Accelerating Snort with PF_RING DNA


For some time now, PF_RING has included a DAQ (Data AcQuisition library) module for the popular Snort IDS/IPS. Compared with Linux AF_PACKET, using PF_RING significantly accelerates all snort operations. We have recently created a new DAQ module that adds native PF_RING DNA support, which is a further 20 to 50% faster than the vanilla PF_RING DAQ module. Besides the greater speed, DNA support has the advantage of exploiting symmetric RSS, so that you can run one snort instance per RX queue and be sure that each instance will process a coherent set of packets (both directions of a flow land on the same queue), a property that does not hold with standard RSS. This is the key to scalability on multi-core systems.

Conceptually, the DNA DAQ module is similar to the PF_RING DAQ module in terms of command line options, so users familiar with the latter can use the new module immediately. In order to use DNA DAQ you need a DNA-aware adapter.

You can get PF_RING DNA DAQ on the ntop shop site for a small fee that allows us to maintain and develop the code. Universities and research institutions can contact us to get it at no cost.

Usage Examples

  • Running snort in IDS mode
    # snort --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive -i dnaX -v -e

    Note that it is possible to specify multiple interfaces by using a comma-separated list.

  • Running snort in IPS mode
    # snort --daq-dir=/usr/local/lib/daq --daq pfring_dna -i dnaX:dnaY -e -Q

    Note that it is possible to specify multiple interface pairs by using a comma-separated list.


Example of Symmetric RSS + Core Binding

  • IDS
    snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/dna2_dna3/instance-1 \
      --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive -i dna2:dna3 --daq-var idsbridge=1 --daq-var bindcpu=1
  • IPS
    snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/dna2_dna3/instance-1 \
      --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode inline -i dna2:dna3 --daq-var bindcpu=1
  • IDS with Multiqueue and Symmetric RSS
    snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/dna2_dna3/instance-1 \
      --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive -i dna2@0:dna3@0 --daq-var idsbridge=1 --daq-var bindcpu=0
    snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/dna2_dna3/instance-2 \
      --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive -i dna2@1:dna3@1 --daq-var idsbridge=1 --daq-var bindcpu=1
    snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/dna2_dna3/instance-3 \
      --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive -i dna2@2:dna3@2 --daq-var idsbridge=1 --daq-var bindcpu=2
    snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/dna2_dna3/instance-4 \
      --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive -i dna2@3:dna3@3 --daq-var idsbridge=1 --daq-var bindcpu=3
  • IPS with Multiqueue and Symmetric RSS
    snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/dna2_dna3/instance-1 \
      --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode inline -i dna2@0:dna3@0 --daq-var bindcpu=0
    snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/dna2_dna3/instance-2 \
      --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode inline -i dna2@1:dna3@1 --daq-var bindcpu=1
    snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/dna2_dna3/instance-3 \
      --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode inline -i dna2@2:dna3@2 --daq-var bindcpu=2
    snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/dna2_dna3/instance-4 \
      --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode inline -i dna2@3:dna3@3 --daq-var bindcpu=3
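The multiqueue examples above follow one pattern: instance N reads queue N of both adapters and is pinned to core N. The POSIX shell function below, an added example that is not part of the original post, generates that set of command lines for any number of RX queues (passive mode gets the idsbridge option, inline mode does not). The paths, interface names and starting core are assumptions taken from the examples; adjust them to your installation.

```shell
#!/bin/sh
# Added example (not from the original post): print one snort command line per RX queue,
# mirroring the "Multiqueue and Symmetric RSS" examples. Paths are assumptions.
# Usage: snort_per_queue <passive|inline> <ifA> <ifB> <num_queues> [first_core]
snort_per_queue() {
    mode=$1; ifa=$2; ifb=$3; nq=$4; core0=${5:-0}
    q=0
    while [ "$q" -lt "$nq" ]; do
        n=$((q + 1))          # instance number (1-based, used in the log path)
        core=$((core0 + q))   # one dedicated core per queue/instance
        # In passive (IDS) mode, enable the IDS bridge so packets are still forwarded.
        if [ "$mode" = "passive" ]; then
            bridge="--daq-var idsbridge=1"
        else
            bridge=""
        fi
        echo "snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf" \
             "-l /var/log/snort/${ifa}_${ifb}/instance-$n" \
             "--daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode $mode" \
             "-i ${ifa}@$q:${ifb}@$q ${bridge:+$bridge }--daq-var bindcpu=$core"
        q=$((q + 1))
    done
}

# Dry run for a 4-queue IDS deployment on dna2/dna3; pipe the output to sh to launch it.
snort_per_queue passive dna2 dna3 4
```

Each instance needs its own -l directory to exist before launch, so create them (mkdir -p) before piping the generated lines to sh.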


PF_RING DAQ Specific Options

  • Binding each instance to its own core ensures that snort instances do not step on each other's toes. In order to bind an instance to a specific core use:
     --daq-var bindcpu=<core id>

  • IDS forwarding: if you want to forward incoming packets while snort is running in IDS mode, you can enable the IDS bridge mode with:
     --daq-var idsbridge=1