Snort mailing list archives
pf_ring and snort
From: James <snort () cyclohexane net>
Date: Mon, 19 Oct 2015 15:27:58 +0100
Hi all,

I'm attempting to make a set of instructions in advance of getting the actual server to unleash it upon. The server will be RHEL 6.5 with a 10gb intel nic, which I'd like to put snort in IDS mode on. I think I'm correct that pf_ring is a "good thing", so I'd like to use that. I've spent days trawling the web but have found lots of conflicting guides which have confused as much as helped me.

Could I ask someone to scan these steps and tell me if I've missed something vital, done it in the wrong order or otherwise done something stupid please? Your help is much appreciated.

The short version:

- Use yum to obtain a variety of things the subsequent steps depend on
- Use git to obtain pf_ring and install it
- Install the pf_ring ZC 10gb intel driver
- Get and install libdnet from source
- Get and install the snort daq from source
- Get and install snort from source
- Install the pf_ring daq module
- Start snort with some relevant pf_ring zc parameters
- If that works, next steps configuring snort and barnyard

The long version:

sudo yum -y install wget git kernel-devel libtool subversion automake make autoconf pcre-devel libpcap-devel libpcap flex bison byacc gcc gcc-c++ zlib-devel numactl numactl-devel
sudo yum install "kernel-devel-uname-r == $(uname -r)"

git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel
make
sudo make install
sudo insmod ./pf_ring.ko
cd ../userland
make

cd ../drivers/PF_RING_aware/intel/ixgbe/ixgbe-4.1.2-zc/src
make
./load_driver.sh

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar zxvf libdnet-1.12.tgz
cd libdnet-1.12
./configure; make; sudo make install

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
./configure; make; sudo make install

wget https://www.snort.org/downloads/snort/snort-2.9.7.6.tar.gz
tar xvfz snort-2.9.7.6.tar.gz
cd snort-2.9.7.6
./configure --enable-sourcefire -enable-reload; make; sudo make install

cd PF_RING/userland/snort/pfring-daq-module-zc
autoreconf -ivf
./configure
make
sudo make install

snort --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth1 --daq-var clusterid=1 -v -e
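A pre-flight script that confirms the steps above actually took effect before Snort is started in passive mode; this is an added example, not part of James's mail or of the PF_RING project. It assumes `pf_ring.ko` exposes `/proc/net/pf_ring`, that `snort --daq-list` prints each DAQ module name at the start of a line, and that the ZC interface is named `zc:<dev>` as in the post.

```sh
#!/bin/sh
# Pre-flight checks for the pf_ring + Snort build described in the mail.
# Each check takes command output as an argument so it can be exercised
# offline with constructed text; `--live` gathers real output on the box.

# Is the pf_ring kernel module loaded?  (argument: output of `lsmod`)
pfring_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "pf_ring" { found = 1 } END { exit !found }'
}

# Did the Snort DAQ library pick up the pfring_zc module?
# (argument: output of `snort --daq-dir=/usr/local/lib/daq --daq-list`)
daq_has_pfring_zc() {
    printf '%s\n' "$1" | grep -q '^pfring_zc'
}

# Is the interface in the zc:<dev> form the pfring_zc DAQ expects?
valid_zc_iface() {
    case "$1" in
        zc:[a-z]*[0-9]*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Live mode: run every check against the running system and report.
if [ "${1:-}" = "--live" ]; then
    iface="${2:-zc:eth1}"
    fail=0
    pfring_module_loaded "$(lsmod)" \
        || { echo "FAIL: pf_ring.ko not loaded (insmod step)"; fail=1; }
    [ -d /proc/net/pf_ring ] \
        || { echo "FAIL: /proc/net/pf_ring missing"; fail=1; }
    daq_has_pfring_zc "$(snort --daq-dir=/usr/local/lib/daq --daq-list 2>&1)" \
        || { echo "FAIL: pfring_zc DAQ module not found in /usr/local/lib/daq"; fail=1; }
    valid_zc_iface "$iface" \
        || { echo "FAIL: interface '$iface' is not in zc:<dev> form"; fail=1; }
    [ "$fail" -eq 0 ] && echo "OK: ready to start snort on $iface"
    exit "$fail"
fi
```

Run it as `sh preflight.sh --live zc:eth1` after the `sudo make install` of the DAQ module; a non-zero exit points at the step that did not take.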