Inline Snort multiprocessing with PF_RING

Tested on CentOS 6

We have modified PF_RING to work with inline Snort (while still supporting the current passive multiprocessing functionality). PF_RING load balances the traffic to analyze by hashing the IP headers in multiple buckets. This allows it to spawn multiple instances of Snort, each processing a single bucket and achieve higher throughput through multiprocessing. In order to take full advantage of this, you need a multicore processor (like an I7 with 8 processing threads). This should also work well with dual or quad processor boards to increase parallelism even further.

The big deal is that now you can build really cheap IPS systems using standard off-the-shelf machines.
If you are interested in learning more, please contact us at support@metaflows.com

Here is the system we have ported PF_RING inline to:

Intel(R) Core(TM) i7 CPU 950 @ 3.07GHz, Dual Intel e1000e, 4 Gig RAM
PF_RING e1000e driver, transparent_mode=1
Snort 2.9.0.x using the 6765 Emerging Threats Pro Rules

etpro perf 1Gbps PF Ring Inline

Snort 2.9.0.x using the 5267 VRT Rules

vrt perf 1Gbps PF Ring Inline

As the graph illustrates, inline with 1 core can only sustain 100 Mbit/s or less (that’s what people get today). With Pfring inline we parallelize the inline processing on up to 8 cores thus achieving almost 700 Mbit/s sustained. Performance numbers are greatly affected by the type and number of Snort rules used and the type of traffic being sent through. However, it appears that no matter what your setup is, pfring inline with 8 cores should achieve 700-800Mbps sustained throughput with a approximately 200 microseconds latency. That is plenty performance!

We have created an archive containing all source code necessary to build the above system (CentOS 6 highly recommended) and an automated installation script that will save you hours. If you want to do everything from scratch, look at the Manual Instructions Section.

Automated Instructions

wget https://nsm.metaflows.com/linux.zip
unzip linux.zip
cd nsm
./setup.sh

At this point all software is installed (including Ntop) and all drivers are loaded. Now you can now choose to (1) run Snort on your own as you do today or (2) become a MetaFlows subscriber and try the MetaFlows Security System either as a community user (free) or as a commercial user ($99/month).

Use Snort on your own

#for i in `seq 0,<N>`; do /nsm/bin/snort-2.9.0/src/snort -c <yourconfig.com> -i <int1:int2> \
--daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=10 --daq-mode inline -Q; done

Become a MetaFlows Subscriber

  1. Create an account at nsm.metaflows.com
  2. Go to sensors->add and configure a sensor using the web form; set your HOME_NET and either send the alerts to a syslog server and/or the MetaFlows DB (recommended); click Save
  3. Click on Generate and wait for the Pinguin icon to appear
  4. Go back to the machine where you did the setup and execute /nsm/etc/mss.sh start; enter your login information from step 1 and choose the sensor you configured in step 2.
  5. The Browser should now get a green light on the top right. Click on Real time and see Snort alerts, optionally flow data, and optionally Syslogs in your browser!

You life has now gotten a lot easier because of MetaFlows! Community users will get a taste of the Commercial User features (minus the ET Pro rules) for 14 days for Free. No smoke and mirrors; here is what you get:

Community User (always free; limited to 1 sensor)

  • Automatic rules updates (VRT or ET GPL rules)
  • Use the browser to manage any Snort configuration (including rules)
  • Snort, Flow and Syslog data in real time in your Browser!
  • PDF escalation reporting  and ticketing system
  • Receive automated email alerts
  • Network and event classification system
  • Detailed forensic analysis through your browser
  • Inline IPS or Active response; block particular hosts or application (inline or passive)
  • Sensor sharing to an unlimited number of users and online group collaboration

Commercial User (First 14 days free — $99/month/sensor after that)

  • 1 year of  storage and data mining of all Security Event Messages including all Syslog messages
  • Automatic, daily EmergingThreats Pro rules updates
  • Automatic, weekly security Intelligence updates from the SRI Malware Threat Center
  • Top ranking incident classification summary to easily find security problems
  • Automated and customizable daily reports
  • Priority customer support
  • Customizable Honeypots for internal security

