Inline Snort multiprocessing with PF_RING (tested on CentOS 6)

We have modified PF_RING to work with inline Snort, while still supporting the existing passive multiprocessing functionality. PF_RING load balances the traffic to be analyzed by hashing the packet headers (IP addresses and TCP/UDP ports) into multiple buckets. This lets you spawn multiple instances of Snort, each processing a single bucket, and achieve higher throughput through multiprocessing. The hash is computed per flow, so every packet of a given connection lands in the same bucket; for inline (IPS) use this matters, because the instance that makes the drop/forward decision for a flow has to see all of that flow's traffic.

To take full advantage of this you need a multicore processor (for example a Core i7 with 8 hardware threads). It should also work well with dual or quad processor boards to increase parallelism even further. The big deal is that you can now build really cheap IPS systems using standard off-the-shelf machines.

Here is the system we have ported PF_RING inline to:

  CPU: Intel(R) Core(TM) i7 CPU 950 @ 3.07GHz
  NIC driver: PF_RING e1000e driver, transparent_mode=1
  Snort 2.9.0.x using the SRI BotHunter ruleset in addition to the Emerging Threats Pro ruleset
  Throughput: ~800Mbps
  Latency: ~200us

We describe below how to build such a system on CentOS 6. If you do not want to go through these steps, we also provide this functionality through our community and commercial security system (MSS), pre-packaged and ready to go. It would help us if you tried it and let us know what you think.

Please install the following packages first. Most of these can be installed with yum install <package>:

  libdnet kernel-devel libtool subversion automake make autoconf pcre-devel
  libpcap-devel flex bison byacc gcc zlib-devel gcc-c++

# Build the PF_RING inline libraries and kernel module
# (download our modified PF_RING source here)
tar xvfz pfring_inline.tgz
cd PF_RING; make clean
cd kernel; make clean; make; make install
cd ../userland/lib
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib'
./configure; make clean; make; make install
cd ../libpcap
export LIBS='-L/usr/local/lib -lpfring -lpthread'
./configure; make clean; make; make install; make clean; make; make install-shared
ln -s /usr/local/lib/libpfring.so /usr/lib/libpfring.so

# Build the daq-0.5 libraries
# (download daq-0.5 here)
tar xvfz daq-0.5.tgz
cd daq-0.5; chmod 755 configure
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpcap -lpthread'
./configure --disable-nfq-module --disable-ipq-module \
  --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib \
  --with-libpfring-includes=/usr/local/include --with-libpfring-libraries=/usr/local/lib
make clean; make; make install

# Go back to the PF_RING directory and build the DAQ interface module
cd PF_RING/userland/snort/pfring-daq-module
autoreconf -ivf
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpcap -lpfring -lpthread'
./configure; make; make install

# Build Snort 2.9.0.x
cd snort-2.9.0.x; make clean
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export LIBS='-L/usr/local/lib -lpfring -lpthread'
./configure --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib \
  --with-libpfring-includes=/usr/local/include --with-libpfring-libraries=/usr/local/lib \
  --enable-zlib --enable-perfprofiling
make
make install

# Load the PF_RING module
# Never run inline with TX capture enabled: with enable_tx_capture=1 the packets
# Snort forwards out of the second interface would be captured again.
insmod pf_ring.ko enable_tx_capture=0

# Run Snort
# Run as many instances as your system can handle; the only hard limit is the
# value of CLUSTER_LEN in PF_RING/kernel/linux/pf_ring.h at compile time (and
# your memory). All instances must use the same clusterid so that PF_RING
# distributes the flows among them.
# Remember to replace the interfaces with the ones appropriate for your system.
ifconfig eth0 up
ifconfig eth1 up
snort -c snort.serv.conf -A console -y -i eth0:eth1 --daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=10 --daq-mode inline -Q
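The command above starts a single Snort instance; the multiprocessing the page describes comes from starting several of them that share one clusterid. The script below is an added example, not code from the page or from the PF_RING project. It assumes Snort is installed at /usr/local/bin/snort, that the DAQ modules live in /usr/local/lib/daq, that per-instance logs go under /var/log/snort/<n>, and it uses taskset (util-linux) to pin each instance to its own CPU, which the page does not mention. The instance count is one per online CPU, capped by a CLUSTER_LEN value you pass in (the script cannot read pf_ring.h at run time).

```shell
#!/bin/sh
# Added example (not from the original page): start N Snort instances that all
# join PF_RING cluster CLUSTERID, each pinned to its own CPU with taskset.
# Assumed paths (not from the page):
SNORT=${SNORT:-/usr/local/bin/snort}
DAQ_DIR=${DAQ_DIR:-/usr/local/lib/daq}
LOG_BASE=${LOG_BASE:-/var/log/snort}

# snort_cmd N CONF IN OUT CLUSTERID -> prints the command line for instance N.
# Every instance passes the same clusterid, so PF_RING hashes each flow to
# exactly one of them; "--daq-mode inline -Q" makes Snort forward IN<->OUT.
# "-l" gives each instance its own log directory so they do not clobber
# each other's alert and unified2 files.
snort_cmd() {
    n=$1; conf=$2; in_if=$3; out_if=$4; cid=$5
    printf '%s' "taskset -c $n $SNORT -c $conf -A console -y -i $in_if:$out_if \
--daq-dir $DAQ_DIR --daq pfring --daq-var clusterid=$cid --daq-mode inline -Q \
-l $LOG_BASE/$n"
}

# instance_count MAX -> how many instances to start: one per online CPU,
# capped at MAX (the CLUSTER_LEN you compiled pf_ring.ko with).
instance_count() {
    max=$1
    cpus=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
    if [ "$cpus" -gt "$max" ]; then echo "$max"; else echo "$cpus"; fi
}

# launch_all CONF IN OUT CLUSTERID -> starts the instances in the background,
# each with its console output redirected to its own log directory.
launch_all() {
    count=$(instance_count "${CLUSTER_LEN:-8}")
    i=0
    while [ "$i" -lt "$count" ]; do
        mkdir -p "$LOG_BASE/$i"
        cmd=$(snort_cmd "$i" "$1" "$2" "$3" "$4")
        echo "starting instance $i: $cmd"
        sh -c "$cmd" > "$LOG_BASE/$i/console.log" 2>&1 &
        i=$((i + 1))
    done
    wait
}

# Only launch when explicitly asked, so the functions can be sourced/tested:
#   SNORT_MP_LAUNCH=1 CLUSTER_LEN=8 ./snort-mp.sh snort.serv.conf eth0 eth1 10
if [ "${SNORT_MP_LAUNCH:-0}" = "1" ]; then
    launch_all "$1" "$2" "$3" "$4"
fi
```

Before launching, bring both interfaces up as the page shows and make sure pf_ring.ko was loaded with enable_tx_capture=0; if you start more instances than CLUSTER_LEN allows, the extra ones will fail to join the cluster rather than silently run unbalanced, so check each instance's console.log after startup.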