Monday, July 25, 2011

Running a load-balanced Snort in a PF_RING cluster

Even though Snort itself is single threaded, PF_RING has software load-balancing capabilities which will allow you to run it as if it were multi-threaded.  Here's the glossed-over version of the howto:

Note: By default, PF_RING ships with CLUSTER_LEN=8, which means only 8 processes can participate in a cluster.  If you have more than 8 cores and want to increase this amount, you will need to edit the source code for the PF_RING kernel module (<PF_RING_SRC>/kernel/linux/pf_ring.h and change #define CLUSTER_LEN 8 to 16 (or however many cores you have).  Then re-install the module (make && make install) and rmmod pf_ring && modprobe pf_ring to activate the new one.

1. Get PF_RING with the snort daq included
  svn co
2. Compile the daq (assuming PF_RING installed to /opt/PF_RING)
  ./configure --with-pic --with-libpcap-includes=/opt/PF_RING/include CFLAGS=-lpthread -lpfring -lpcap -D_GNU_SOURCE && make && make install
3. Add the following to your snort.conf:
config daq: pfring
config daq_dir: /usr/local/lib/daq
config daq_var: clusterid=44 (this can be any number < 255)
4. Start snort with a shell script wrapper like this (assuming you have 8 CPU's and you are sniffing eth2):
for COUNTER in 0 1 2 3 4 5 6 7; do
mkdir /tmp/snort$COUNTER
kill $(cat /tmp/snort$COUNTER/
sleep 5;
/usr/local/snort/bin/snort -c /etc/snort/snort.conf --pid-path=/tmp/snort$COUNTER -l /tmp/snort$COUNTER --daq-var bindcpu=$COUNTER -D &
5. Profit