Manual Instructions

  1. Download and install libdnet. You can download it here
  2. Install the following packages with yum install –package–

kernel-devel
libtool
subversion
automake
make
autoconf
pcre-devel
libpcap-devel
flex
bison
byacc
gcc
zlib-devel
gcc-c++

#Build the PF_RING inline libraries and kernel module:

#download our modified PF_RING source here

tar xvfz PF_RING.tgz
cd  PF_RING; make clean
cd kernel;
make clean; make; make install
cd ../userland/lib;
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib;
export LIBS='-L/usr/local/lib';
./configure;
make clean; make; make install
cd ../libpcap;
export LIBS='-L/usr/local/lib -lpfring -lpthread';
./configure;
make clean; make; make install;
make clean; make; make install-shared
ln -s /usr/local/lib/libpfring.so /usr/lib/libpfring.so
#Build the daq-0.5 libraries:

#downlaod daq-0.5 here

tar xvfz daq-0.5.tgz
cd daq-0.5;
chmod 755 configure;
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib;
export LIBS="-L/usr/local/lib -lpcap -lpthread"
./configure --disable-nfq-module --disable-ipq-module \
--with-libpcap-includes=/usr/local/include \
--with-libpcap-libraries=/usr/local/lib \
--with-libpfring-includes=/usr/local/include/ \
--with-libpfring-libraries=/usr/local/lib
make clean; make; make install

#Go back to the PF_RING directory and build the daq interface module

cd  PF_RING/userland/snort/pfring-daq-module;
autoreconf -ivf;
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpcap -lpfring -lpthread';
./configure; make; make install

# Build Snort 2.9.x #
cd snort-2.9.x;
make clean ;
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib;
export LIBS='-L/usr/local/lib -lpfring -lpthread'
./configure --with-libpcap-includes=/usr/local/includes \
--with-libpcap-libraries=/usr/local/lib \
--with-libpfring-includes=/usr/local/include/ \
--with-libpfring-libraries=/usr/local/lib \
--enable-zlib --enable-perfprofiling
make
make install

# Load PF_RING MODULE
####### ATTENTION #########
#The OS will try to load the pfring kernel module with default
#parameters anytime any application with pfring runs. The default parameters
#are wrong when running inline!!
#never run inline with tx_capture!!!!
#Therefore is always a good idea to remove pf_ring.ko and reload it with
the correct parameter before running inline.

rmmod pf_ring.ko
insmod pf_ring.ko enable_tx_capture=0
# Run Snort
# Run as many instances as your system can handle limited only to value of \
CLUSTER_LEN in PF_RING/kernel/linux/pf_ring.h at compile time (and your memory).
#Remember to replace the interfaces with ones appropriate for your instance.

ifconfig eth0 up
ifconfig eth1 up
snort -c snort.serv.conf -A console -y -i eth0:eth1 \
--daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=10 \
--daq-mode inline -Q

If you want even faster performance (about 20% more) and you have one of the Ethernet interfaces in PF_RING/drivers, you can run in transparent mode 1. We have only extensively tested the e1000e driver and we know it is very reliable.
To use transparent mode 1 with an e1000e interface:

cd PF_RING/drivers/intel/e1000e/e1000e-1.3.10a/src;
make clean;
make;
make install
#Now you need to replace the e1000e module by either
#rebooting or removing the old one and reloading the new driver in
#/lib/modules/`uname -r`/kernel/drivers/net/e1000e/
#You also need to reload the pf_ring.ko module to enable transparent mode 1
#also increasing the buffer size for extra humf:
rmmod pf_ring.ko
insmod pf_ring.ko enable_tx_capture=0 transparent_mode=1 min_num_slots=16384

If you have any issues go to the metaflows google group for support.
————————————————————————————————————————————————————

FILES:
PF_RING.tgz
README
INFO.txt