Monday, July 25, 2011

Running a load-balanced Snort in a PF_RING cluster

Even though Snort itself is single threaded, PF_RING has software load-balancing capabilities which will allow you to run it as if it were multi-threaded.  Here's the glossed-over version of the howto:

Note: By default, PF_RING ships with CLUSTER_LEN=8, which means only 8 processes can participate in a cluster.  If you have more than 8 cores and want to increase this amount, you will need to edit the source code for the PF_RING kernel module (<PF_RING_SRC>/kernel/linux/pf_ring.h) and change #define CLUSTER_LEN 8 to 16 (or however many cores you have).  Then re-install the module (make && make install) and run rmmod pf_ring && modprobe pf_ring to activate the new one.


1. Get PF_RING with the snort daq included
  svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/
2. Compile the daq (assuming PF_RING installed to /opt/PF_RING).  The CFLAGS value must be quoted, otherwise configure sees -lpfring, -lpcap and -D_GNU_SOURCE as unknown options:
  ./configure --with-pic --with-libpcap-includes=/opt/PF_RING/include CFLAGS="-lpthread -lpfring -lpcap -D_GNU_SOURCE" && make && make install
3. Add the following to your snort.conf (clusterid can be any number < 255; every Snort process that should share the load uses the same clusterid):
  config daq: pfring
  config daq_dir: /usr/local/lib/daq
  config daq_var: clusterid=44
4. Start snort with a shell script wrapper like this (assuming you have 8 CPUs and you are sniffing eth2):
  #!/bin/sh
  # Start one Snort instance per core; all of them join the same PF_RING
  # cluster (clusterid from snort.conf) and each is pinned to its own CPU.
  for COUNTER in 0 1 2 3 4 5 6 7; do
    mkdir -p /tmp/snort$COUNTER
    # Stop the previous instance for this core, if one is still running
    if [ -f /tmp/snort$COUNTER/snort_eth2.pid ]; then
      kill "$(cat /tmp/snort$COUNTER/snort_eth2.pid)"
      sleep 5
    fi
    /usr/local/snort/bin/snort -c /etc/snort/snort.conf -i eth2 --pid-path=/tmp/snort$COUNTER -l /tmp/snort$COUNTER --daq-var bindcpu=$COUNTER -D &
  done
5. Profit
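The wrapper in step 4 backgrounds eight daemons and never checks that they came up, so here is a small health check for the cluster, added as an example and not part of the original post.  It assumes the same layout as step 4 (one /tmp/snortN directory per worker holding snort_eth2.pid, worker N pinned with bindcpu=N); the function name is my own.

```shell
#!/bin/sh
# Health check for the PF_RING/Snort cluster started by the step 4 wrapper.
# Assumes the same layout: one directory per worker (BASEDIR/snortN) holding
# snort_IFACE.pid, and worker N pinned with bindcpu=N.  Function name is ours.
#
# Usage: check_cluster BASEDIR IFACE NWORKERS
# Prints one status line per worker; the return value is the number of
# workers that are not running (0 means the whole cluster is up).
check_cluster() {
  base=$1
  iface=$2
  n=$3
  dead=0
  i=0
  while [ "$i" -lt "$n" ]; do
    pidfile="$base/snort$i/snort_$iface.pid"
    pid=""
    [ -r "$pidfile" ] && pid=$(cat "$pidfile")
    # kill -0 only tests whether the pid exists; it sends no signal
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
      echo "worker $i (bindcpu=$i): running, pid $pid"
    else
      echo "worker $i (bindcpu=$i): NOT running (pid file: $pidfile)"
      dead=$((dead + 1))
    fi
    i=$((i + 1))
  done
  return "$dead"
}

# Stand-alone invocation, e.g.: sh check_cluster.sh /tmp eth2 8
if [ "$#" -eq 3 ]; then
  check_cluster "$@"
fi
```

Run it from cron or after the wrapper finishes; a non-zero exit tells you how many cores are no longer receiving their share of the PF_RING cluster traffic.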

Thursday, July 7, 2011

ELSA VMware Appliance Available

Peter over at Balabit has graciously offered a place to host a VM for ELSA.  You can download it at http://spike2.fa.gau.hu/~mcholste/elsa_vm.tar.gz .  It is a fully-functional ELSA installation running on Ubuntu 10.04 LTS.  It will start all necessary services to begin recording and viewing logs and provides a good way to see what ELSA is all about without a major time investment.  Please note that performance-wise, a VM will not be ideal, but it should be enough for interested readers to get a look at what ELSA can do.  The user name for the VM is "elsa" and the password is "biglog".  I've included an SVN update script in the tarball now, so if you want to make sure the ELSA installation is current, you can run /usr/local/elsa/contrib/update_from_svn.sh and then execute "service elsa restart".  Please let me know if you run into any issues or have any comments!