Adventures in Multi-Snort
Tip: Most of the commands will require root. Run sudo su - to keep from having to add sudo to everything.
Install NIC Driver
| Driver | Hardware | More Info |
| e1000 | Supports Legacy Intel (PCI, PCI-X) Gigabit Network Connections. | More |
| e1000e | Supports Intel PCI Express Gigabit Network Connections except the 82575, 82576, 82580, and I350. | More |
| TNAPI | 1 Gbit: Intel 82575/76/80 (Linux driver igb 3.1.x) / 10 Gbit: Intel 82598/82599 (Linux driver ixgbe 3.3.9) | More |
To view what driver you're using, use the lshw command. Look at the configuration line for driver=.
lshw -class network
You can also install and use ethtool for more information on your adapter:
apt-get install ethtool
ethtool eth0
Download the current version of PF_RING from http://sourceforge.net/projects/ntop/files/PF_RING/
Install the driver (browse to the proper directory for the desired driver under PF_RING_aware).
tar xvfz PF_RING-5.4.1.tar.gz
cd PF_RING-5.4.1/drivers/PF_RING_aware/intel/e1000/e1000-8.0.35/src/
make clean
make
make install
Setting up PF_RING
Adjust the vmalloc kernel parameter so Snort can load PF_RING.
- Edit /etc/default/grub
- Change the following line:
  GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
- To:
  GRUB_CMDLINE_LINUX_DEFAULT="quiet splash vmalloc=256m"
- Then run:
  update-grub
This will require a reboot before you try to run Snort with pfring. You can do it now or after installing pfring aware drivers.
Install subversion, autoconf, and libtool
apt-get install subversion autoconf libtool
Download the current version of PF_RING from http://sourceforge.net/projects/ntop/files/PF_RING/
tar xvfz PF_RING-5.4.1.tar.gz
cd PF_RING-5.4.1
make clean
cd kernel
make clean
make
make install
cd ../userland/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib'
./configure
make clean
make
make install
cd ../libpcap
export LIBS='-L/usr/local/lib -lpfring -lpthread'
./configure
make clean
make
make install
make clean && make && make install-shared
ln -s /usr/local/lib/libpfring.so /usr/lib/libpfring.so
To check the status of PF_RING, run:
modinfo pf_ring && cat /proc/net/pf_ring/info
If using as a passive IDS with e1000(e) driver:
rmmod pf_ring.ko
insmod pf_ring.ko enable_tx_capture=0 transparent_mode=1 min_num_slots=16384
Setting up DAQ
Download the current version of DAQ from http://www.snort.org/snort-downloads/
tar xvfz daq-0.6.2.tar.gz
cd daq-0.6.2
chmod 755 configure
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS="-L/usr/local/lib -lpcap -lpthread"
./configure --disable-nfq-module --disable-ipq-module \
  --with-libpcap-includes=/usr/local/include \
  --with-libpcap-libraries=/usr/local/lib \
  --with-libpfring-includes=/usr/local/include/ \
  --with-libpfring-libraries=/usr/local/lib
make clean && make && make install
Build the DAQ Interface Module
Go back to the PF_RING directory and build the daq interface module.
cd PF_RING-5.4.1/userland/snort/pfring-daq-module
autoreconf -ivf
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpcap -lpfring -lpthread'
./configure
make && make install
Setting up Snort
Download the current version of Snort from http://www.snort.org/snort-downloads/
Compile and install (you can adjust the --enable options to suit your environment):
tar xvfz snort-2.9.2.3.tar.gz
cd snort-2.9.2.3
make clean
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpcap -lpfring -lpthread'
./configure --with-libpcap-includes=/usr/local/include \
  --with-libpcap-libraries=/usr/local/lib \
  --with-libpfring-includes=/usr/local/include/ \
  --with-libpfring-libraries=/usr/local/lib \
  --enable-zlib --enable-perfprofiling --enable-ipv6 \
  --enable-gre --enable-mpls --enable-normalizer \
  --enable-targetbased --enable-decoder-preprocessor-rules \
  --enable-reload
make
make install
Verify Snort can use the PF_RING DAQ module
snort --daq-dir=/usr/local/lib/daq --daq-list
You should see something similar to this:
Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
Make sure the pfring line is present.
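The three manual checks above (reading the driver off the lshw configuration line, confirming the vmalloc= boot parameter took effect after the reboot, and confirming that snort --daq-list reports the pfring module) can be scripted as a pre-flight test for the sensor. The script below is an added example, not the wiki author's or the PF_RING/Snort projects' own code; the function names are mine, and the lshw and --daq-list text embedded in it is constructed sample output rather than a capture from a real host. Each check takes its input as text, so the same functions work on live output or on saved samples.

```shell
#!/bin/sh
# Pre-flight checks for the PF_RING/Snort build described on this page.
# Example code added to the page, not the wiki author's or the projects' own.
# Every check takes its input as text, so the same functions run against
# live output (lshw, /proc/cmdline, snort --daq-list) or captured samples.

# Print the kernel driver bound to interface $1, parsed from `lshw -class network`
# output passed in $2. Prints nothing if the interface is not listed.
lshw_driver_for() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /logical name:/ { cur = $3 }
        /configuration:/ && cur == want {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^driver=/) { sub(/^driver=/, "", $i); print $i; exit }
        }'
}

# Return 0 if the kernel command line in $1 carries a vmalloc= setting,
# i.e. the GRUB change above is active on the running kernel.
cmdline_has_vmalloc() {
    case " $1 " in
        *" vmalloc="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the `snort --daq-list` output in $1 lists the pfring DAQ module.
daq_list_has_pfring() {
    printf '%s\n' "$1" | grep -q 'pfring(v[0-9][0-9]*):'
}

# Constructed sample of `lshw -class network` output (not captured from a real host).
SAMPLE_LSHW=$(cat <<'EOF'
  *-network
       description: Ethernet interface
       product: 82574L Gigabit Network Connection
       vendor: Intel Corporation
       logical name: eth0
       configuration: autonegotiation=on broadcast=yes driver=e1000e duplex=full link=yes
  *-network:1
       description: Ethernet interface
       product: 82576 Gigabit Network Connection
       vendor: Intel Corporation
       logical name: eth2
       configuration: autonegotiation=on broadcast=yes driver=igb duplex=full link=yes promiscuous=yes
EOF
)

# Constructed sample of `snort --daq-list` output, shaped like the listing above.
SAMPLE_DAQ_LIST='Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv'

# Run all checks against live data on the sensor host; return 1 on the first failure.
preflight() {
    iface=${1:-eth0}
    drv=$(lshw_driver_for "$iface" "$(lshw -class network 2>/dev/null)")
    echo "$iface driver: ${drv:-unknown}"
    cmdline_has_vmalloc "$(cat /proc/cmdline)" \
        || { echo "vmalloc= missing from kernel command line (reboot after update-grub?)"; return 1; }
    [ -r /proc/net/pf_ring/info ] \
        || { echo "pf_ring module not loaded (no /proc/net/pf_ring/info)"; return 1; }
    daq_list_has_pfring "$(snort --daq-dir=/usr/local/lib/daq --daq-list 2>&1)" \
        || { echo "pfring DAQ module not found by snort --daq-list"; return 1; }
    echo "pre-flight OK"
}

# Live checks run only when explicitly requested, so the file can also be sourced.
if [ "${PREFLIGHT_RUN:-0}" = "1" ]; then
    preflight "$@"
fi
```

Run it as `PREFLIGHT_RUN=1 sh preflight.sh eth2` on the sensor; the functions can also be sourced into another script and fed saved output.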
Run Snort
Here is an example of Snort running on 4 cores (2 per interface) in passive mode using pfring.
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth2 --pid-path /var/run/log0 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=0 -l /var/log/snort/log0 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth3 --pid-path /var/run/log1 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=1 -l /var/log/snort/log1 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth2 --pid-path /var/run/log2 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=2 -l /var/log/snort/log2 -D
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth3 --pid-path /var/run/log3 --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=16 --daq-var bindcpu=3 -l /var/log/snort/log3 -D
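Typing the four command lines above by hand does not scale past a couple of interfaces, and a numbering slip (two workers on the same core, or a pid path reused) is easy to make. The launcher below is an added example, not the wiki author's or the Snort project's code; it generates the same command lines from a worker count per interface and an interface list, numbering workers round-robin across interfaces so that `2 eth2 eth3` reproduces exactly the four commands shown. The binary, config, DAQ directory and cluster id are the values used on the page; the function names and the MULTI_SNORT_START switch are my own.

```shell
#!/bin/sh
# Launcher for the multi-instance Snort layout shown above: N workers per
# interface, each pinned to its own core and joined to one PF_RING cluster.
# Example code added to the page, not the wiki author's or the Snort project's.
# Paths and the cluster id are the values used on the page; adjust to suit.

SNORT_BIN=/usr/local/bin/snort
SNORT_CONF=/etc/snort/snort.conf
DAQ_DIR=/usr/local/lib/daq
CLUSTER_ID=16

# Print the command line for one worker: $1 interface, $2 worker number
# (selects the pid path and log directory), $3 core to bind via bindcpu.
snort_cmd() {
    printf '%s -c %s -i %s --pid-path /var/run/log%s --daq-dir=%s --daq pfring --daq-mode passive --daq-var clusterid=%s --daq-var bindcpu=%s -l /var/log/snort/log%s -D\n' \
        "$SNORT_BIN" "$SNORT_CONF" "$1" "$2" "$DAQ_DIR" "$CLUSTER_ID" "$3" "$2"
}

# Print one "interface worker core" line per worker for $1 workers per interface
# on the interfaces that follow. Workers are numbered round-robin across
# interfaces and worker i is bound to core i, so the total must not exceed
# the core count (nproc); e.g. `2 eth2 eth3` gives eth2/0, eth3/1, eth2/2, eth3/3.
multi_snort_workers() {
    per_iface=$1; shift
    i=0; round=0
    while [ "$round" -lt "$per_iface" ]; do
        for iface in "$@"; do
            echo "$iface $i $i"
            i=$((i + 1))
        done
        round=$((round + 1))
    done
}

# Dry run: print the full Snort command line for every worker.
multi_snort_plan() {
    multi_snort_workers "$@" | while read -r iface n cpu; do
        snort_cmd "$iface" "$n" "$cpu"
    done
}

# Create each worker's pid and log directories, then start it with -D (daemonize).
multi_snort_launch() {
    multi_snort_workers "$@" | while read -r iface n cpu; do
        mkdir -p "/var/run/log$n" "/var/log/snort/log$n"
        cmd=$(snort_cmd "$iface" "$n" "$cpu")
        echo "starting worker $n on $iface (core $cpu)"
        sh -c "$cmd"
    done
}

# Print the plan by default; set MULTI_SNORT_START=1 to actually start the workers.
if [ "${MULTI_SNORT_START:-0}" = "1" ]; then
    multi_snort_launch 2 eth2 eth3
else
    multi_snort_plan 2 eth2 eth3
fi
```

All workers share clusterid=16, which is what makes PF_RING spread the traffic across them instead of delivering every packet to every instance; check the plan output before setting MULTI_SNORT_START=1.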
Setting up Etherchannel on Cisco
This is a basic example of setting up a Layer 2 Etherchannel port on a Cisco device.
On the chassis, after logging in and entering enable mode:
configure terminal
interface gigabitethernet1/1
no ip address
channel-group 19 mode on
exit
interface gigabitethernet1/2
no ip address
channel-group 19 mode on
exit
... etc. ...
interface Port-channel19
no shutdown
exit
end
Here is how to set it as a SPAN session destination:
monitor session 1 source tengigabitethernet2/1 both
monitor session 1 destination interface port-channel 19
– Main.FredPettis - 2012-03-17