libcrack.so – non-sleep thinking

PF_RING + intel igb + snort + DAQ on debian

21.09.2012 (3:12 pm) – Filed under: linux,snort ::

In this article, I’m going to summarize the steps needed to build a full packet capture solution with the snort IDS and Intel NICs.

This solution is based on Luca Deri’s PF_RING, a new socket type designed to speed up packet capture for applications such as snort.

We will follow these steps:

  1. Download and compile PF_RING
  2. Compile the PF_RING aware network driver
  3. Compile libpcap
  4. Download and compile DAQ
  5. Compile the PF_RING DAQ module
  6. Download and compile snort against DAQ

First, download the required Debian packages (kernel headers and compilers):

Snort:~ # apt-get install build-essential \
                          linux-headers-$(uname -r) \
                          bison \
                          flex \
                          dh-autoreconf

Next, check out the PF_RING source code from https://svn.ntop.org/svn/ntop/trunk/PF_RING/

Snort:~ # svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/
A    PF_RING/README.DNA
A    PF_RING/drivers
A    PF_RING/drivers/Makefile
.
.
.
A    PF_RING/userland/examples/pcap2nspcap.c
A    PF_RING/userland/examples/pffilter_test.c
A    PF_RING/userland/examples/pwrite.c
Checked out revision 5696.
Snort:~ # 

Then cd into PF_RING and type “make” to start the build. If you get the following error while compiling:

/usr/local/src/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src/igb_main.c:197: error: implicit declaration of function 'SET_RUNTIME_PM_OPS'
/usr/local/src/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src/igb_main.c:200: error: initializer element is not constant
/usr/local/src/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src/igb_main.c:200: error: (near initialization for 'igb_pm_ops.suspend_noirq')

just compile with CFLAGS_EXTRA=-DDISABLE_PM:

Snort:~/PF_RING # make CFLAGS_EXTRA=-DDISABLE_PM

After building, install the kernel module and the userland library with “cd kernel && make install && cd ../userland/lib && make install”:

Snort:~/PF_RING # cd kernel && make install && cd ../userland/lib && make install
mkdir -p /lib/modules/2.6.32-5-amd64/kernel/net/pf_ring
cp *.ko /lib/modules/2.6.32-5-amd64/kernel/net/pf_ring
cp linux/pf_ring.h /usr/include/linux
/sbin/depmod 2.6.32-5-amd64
ar x libs/libpfring_zero_x86_64.a
ar x libs/libpfring_dna_x86_64.a
ar x libs/libpfring_mod_virtual_x86_64.a
=*= making library libpfring.a =*=
ar rs libpfring.a pfring.o pfring_mod.o pfring_utils.o pfring_mod_usring.o pfring_hw_filtering.o pfring_dna_bouncer.o pfring_mod_dna_cluster.o pfring_dna_cluster.o pfring_libzero.o  pfring_mod_dna.o pfring_dna.o pfring_e1000e_dna.o pfring_ixgbe_dna.o pfring_igb_dna.o pfring_dna_v2.o silicom_ts.o pfring_dna_utils.o  pfring_mod_virtual.o  
ranlib libpfring.a
mkdir -p //usr/local/include
cp pfring.h //usr/local/include/
mkdir -p //usr/local/lib
cp libpfring.a //usr/local/lib/
=*= making library libpfring.so =*=
gcc -g -shared pfring.o pfring_mod.o pfring_utils.o pfring_mod_usring.o pfring_hw_filtering.o pfring_dna_bouncer.o pfring_mod_dna_cluster.o pfring_dna_cluster.o pfring_libzero.o  pfring_mod_dna.o pfring_dna.o pfring_e1000e_dna.o pfring_ixgbe_dna.o pfring_igb_dna.o pfring_dna_v2.o silicom_ts.o pfring_dna_utils.o  pfring_mod_virtual.o   -lpthread  -o libpfring.so
mkdir -p //usr/local/lib
cp libpfring.so //usr/local/lib/
Snort:~/PF_RING/userland/lib #

Now, insert the pf_ring module into the kernel:

Snort:~/PF_RING/userland/lib # cd ~/PF_RING/
Snort:~/PF_RING # insmod ./kernel/pf_ring.ko
Snort:~/PF_RING # 
Snort:~/PF_RING # lsmod | grep ring
pf_ring               345240  0 
Snort:~/PF_RING # 

Information about pf_ring can be found in /proc/net/pf_ring. Every process using pf_ring will have a stats file located in /proc/net/pf_ring/[pid]-[interface].
Every NIC using pf_ring will have an info file located in /proc/net/pf_ring/dev/ethX/info

Snort:~/PF_RING # cat /proc/net/pf_ring/info 
PF_RING Version     : 5.4.6 ($Revision: 5696$)
Ring slots          : 4096
Slot version        : 14
Capture TX          : Yes [RX+TX]
IP Defragment       : No
Socket Mode         : Standard
Transparent mode    : Yes (mode 0)
Total rings         : 0
Total plugins       : 0
Snort:~/PF_RING # 
Snort:~/PF_RING # 

Now, compile the PF_RING aware ethernet driver.

I have a pair of Intel NICs which use the igb driver, so I “cd” into the igb PF_RING aware driver directory and compile it.

Snort:~ # lspci | grep Ethernet
06:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
06:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
07:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
Snort:~ # 
Snort:~ # cd ~/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src
Snort:~/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src #
Snort:~/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src # make install CFLAGS_EXTRA=-DDISABLE_PM

Now, install libpcap (it was already compiled by the first “make” command we issued):

Snort:~ # cd PF_RING/userland/libpcap
Snort:~/PF_RING/userland/libpcap # make install
Snort:~/PF_RING/userland/libpcap # 

Now, download daq-1.1.1 from snort.org and compile it:

Snort:~ # tar xzf daq-1.1.1.tar.gz
Snort:~ # cd daq-1.1.1
Snort:~/daq-1.1.1 # ./configure && make && make install
Snort:~/daq-1.1.1 # 

Now, compile the pfring DAQ module for snort:

Snort:~/PF_RING/userland/snort/pfring-daq-module # autoreconf -ivf
Snort:~/PF_RING/userland/snort/pfring-daq-module # ./configure
Snort:~/PF_RING/userland/snort/pfring-daq-module # make

Now, compile snort against the PF_RING DAQ. You may need to install libpcre3-dev if snort’s ./configure complains about “pcre-config”, and likewise libdumbnet-dev if it complains about dumbnet.h.

Snort:~ # cd snort-2.9.2.2
Snort:~/snort-2.9.2.2 # ./configure --enable-dynamicplugin --enable-perfprofiling --enable-zlib \
                          --enable-reload --enable-normalizer --enable-prelude --enable-targetbased \
                          --enable-decoder-preprocessor-rules --enable-mpls --enable-ppm \
                          --enable-active-response --enable-react --enable-flexresp3 \
                          --without-mysql --without-postgresql --enable-gre --enable-sourcefire \
                          --enable-pthread --enable-linux-smp-stats --enable-shared-rep \
                          --enable-control-socket
Snort:~/snort-2.9.2.2 # make
Snort:~/snort-2.9.2.2 # make install

And voilà! :-)
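To confirm that the stack you just built is the one actually in use, here is a small post-build check script. It is an added example, not part of the original post or of the PF_RING/snort projects; it only relies on the lsmod output, the /proc/net/pf_ring/info fields and the igb-3.4.7 driver version shown above, plus ethtool -i for the bound driver. The check functions take their input as text, so they can be exercised on constructed samples before being pointed at a live box.

```shell
#!/bin/sh
# Post-build sanity checks for the PF_RING + igb + snort stack (added example,
# not from the original post). Each check takes its input as text so it can be
# run on constructed samples; the bottom of the file feeds it live system data.

# Exit 0 if the lsmod output in $1 lists the pf_ring kernel module.
pfring_loaded() {
    printf '%s\n' "$1" | awk '$1 == "pf_ring" { f = 1 } END { exit f ? 0 : 1 }'
}

# Print the value of field $2 from /proc/net/pf_ring/info text in $1 ("Key : Value" lines).
# Splits on the first colon only, so a value like "5.4.6 ($Revision: 5696$)" survives intact.
pfring_info_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
        index($0, ":") {
            key = substr($0, 1, index($0, ":") - 1); sub(/ +$/, "", key)
            if (key == k) { v = substr($0, index($0, ":") + 1); sub(/^ +/, "", v); print v; exit }
        }'
}

# Exit 0 if the "ethtool -i <iface>" output in $1 reports driver $2 at version $3,
# i.e. the PF_RING-aware driver you built (igb 3.4.7 here) is the one bound to the NIC.
nic_driver_is() {
    printf '%s\n' "$1" | awk -v d="$2" -v v="$3" '
        $1 == "driver:"  && $2 == d { okd = 1 }
        $1 == "version:" && $2 == v { okv = 1 }
        END { exit (okd && okv) ? 0 : 1 }'
}

# Live run: only when the pf_ring module exposes its proc file; otherwise the
# functions above are still usable on their own.
if [ -r /proc/net/pf_ring/info ]; then
    info=$(cat /proc/net/pf_ring/info)
    pfring_loaded "$(lsmod)" && echo "pf_ring module: loaded" || echo "pf_ring module: NOT loaded"
    echo "PF_RING version: $(pfring_info_field "$info" 'PF_RING Version')"
    # 0 rings means nothing has opened a PF_RING socket yet; once snort runs on the pfring
    # DAQ this rises and a /proc/net/pf_ring/<pid>-<iface> stats file appears per process.
    echo "Total rings: $(pfring_info_field "$info" 'Total rings')"
    for dev in /proc/net/pf_ring/dev/*; do
        [ -d "$dev" ] || continue
        ifc=$(basename "$dev")
        nic_driver_is "$(ethtool -i "$ifc" 2>/dev/null)" igb 3.4.7 \
            && echo "$ifc: PF_RING-aware igb 3.4.7" \
            || echo "$ifc: unexpected driver, check: ethtool -i $ifc"
    done
fi
```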

The bad point is: if you want to run a 0% packet loss IDS at 1Gbps, you will need to pay for a license for Luca Deri’s DNA software. Tests I have made show PF_RING’s 90% packet loss at 1Gbps with the NAPI/TNAPI polling mode. :-(

I would like to test the BSD+netmap performance with snort.
