PF_RING

``PF_RING`` is a Linux network socket that uses NAPI to copy packets from the NIC into the ``PF_RING`` circular buffer; the user space application then reads the packets from the ring.
Note

For servers with physical network adapters you can use the ZC, Napatech, Myricom, Linux TCP/IP stack injection, Sysdig, link aggregation, Libzero consumer, DAG and DNA modules. You can also leverage ``PF_RING`` with ZC on a KVM virtual machine.
To enable IPS mode using vanilla ``PF_RING``:
Install the packages required to build ``PF_RING``::

    sudo apt-get install build-essential bison flex linux-headers-$(uname -r) libnuma-dev
Download the latest ``PF_RING`` library, extract it, and build the library::

    wget http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-6.2.0.tar.gz
    tar -xvzf PF_RING-6.2.0.tar.gz
    cd PF_RING-6.2.0/
    make
    cd kernel; sudo make install
    cd ../userland/lib; sudo make install
    cd ../userland/libpcap; ./configure; make
    sudo cp libpcap* /usr/local/lib/; sudo cp pcap.h /usr/local/include/
Note

Verify that the new libpcap library can be found by Suricata when configuring, for example in ``/usr/local/lib/``. Otherwise, you will see the following warning message::

    WARNING! libcap-ng library not found
Verify that the ``PF_RING`` Linux kernel module has been successfully loaded::

    modinfo pf_ring
    cat /proc/net/pf_ring/info
Configure Suricata with the ``--enable-pfring`` option and the paths to the ``PF_RING`` libraries and include headers. The ``LIBS`` assignment must be on the same command line as ``./configure`` so that the configure script sees it. For example::

    LIBS="-lrt -lnuma" \
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
        --enable-pfring --with-libpfring-includes=/usr/local/include \
        --with-libpfring-libraries=/usr/local/lib
Build and install Suricata::

    make
    sudo make install-full
Run Suricata with ``PF_RING``::

    sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 \
        --pfring-cluster-type=cluster_flow \
        -c /etc/suricata/suricata.yaml -D
Tune ``PF_RING`` in ``suricata.yaml`` if necessary. The ``eth0`` interface is enabled by default::

    pfring:
      - interface: eth0
        threads: 1
        cluster-id: 99
        cluster-type: cluster_flow
Test Suricata in IDS mode:

Create the ``/etc/suricata/rules/test.rules`` file and write the following rule into it::

    alert http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase; classtype:policy-violation; sid:1; rev:1;)
Add ``test.rules`` to the list of rules in the ``suricata.yaml`` configuration file.
Start Suricata manually in daemon mode::

    sudo suricata --pfring-int=eth0 --pfring-cluster-id=99 \
        --pfring-cluster-type=cluster_flow \
        -c /etc/suricata/suricata.yaml -D

Or, if Suricata is already running, reload the active ruleset without restarting it::

    sudo kill -USR2 <suricata pid>
Verify that ``suricata.log`` contains no errors after Suricata starts up::

    tail -f /etc/suricata/suricata.log
Make any HTTP request containing the word ``Alarm``. For example::

    curl http://google.com/Alarm
View ``fast.log`` to verify that Suricata generated the alert message ``Alarm detected``::

    tail -f /etc/suricata/fast.log
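The last three steps (send the request, then watch ``fast.log``) are easy to get wrong by eye, because any alert containing the text would look like a hit. The script below is an added example, not part of the original page or of the Suricata project: it polls ``fast.log`` until an alert with the page's signature (gid 1, sid 1, message ``Alarm detected``) appears, and counts such alerts before and after the request so that a stale line from an earlier run does not count as success. The log path ``/etc/suricata/fast.log`` is the one used on this page; the sample log lines written by ``make_sample_log`` are constructed for an offline self-check and are not real Suricata output.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that the test rule
# from test.rules actually fired after the HTTP request, instead of
# reading "tail -f fast.log" by eye.
#
# Assumptions: the rule uses sid 1 and msg "Alarm detected" as on the page;
# fast.log lines have the form
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] ...
# so the check anchors on "[1:<sid>:<rev>] <msg>", not on the message alone.

# Return 0 if at least one alert for the given sid/msg is in the log.
alert_fired() {
    log="$1"; sid="$2"; msg="$3"
    grep -q "\[1:$sid:[0-9]*\] $msg" "$log"
}

# Print the number of matching alerts; prints 0 (and succeeds) when none.
alert_count() {
    log="$1"; sid="$2"; msg="$3"
    grep -c "\[1:$sid:[0-9]*\] $msg" "$log" || true
}

# Poll the log for up to $4 seconds (default 10). Returns 0 as soon as the
# alert is present, 1 on timeout.
wait_for_alert() {
    log="$1"; sid="$2"; msg="$3"; timeout="${4:-10}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        alert_fired "$log" "$sid" "$msg" && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Send the request from the page and require a *new* alert to be logged.
# Usage on a live sensor: trigger_and_check http://google.com/Alarm
trigger_and_check() {
    url="$1"; log="${2:-/etc/suricata/fast.log}"
    before=$(alert_count "$log" 1 "Alarm detected")
    curl -s -o /dev/null "$url"
    wait_for_alert "$log" 1 "Alarm detected" 10 || return 1
    after=$(alert_count "$log" 1 "Alarm detected")
    [ "$after" -gt "$before" ]
}

# Constructed sample fast.log for an offline self-check: two alerts from
# sid 1 and one unrelated alert. Writes a temp file and prints its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
04/10/2023-12:00:00.123456  [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:52344 -> 93.184.216.34:80
04/10/2023-12:00:01.654321  [**] [1:9000002:1] Unrelated test alert [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.5:52344 -> 93.184.216.34:80
04/10/2023-12:00:02.000001  [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:52345 -> 93.184.216.34:80
EOF
    echo "$f"
}

# Stand-alone self-check against the constructed log.
selfcheck() {
    f=$(make_sample_log)
    wait_for_alert "$f" 1 "Alarm detected" 2 && \
        [ "$(alert_count "$f" 1 "Alarm detected")" -eq 2 ]
    rc=$?
    rm -f "$f"
    return $rc
}
```

On a live sensor, run ``trigger_and_check http://google.com/Alarm`` after Suricata has started; a non-zero exit means either the rule never fired within the timeout or only pre-existing alerts were found, both of which point at the rule file not being loaded (check ``suricata.log`` and the ``USR2`` reload step above).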