IPS mode using PF_RING

IPS mode using PF_RING

PF_RING is a Linux network socket that use NAPI to copy packets from the NIC to the PF_RING circular buffer, and then the user space application reads packets from the ring.


For servers with physical network adapters you can use ZC, Napatech, Myricom, Linux TCP/IP Stack injection, Sysdig, Link Aggregation, Libzero consumer, DAG, DNA modules. You can also leverage PF_RING with ZC on a KVM virtual machine.

To enable IPS mode using vanilla ``PF_RING``:

  1. Install PF_RING packages:

    sudo apt-get install build-essential bison flex linux-headers-$(uname -r) libnuma-dev
  2. Download the latest PF_RING library, extract, and build the library:

    wget http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-6.2.0.tar.gz
    tar -xvzf PF_RING-6.2.0.tar.gz
    cd PF_RING-6.2.0/
    cd kernel; sudo make install
    cd ../userland/lib; sudo make install
    cd ../userland/libpcap; ./configure; make
    sudo cp libpcap* /usr/local/lib/; sudo cp pcap.h /usr/local/include/


    Verify that new libpcap library can be found by Suricata when configuring. For example, in /usr/local/lib/. Otherwise, you will see the following warning message:

    WARNING! libcap-ng library not found
  3. Verify that the PF_RING Linux kernel module has been successfully loaded:

    modinfo pf_ring
    cat /proc/net/pf_ring/info
  4. Configure Suricata with --enable-pfring option and path to libs and include headers. For example:

    LIBS="-lrt -lnuma"
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
    --enable-pfring --with-libpfring-includes=/usr/local/include \
  5. Build and install Suricata:

    sudo make install-full
  6. Run Suricata with PF_RING:

    sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 \
    --pfring-cluster-type=cluster_flow \
    -c /etc/suricata/suricata.yaml -D
  7. Tune up PF_RING in suricata.yaml, if necessary. The eth0 interface is enabled by default:

    - interface: eth0
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
  8. Test Suricata in IDS mode:

    1. Create /etc/suricata/rules/test.rules file and write the following rule:

      alert http any any -> any any (msg:"Alarm detected"; content:"Alarm";
      nocase; classtype:policy-violation; sid:1; rev:1;)
    2. Add test.rules to a list of rules in the suricata.yaml configuration file.

    3. Start Suricata manually in a daemon mode:

      sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 \
      --pfring-cluster-type=cluster_flow \
      -c /etc/suricata/suricata.yaml -D

      Or update the active ruleset without rebooting Suricata:

      sudo kill -USR2 <suricata pid>
    4. Verify that suricata.log contains no errors after Suricata starts up:

      tail -f /etc/suricata/suricata.log
    5. Make any HTTP request with the word Alarm. For example:

      curl http://google.com/Alarm
    6. View the fast.log to verify if Suricata generated the alert message: Alarm detected:

      tail -f /etc/suricata/fast.log