4. Using Snort with PF_RING ZC

4.1. Prerequisites

Make sure you have installed:

4.2. Compilation

git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel
make && sudo make install

cd PF_RING/userland/lib
./configure && make && sudo make install

cd PF_RING/userland/snort/pfring-daq-module-zc
autoreconf -ivf
./configure && make

4.3. Installation

Install the library with:

sudo cp .libs/daq_pfring_zc.so /usr/local/lib/daq/

or alternatively with:

sudo make install

or, if you want to run snort without installing it, use --daq-dir=./.libs

4.4. Running snort in IDS mode

snort --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth0 --daq-var clusterid=99 -v -e

It is possible to specify multiple interfaces by using a comma-separated list.

4.5. Running snort in IPS mode

snort --daq-dir=/usr/local/lib/daq --daq pfring_zc -i zc:eth0+zc:eth1 --daq-var clusterid=99 -e -Q

It is possible to specify multiple interface pairs by using a comma-separated list.

4.6. PF_RING ZC DAQ Specific Options

  1. Cluster ID

Each snort instance creates an internal ZC cluster, and each cluster needs a unique Cluster ID that can be specified with:

--daq-var clusterid=<cluster id>

  2. Bind an instance to a core

Proper core isolation keeps snort instances from stepping on each other's toes. In order to bind an instance to a specific core do:

--daq-var bindcpu=<core id>

  3. IDS forwarding

If you want to forward incoming packets while snort is running in IDS mode, you can specify the ids bridge mode with:

--daq-var idsbridge=1

If you prefer higher forwarding speed instead of analysing every single packet, you can specify a "best-effort" IDS bridge mode with:

--daq-var idsbridge=2

4.7. Napatech Streams and IPS/IDS-Bridge

Napatech streams are not network interfaces, so in IPS or IDS bridge mode you also need to specify the corresponding port for packet transmission (syntax: <rx port>-<tx port>).

snort --daq-dir=/usr/local/lib/daq --daq pfring_zc -i nt:streamX-nt:Z+nt:streamY-nt:W -e -Q

Where Z is the port bound to stream X and W is the port bound to stream Y.

4.8. Example of Symmetric RSS + Core Binding

IDS mode:

snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth2+zc:eth3 --daq-var clusterid=0 --daq-var idsbridge=1 --daq-var bindcpu=1

IPS mode:

snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode inline -i zc:eth2+zc:eth3 --daq-var clusterid=0 --daq-var bindcpu=1

IDS with Multiqueue and Symmetric RSS:

snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth2@0+zc:eth3@0 --daq-var clusterid=0 --daq-var idsbridge=1 --daq-var bindcpu=0
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-2 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth2@1+zc:eth3@1 --daq-var clusterid=1 --daq-var idsbridge=1 --daq-var bindcpu=1
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-3 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth2@2+zc:eth3@2 --daq-var clusterid=2 --daq-var idsbridge=1 --daq-var bindcpu=2
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-4 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth2@3+zc:eth3@3 --daq-var clusterid=3 --daq-var idsbridge=1 --daq-var bindcpu=3

IPS with Multiqueue and Symmetric RSS:

snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode inline -i zc:eth2@0+zc:eth3@0 --daq-var clusterid=0 --daq-var bindcpu=0
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-2 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode inline -i zc:eth2@1+zc:eth3@1 --daq-var clusterid=1 --daq-var bindcpu=1
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-3 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode inline -i zc:eth2@2+zc:eth3@2 --daq-var clusterid=2 --daq-var bindcpu=2
snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-4 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode inline -i zc:eth2@3+zc:eth3@3 --daq-var clusterid=3 --daq-var bindcpu=3
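The per-queue command lines above differ only in queue index, cluster ID (4.6), bound core (4.6) and instance number. The following script is an added example, not part of the PF_RING documentation: it generates those lines for any number of RSS queues and refuses to pin more queues than there are cores, since two instances sharing a core defeats the isolation the bindcpu option is meant to give. Paths are the ones used in the examples above; `nproc` in the usage comment is assumed to be available.

```shell
#!/bin/sh
# Added example: generate the section 4.8 Snort command lines for N RSS queues.
# Queue N is read from zc:RX@N+zc:TX@N, uses clusterid N, is pinned to core N
# and logs to instance-(N+1), which is exactly the mapping of section 4.8.

# snort_cmd MODE RX_IFACE TX_IFACE QUEUE
#   MODE is "passive" (IDS, forwarding via idsbridge=1) or "inline" (IPS).
snort_cmd() {
    mode=$1; rx=$2; tx=$3; q=$4
    inst=$((q + 1))
    cmd="snort -q --pid-path /var/run --create-pidfile -D"
    cmd="$cmd -c /etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-$inst"
    cmd="$cmd --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode $mode"
    cmd="$cmd -i zc:$rx@$q+zc:$tx@$q --daq-var clusterid=$q"
    # IDS bridge forwarding is a DAQ option only in passive mode;
    # inline (IPS) mode forwards on its own.
    [ "$mode" = "passive" ] && cmd="$cmd --daq-var idsbridge=1"
    cmd="$cmd --daq-var bindcpu=$q"
    printf '%s\n' "$cmd"
}

# gen_instances MODE RX_IFACE TX_IFACE NQUEUES NCORES
#   Prints one command per RSS queue; fails instead of binding two
#   instances to the same core.
gen_instances() {
    mode=$1; rx=$2; tx=$3; nq=$4; ncores=$5
    if [ "$nq" -gt "$ncores" ]; then
        echo "error: $nq queues but only $ncores cores to bind" >&2
        return 1
    fi
    q=0
    while [ "$q" -lt "$nq" ]; do
        snort_cmd "$mode" "$rx" "$tx" "$q"
        q=$((q + 1))
    done
}

# Usage (review the output before running it):
#   gen_instances passive eth2 eth3 4 "$(nproc)"
```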

4.9. PF_RING FT Acceleration

In order to take advantage of the PF_RING FT L7 filtering/shunting, you also need nDPI. Since PF_RING 7.3, nDPI is installed as a dependency of PF_RING when installing from packages. If you are compiling from source code, or using an older version of PF_RING, you need to manually install the nDPI library from https://github.com/ntop/nDPI following the steps below:

git clone https://github.com/ntop/nDPI.git
cd nDPI
make && sudo make install

Then you need to create a configuration file with the filtering rules:

# cat /etc/pf_ring/ft-rules.conf
YouTube = discard
Netflix = discard

At this point you are ready to run Snort, setting the path of the configuration file using the PF_RING_FT_CONF environment variable:

sudo PF_RING_FT_CONF=/etc/pf_ring/ft-rules.conf snort --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:ethX --daq-var clusterid=Z -v -e

For further information about PF_RING FT please read http://www.ntop.org/guides/pf_ring/ft.html