Re: Myricom cards and multiple instances of Snort - how-to?

[Y M <snort () outlook com>]

Comments inline.

> Date: Thu, 3 Sep 2015 12:01:06 -0400
> From: gl89 () cornell edu
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Myricom cards and multiple instances of Snort -        how-to?
>
> Folks,
>
> We have a set of listener hosts with Myricom cards and their Sniffer-10G 
> driver.
Not familiar with Myricom cards :)
> In order to handle the quantity of traffic coming through, I need to 
> compile/configure/fold/spindle Snort into running multiple instances in 
> parallel per machine, and I'm not really getting how to do it. I've 
> compiled Snort 2.9.7.0 thus:
Multiple Snort instance need to be run at the same time, most probably within the startup script looping through based 
on the number of instances required. Make sure you have dedicate directories for each instance. If you have 3 instances 
of Snort, then you need to have something like:
Snort-1 --> Alerts --> /var/log/snort/snort-1Snort-2 --> Alerts --> /var/log/snort/snort-2Snort-3 --> Alerts --> 
/var/log/snort/snort-3
The same goes for Snort's own logs:
Snort-1 --> /var/snort/snort-1Snort-2 --> /var/snort/snort-2Snort-3 --> /var/snort/snort-3
Also, if you are using Barnyard2 to out to database, make sure each instance has unique sensor name in Barnyard2's 
configuration file.
>    ./configure \
>      --with-libpcap-includes=/opt/snf
>      --with-libpcap-libraries=/opt/snf
>      --with-daq-includes=/usr/local/include
>      --with-daq-libraries=/usr/local/lib
>    make
>    make install
>
> , but I suspect that I need to include PF_RING somehow, and can't figure 
> out the interplay between Snort, PF_RING, and the Sniffer-10G driver.
What binaries were generated from compiling the Sniffer-10G driver? Network driver, libpcap, daq module? In PF_RING, 
the previous 3 binaries get generated and used with Snort. At least in 2013, someone mentioned that Myricom do not have 
native DAQ, see http://seclists.org/snort/2013/q3/316 (I suggest you go through the whole conversation, good info 
there). Do Myricom have native DAQ now?
One thing you can try - if Myricom do not have their own DAQ - is to use PF_RING's DAQ module. Once complied, the 
binaries will reside in /usr/local/lib/daq. It is unclear to me if Myricom's libpcap will play nicely with PF_RING's 
DAQ. Then you can pass the daq type and variables to Snort command in your startup script or in the configuration 
file.. 
> Would anyone out there with a similar deployment have any insights they 
> could share?
>
> Thanks,
> -- 
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
>
> ------------------------------------------------------------------------------
> Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
> Get real-time metrics from all of your servers, apps and tools
> in one place.
> SourceForge users - Click here to start your Free Trial of Datadog now!
> http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!