1. Home
  2. MCP Security Best Practices
  3. Use cases
  4. IDPS Suricata deployment as a VNF on OpenStack with OpenContrail
  5. IPS mode
  6. IPS mode using PF_RING

IPS mode using PF_RING

IPS mode using PF_RING

PF_RING is a Linux network socket that use NAPI to copy packets from the NIC to the PF_RING circular buffer, and then the user space application reads packets from the ring.

Note

For servers with physical network adapters you can use ZC, Napatech, Myricom, Linux TCP/IP Stack injection, Sysdig, Link Aggregation, Libzero consumer, DAG, DNA modules. You can also leverage PF_RING with ZC on a KVM virtual machine.

To enable IPS mode using vanilla ``PF_RING``:

  1. Install PF_RING packages:

    sudo apt-get install build-essential bison flex linux-headers-$(uname -r) libnuma-dev

  2. Download the latest PF_RING library, extract, and build the library:

    wget http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-6.2.0.tar.gz
tar -xvzf PF_RING-6.2.0.tar.gz
cd PF_RING-6.2.0/
make
cd kernel; sudo make install
cd ../userland/lib; sudo make install
cd ../userland/libpcap; ./configure; make
sudo cp libpcap* /usr/local/lib/; sudo cp pcap.h /usr/local/include/

    Note

    Verify that new libpcap library can be found by Suricata when configuring. For example, in /usr/local/lib/. Otherwise, you will see the following warning message:

    WARNING! libcap-ng library not found

  3. Verify that the PF_RING Linux kernel module has been successfully loaded:

    modinfo pf_ring
cat /proc/net/pf_ring/info

  4. Configure Suricata with --enable-pfring option and path to libs and include headers. For example:

    LIBS="-lrt -lnuma"
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-pfring --with-libpfring-includes=/usr/local/include \
--with-libpfring-libraries=/usr/local/lib

  5. Build and install Suricata:

    make
sudo make install-full

  6. Run Suricata with PF_RING:

    sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 \
--pfring-cluster-type=cluster_flow \
-c /etc/suricata/suricata.yaml -D

  7. Tune up PF_RING in suricata.yaml, if necessary. The eth0 interface is enabled by default:

    pfring:
- interface: eth0
threads: 1
cluster-id: 99
cluster-type: cluster_flow

  8. Test Suricata in IDS mode:

    1. Create /etc/suricata/rules/test.rules file and write the following rule:

      alert http any any -> any any (msg:"Alarm detected"; content:"Alarm";
nocase; classtype:policy-violation; sid:1; rev:1;)

    2. Add test.rules to a list of rules in the suricata.yaml configuration file.

    3. Start Suricata manually in a daemon mode:

      sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 \
--pfring-cluster-type=cluster_flow \
-c /etc/suricata/suricata.yaml -D

      Or update the active ruleset without rebooting Suricata:

      sudo kill -USR2 <suricata pid>

    4. Verify that suricata.log contains no errors after Suricata starts up:

      tail -f /etc/suricata/suricata.log

    5. Make any HTTP request with the word Alarm. For example:

      curl http://google.com/Alarm

    6. View the fast.log to verify if Suricata generated the alert message: Alarm detected:

      tail -f /etc/suricata/fast.log

See also

updated: 2024-01-04 11:46