PF_RING + intel igb + snort + DAQ on debian

In this article, I'm going to summarize the steps needed to build a full packet capture solution with the Snort IDS and Intel NICs.

This solution is based on Luca Deri's PF_RING, a new type of socket that speeds up packet capture, and on Snort.

We will follow these steps:

  1. Download and compile PF_RING
  2. Compile the PF_RING aware network driver
  3. Compile the libpcap
  4. Download and compile DAQ
  5. Compile PF_RING DAQ module
  6. Download and compile snort against DAQ

First, download the required debian packages (kernel headers and compilers)

[shell]
Snort:~ # apt-get install build-essential \
linux-headers-$(uname -r) \
bison \
flex \
dh-autoreconf
[/shell]

Next, check out the PF_RING source code from https://svn.ntop.org/svn/ntop/trunk/PF_RING/

[text]
Snort:~ # svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/
A PF_RING/README.DNA
A PF_RING/drivers
A PF_RING/drivers/Makefile
.
.
.
A PF_RING/userland/examples/pcap2nspcap.c
A PF_RING/userland/examples/pffilter_test.c
A PF_RING/userland/examples/pwrite.c
Checked out revision 5696.
Snort:~ #
[/text]

Then cd into PF_RING and type "make" to start the build. If you get the following error while compiling:

[text]
/usr/local/src/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src/igb_main.c:197: error: implicit declaration of function ‘SET_RUNTIME_PM_OPS’
/usr/local/src/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src/igb_main.c:200: error: initializer element is not constant
/usr/local/src/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src/igb_main.c:200: error: (near initialization for ‘igb_pm_ops.suspend_noirq’)
[/text]

just build with CFLAGS_EXTRA=-DDISABLE_PM, which compiles the igb driver without the runtime power-management hooks the error refers to:

[shell]
Snort:~/PF_RING # make CFLAGS_EXTRA=-DDISABLE_PM
[/shell]

After building, install the kernel module and userland software with “cd kernel && make install && cd ../userland/lib && make install”

[shell]
Snort:~/PF_RING # cd kernel && make install && cd ../userland/lib && make install
mkdir -p /lib/modules/2.6.32-5-amd64/kernel/net/pf_ring
cp *.ko /lib/modules/2.6.32-5-amd64/kernel/net/pf_ring
cp linux/pf_ring.h /usr/include/linux
/sbin/depmod 2.6.32-5-amd64
ar x libs/libpfring_zero_x86_64.a
ar x libs/libpfring_dna_x86_64.a
ar x libs/libpfring_mod_virtual_x86_64.a
=*= making library libpfring.a =*=
ar rs libpfring.a pfring.o pfring_mod.o pfring_utils.o pfring_mod_usring.o pfring_hw_filtering.o pfring_dna_bouncer.o pfring_mod_dna_cluster.o pfring_dna_cluster.o pfring_libzero.o pfring_mod_dna.o pfring_dna.o pfring_e1000e_dna.o pfring_ixgbe_dna.o pfring_igb_dna.o pfring_dna_v2.o silicom_ts.o pfring_dna_utils.o pfring_mod_virtual.o
ranlib libpfring.a
mkdir -p //usr/local/include
cp pfring.h //usr/local/include/
mkdir -p //usr/local/lib
cp libpfring.a //usr/local/lib/
=*= making library libpfring.so =*=
gcc -g -shared pfring.o pfring_mod.o pfring_utils.o pfring_mod_usring.o pfring_hw_filtering.o pfring_dna_bouncer.o pfring_mod_dna_cluster.o pfring_dna_cluster.o pfring_libzero.o pfring_mod_dna.o pfring_dna.o pfring_e1000e_dna.o pfring_ixgbe_dna.o pfring_igb_dna.o pfring_dna_v2.o silicom_ts.o pfring_dna_utils.o pfring_mod_virtual.o -lpthread -o libpfring.so
mkdir -p //usr/local/lib
cp libpfring.so //usr/local/lib/
Snort:~/PF_RING/userland/lib #
[/shell]

Now, insert the pf_ring module into the kernel

[shell]
Snort:~/PF_RING/userland/lib # cd ~/PF_RING/
Snort:~/PF_RING # insmod ./kernel/pf_ring.ko
Snort:~/PF_RING #
Snort:~/PF_RING # lsmod | grep ring
pf_ring 345240 0
Snort:~/PF_RING #
[/shell]

The information regarding pf_ring can be found in /proc/net/pf_ring. Every process using pf_ring gets a stats file at /proc/net/pf_ring/[pid]-[interface], and every NIC using pf_ring gets an info file at /proc/net/pf_ring/dev/ethX/info.

[shell]
Snort:~/PF_RING # cat /proc/net/pf_ring/info
PF_RING Version : 5.4.6 ($Revision: 5696$)
Ring slots : 4096
Slot version : 14
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes (mode 0)
Total rings : 0
Total plugins : 0
Snort:~/PF_RING #
Snort:~/PF_RING #
[/shell]

Now, compile the PF_RING-aware Ethernet driver.

I have a pair of Intel NICs which use the igb driver, so I cd into the igb PF_RING-aware driver directory and compile it.

[shell]
Snort:~ # lspci | grep Ethernet
06:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
06:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
07:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
Snort:~ #
Snort:~ # cd ~/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src
Snort:~/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src #
Snort:~/PF_RING/drivers/PF_RING_aware/intel/igb/igb-3.4.7/src # make install CFLAGS_EXTRA=-DDISABLE_PM
[/shell]

Now, time to install libpcap (it was already compiled by the first "make" command we issued).

[shell]
Snort:~ # cd PF_RING/userland/libpcap
Snort:~/PF_RING/userland/libpcap # make install
Snort:~/PF_RING/userland/libpcap #
[/shell]

Now, download daq-1.1.1 from snort.org and compile it.

[shell]
Snort:~ # tar xzf daq-1.1.1.tar.gz
Snort:~ # cd daq-1.1.1
Snort:~/daq-1.1.1 # ./configure && make && make install
Snort:~/daq-1.1.1 #
[/shell]

Now, time to compile the pfring daq module for snort.

[shell]
Snort:~/PF_RING/userland/snort/pfring-daq-module # autoreconf -ivf
Snort:~/PF_RING/userland/snort/pfring-daq-module # ./configure
Snort:~/PF_RING/userland/snort/pfring-daq-module # make
[/shell]

Now, time to compile snort against the PF_RING DAQ. You may need to install libpcre3-dev if Snort's ./configure complains about "pcre-config", and libdumbnet-dev if it complains about dumbnet.h.

[shell]
Snort:~ # cd snort-2.9.2.2
Snort:~/snort-2.9.2.2 # ./configure --enable-dynamicplugin --enable-perfprofiling --enable-zlib \
--enable-reload --enable-normalizer --enable-prelude --enable-targetbased \
--enable-decoder-preprocessor-rules --enable-mpls --enable-ppm --enable-active-response \
--enable-react --enable-flexresp3 --without-mysql --without-postgresql --enable-gre \
--enable-sourcefire --enable-pthread --enable-linux-smp-stats --enable-shared-rep \
--enable-control-socket
Snort:~/snort-2.9.2.2 # make
Snort:~/snort-2.9.2.2 # make install
[/shell]

And voilà! 🙂

The downside: if you want to run an IDS with 0% packet loss at 1 Gbps, you will need to pay for a license for Luca Deri's DNA software. Tests I have made show 90% packet loss with PF_RING at 1 Gbps in NAPI/TNAPI polling mode. 🙁
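As an added example (not part of the original post), a small POSIX shell script for checking the result of the build above: it reads the fields of the /proc/net/pf_ring/info file shown earlier, checks that the pf_ring module is loaded, and computes a drop percentage from received/dropped counters, which is how a figure like the 90% quoted above is derived. The /proc/modules default path and the PFRING_LIVE variable are my assumptions; the sample info file is constructed to mirror the output in the post.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks for the
# PF_RING build above. Paths are parameters, so the functions run on the
# constructed sample below as well as on the live /proc files.

# Print one field from a /proc/net/pf_ring/info-style file. The match is
# anchored on the key (so "Total rings" does not also match "Total plugins")
# and only the first ":" is the separator (the version line has a second one).
pfring_info_field() {
    awk -v key="$2" '$0 ~ ("^" key "[ \t]*:") { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# Succeed if pf_ring appears in a /proc/modules-style listing (assumed default
# path); the lsmod output shown in the post matches the same pattern.
pfring_module_loaded() {
    grep -q '^pf_ring[[:space:]]' "${1:-/proc/modules}"
}

# Integer percentage of dropped packets from received ($1) / dropped ($2) counters.
pfring_loss_pct() {
    total=$(( $1 + $2 ))
    [ "$total" -gt 0 ] || { echo 0; return; }
    echo $(( $2 * 100 / total ))
}

# Constructed sample mirroring the info output shown earlier in the post.
SAMPLE_INFO=$(mktemp)
trap 'rm -f "$SAMPLE_INFO"' EXIT
cat > "$SAMPLE_INFO" <<'EOF'
PF_RING Version : 5.4.6 ($Revision: 5696$)
Ring slots : 4096
Capture TX : Yes [RX+TX]
Transparent mode : Yes (mode 0)
Total rings : 0
EOF

# Summarise an info file and flag the two things worth noticing after install.
pfring_report() {
    info=${1:-/proc/net/pf_ring/info}
    printf 'PF_RING %s, %s ring slots\n' \
        "$(pfring_info_field "$info" 'PF_RING Version')" \
        "$(pfring_info_field "$info" 'Ring slots')"
    case "$(pfring_info_field "$info" 'Capture TX')" in
        Yes*) ;; *) echo 'warning: TX capture is disabled' ;;
    esac
    [ "$(pfring_info_field "$info" 'Total rings')" != 0 ] ||
        echo 'note: no process has opened a ring yet (is snort running?)'
}

pfring_report "$SAMPLE_INFO"                 # always runs on the sample
[ -z "${PFRING_LIVE:-}" ] || pfring_report   # PFRING_LIVE=1 reads the live /proc file
```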

I would like to test the BSD+netmap performance with snort.

Published in linux