daq by going into the daq-0.2 dir and doing the following:

./configure --with-libpfring-libraries=/opt/PF_RING/lib \
  --with-libpfring-includes=/opt/PF_RING/include \
  --with-libpcap-libraries=/opt/PF_RING/lib \
  --with-libpcap-includes=/opt/PF_RING/include \
  LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" \
  --prefix=/opt/PF_RING && make && sudo make install

Then download snort 2.9.0 and build with the following params:

PATH="/opt/PF_RING/bin:$PATH" ./configure --enable-perfprofiling \
  --with-libpfring-libraries=/opt/PF_RING/lib \
  --with-libpfring-includes=/opt/PF_RING/include \
  --with-libpcap-libraries=/opt/PF_RING/lib \
  --with-libpcap-includes=/opt/PF_RING/include \
  LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" \
  --prefix=/opt/PF_RING && make && make install

/opt/PF_RING/bin/snort -c etc/snort.conf --pid-path=./log2 -D --daq pfring -i eth1 --daq-var clusterid=44 --daq-var bindcpu=1 -l ./log1
/opt/PF_RING/bin/snort -c etc/snort.conf --pid-path=./log3 -D --daq pfring -i eth1 --daq-var clusterid=44 --daq-var bindcpu=2 -l ./log2
/opt/PF_RING/bin/snort -c etc/snort.conf --pid-path=./log4 -D --daq pfring -i eth1 --daq-var clusterid=44 --daq-var bindcpu=3 -l ./log3
You will then have traffic load balanced across multiple snort processes based on flow. Enjoy drinking from the ids firehose ;-)… Also, you could always check out other, err, ummm, open source IDS projects that support this functionality natively ;-)

Regards,
Will
On Fri, Oct 29, 2010 at 12:48 PM, James Thornton <james.f.thornton@gmail.com> wrote:
> I could be mistaken, but I believe you need the TNAPI driver with PF_RING to accomplish this. TNAPI driver is roughly $400. That is outside of my budget at the moment.
>
> Thanks,
>
> Jim T
>
> On Fri, Oct 29, 2010 at 1:30 PM, Will Metcalf <william.metcalf@gmail.com> wrote:
>>
>> Whats wrong with using PF_RING to do this? ;-)
>>
>> Regards,
>>
>> Will
>>
>> On Fri, Oct 29, 2010 at 8:38 AM, James Thornton <james.f.thornton@gmail.com> wrote:
>> > All –
>> >
>> > On my quad core system, I would like to load-balance traffic from a single Ethernet device across two or four Snort processes. Has anyone on the list accomplished this in the past? Aside from the PF_RING library, I've had no success on Internet searches for load balancing software modules that provide this capability. Any guidance from the group would be appreciated.
>> >
>> > Thank You,
>> >
>> > Jim T
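
The launch procedure from the post (build once, then start one Snort per core with a shared clusterid and a distinct bindcpu) as an added shell script. This is example code, not from the original post or from the PF_RING or Snort projects. It assumes the PF_RING-aware Snort at /opt/PF_RING/bin/snort, a config at /etc/snort/snort.conf and a log root under /var/log/snort (all placeholders), keeps CPU 0 free for the NIC as the post's bindcpu=1..3 layout does, and only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not code from the original post or from the PF_RING/Snort
# projects. It starts one Snort process per core, all members of the same
# PF_RING cluster on one interface, so each flow is hashed to exactly one
# instance (clusterid/bindcpu are the DAQ variables used in the post).
# Paths below are assumptions; adjust them to the local build.

SNORT=${SNORT:-/opt/PF_RING/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
LOGROOT=${LOGROOT:-/var/log/snort}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only; 0 = really start Snort

# Print the command line for instance $1 (1-based) on interface $2 in
# cluster $3. Each instance gets its own pid and log directory so alerts
# and unified2 files never collide, and is pinned to CPU $1 so that CPU 0
# stays free for the NIC interrupt handler.
snort_instance_cmd() {
    idx=$1; iface=$2; cluster=$3
    dir="$LOGROOT/instance$idx"
    printf '%s -c %s -D --pid-path=%s -l %s --daq pfring -i %s --daq-var clusterid=%s --daq-var bindcpu=%s\n' \
        "$SNORT" "$SNORT_CONF" "$dir" "$dir" "$iface" "$cluster" "$idx"
}

# CPUs visible to the kernel, or 1 when nproc is unavailable.
cpu_count() {
    nproc 2>/dev/null || echo 1
}

# Start $1 instances (default: one per CPU, leaving CPU 0 alone) on
# interface $2 (default eth1) in cluster $3 (default 44, as in the post).
launch_cluster() {
    n=${1:-$(( $(cpu_count) - 1 ))}; iface=${2:-eth1}; cluster=${3:-44}
    [ "$n" -lt 1 ] && n=1
    i=1
    while [ "$i" -le "$n" ]; do
        cmd=$(snort_instance_cmd "$i" "$iface" "$cluster")
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            mkdir -p "$LOGROOT/instance$i"
            $cmd   # unquoted on purpose: the shell splits it into arguments
        fi
        i=$((i + 1))
    done
}

# Run as a script: sh launch_cluster.sh [instances] [interface] [clusterid]
[ "${0##*/}" = "launch_cluster.sh" ] && launch_cluster "$@"
```

Every member must carry the same clusterid: with a different id per process, each one receives every packet on the interface instead of a share of it, which shows up later as near-identical Received counts in every instance's Packet I/O Totals.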

Re: [Snort-users] Multiple Snort Instances – One Interface
From: Jim Hranicky <jfh@uf…> – 2010-11-01 15:52

On Fri, 29 Oct 2010 13:40:08 -0500, Will Metcalf <william.metcalf@gmail.com> wrote:
> You will then have traffic load balanced across multiple snort processes based on flow. Enjoy drinking from the ids firehose ;-)… Also, you could always check out other, err, ummm, open source IDS projects that support this functionality natively ;-)
Damn:
— /tmp/snort1.out —
*** Caught Usr-Signal
Packet I/O Totals:
Received:      2608501
Analyzed:      2608501 (100.000%)
Dropped:            0 (  0.000%)
Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
Injected:            0
— /tmp/snort2.out —
*** Caught Usr-Signal
Packet I/O Totals:
Received:      2988261
Analyzed:      2988261 (100.000%)
Dropped:            0 (  0.000%)
Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
Injected:            0
— /tmp/snort3.out —
*** Caught Usr-Signal
Packet I/O Totals:
Received:      2417539
Analyzed:      2417539 (100.000%)
Dropped:            0 (  0.000%)
Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
Injected:            0
— /tmp/snort4.out —
*** Caught Usr-Signal
Packet I/O Totals:
Received:      2382326
Analyzed:      2382326 (100.000%)
Dropped:            0 (  0.000%)
Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
Injected:            0
— /tmp/snort5.out —
*** Caught Usr-Signal
Packet I/O Totals:
Received:      2427689
Analyzed:      2427689 (100.000%)
Dropped:            0 (  0.000%)
Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
Injected:            0
— /tmp/snort6.out —
*** Caught Usr-Signal
Packet I/O Totals:
Received:      2577258
Analyzed:      2577258 (100.000%)
Dropped:            0 (  0.000%)
Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
Injected:            0
— /tmp/snort7.out —
*** Caught Usr-Signal
Packet I/O Totals:
Received:      2406892
Analyzed:      2406892 (100.000%)
Dropped:            0 (  0.000%)
Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
Injected:            0
— /tmp/snort8.out —
*** Caught Usr-Signal
Packet I/O Totals:
Received:      2528434
Analyzed:      2528434 (100.000%)
Dropped:            0 (  0.000%)
Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
Injected:            0
That was 5 minutes ago… I'm now up to ~7M Received/Analyzed per process without a drop on any.
Wow.
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
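
To check a deployment like the one above without reading eight files by eye, here is an added shell script (not from the original post or from the Snort project) that parses each instance's Packet I/O Totals block, flags any instance that dropped packets, and reports how evenly the PF_RING cluster split the traffic. The sample files it writes are constructed to resemble the output quoted above, and the skew threshold is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post or from Snort. Snort prints a
# "Packet I/O Totals" block when it receives SIGUSR1 (the "*** Caught
# Usr-Signal" line above). Given one such file per instance, this reports
# received/dropped counts, the drop share, and how evenly the cluster spread
# flows. File names and sample numbers below are constructed.

# Print "received dropped" for the Packet I/O Totals block in file $1.
# awk's default field splitting ignores the indentation Snort uses.
io_totals() {
    awk '
        $1 == "Received:" { recv = $2 }
        $1 == "Dropped:"  { drop = $2 }
        END { printf "%d %d\n", recv + 0, drop + 0 }
    ' "$1"
}

# The busiest instance may exceed the per-instance average by at most this
# many percent before the cluster is reported as unbalanced (assumed value).
MAX_SKEW_PCT=${MAX_SKEW_PCT:-25}

# Report every instance file given as an argument. Returns 1 when any
# instance dropped packets or the spread is skewed beyond MAX_SKEW_PCT.
# Uneven spread usually means a few heavy flows, or a tunnel that hides
# many inner flows behind one outer 5-tuple, all hash to one instance.
check_cluster() {
    total=0; max=0; n=0; status=0
    for f in "$@"; do
        line=$(io_totals "$f")
        recv=${line% *}; drop=${line#* }
        share=$(awk -v r="$recv" -v d="$drop" \
            'BEGIN { printf "%.3f", (r + d) > 0 ? 100 * d / (r + d) : 0 }')
        printf '%-24s received=%-10s dropped=%-8s (%s%%)\n' "$f" "$recv" "$drop" "$share"
        [ "$drop" -gt 0 ] && status=1
        total=$((total + recv)); n=$((n + 1))
        [ "$recv" -gt "$max" ] && max=$recv
    done
    [ "$n" -eq 0 ] && return 1
    avg=$((total / n))
    skew=0
    [ "$avg" -gt 0 ] && skew=$(( (max - avg) * 100 / avg ))
    printf 'instances=%d avg_received=%d max_received=%d skew=%d%%\n' "$n" "$avg" "$max" "$skew"
    [ "$skew" -gt "$MAX_SKEW_PCT" ] && status=1
    return $status
}

# Write a constructed Packet I/O Totals block to $1 with $2 received and
# $3 dropped packets (Snort's layout, percent columns left out).
write_sample() {
    cat > "$1" <<EOF
*** Caught Usr-Signal
Packet I/O Totals:
   Received:      $2
   Analyzed:      $2
    Dropped:      $3
   Filtered:            0
Outstanding:            0
   Injected:            0
EOF
}

# Self-contained demo: three constructed instance files, two clean and one
# that dropped packets, then the check over all of them.
demo() {
    dir=$(mktemp -d) || return 1
    write_sample "$dir/snort1.out" 2608501 0
    write_sample "$dir/snort2.out" 2988261 0
    write_sample "$dir/snort3.out" 2417539 1200
    check_cluster "$dir"/snort*.out || echo "cluster check FAILED"
    rm -rf "$dir"
}
demo
```

In a live setup, send SIGUSR1 to each instance, capture each one's output into its own file as in the thread, and run check_cluster over those files; a non-zero exit is the signal worth alerting on, since a single saturated instance drops packets that the other, idle instances never see.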