[Snort-users] Multiple Snort Instances - One Interface

Will Metcalf william.metcalf at ...11827...
Fri Oct 29 14:40:08 EDT 2010

Ahhh James Thornton, you found the marble in the oatmeal. You're a lucky,
lucky, lucky little boy, because you wanna know why? You get to drink
from the IDS FIREHOSE!!!
Butchering quotes from Weird Al Yankovic's masterpiece UHF aside, this is
now possible with the version of PF_RING in SVN. It should be noted
that the code is probably still of beta quality.  Luca Deri did a lot
of awesome work developing a PF_RING-aware DAQ module.  I helped a bit
by adding support for load balancing based on flow via PF_RING
clusters and setting per-process affinity.  It is incomplete at the
moment, i.e. last time I checked it didn't have support for filtering
packets.  Additionally, code should probably be added to allow a list of
processes to be added to the CPU set. If you want to check it out you
can follow the instructions here on building PF_RING as a DKMS module.


Additionally, you will have to build the PF_RING-aware DAQ by going into
the daq-0.2 dir and doing the following:

./configure --with-libpfring-libraries=/opt/PF_RING/lib \
    --prefix=/opt/PF_RING && make && sudo make install

Then download Snort 2.9.0 and build with the following params:

PATH="/opt/PF_RING/bin:$PATH" ./configure --enable-perfprofiling \
    --prefix=/opt/PF_RING && make && make install

/opt/PF_RING/bin/snort -c etc/snort.conf --pid-path=./log2 -D --daq pfring \
    -i eth1 --daq-var clusterid=44 --daq-var bindcpu=1 -l ./log1
/opt/PF_RING/bin/snort -c etc/snort.conf --pid-path=./log3 -D --daq pfring \
    -i eth1 --daq-var clusterid=44 --daq-var bindcpu=2 -l ./log2
/opt/PF_RING/bin/snort -c etc/snort.conf --pid-path=./log4 -D --daq pfring \
    -i eth1 --daq-var clusterid=44 --daq-var bindcpu=3 -l ./log3

You will then have traffic load balanced across multiple Snort
processes based on flow. Enjoy drinking from the IDS firehose ;-)...
Also, you could always check out other err ummm open source IDS
projects that support this functionality natively ;-)



On Fri, Oct 29, 2010 at 12:48 PM, James Thornton
<james.f.thornton at ...11827...> wrote:
> I could be mistaken, but I believe you need the TNAPI driver with PF_RING to
> accomplish this.  The TNAPI driver is roughly $400.  That is outside of my
> budget at the moment.
> Thanks,
> Jim T
> On Fri, Oct 29, 2010 at 1:30 PM, Will Metcalf <william.metcalf at ...14542....>
> wrote:
>> What's wrong with using PF_RING to do this? ;-)
>> Regards,
>> Will
>> On Fri, Oct 29, 2010 at 8:38 AM, James Thornton
>> <james.f.thornton at ...11827...> wrote:
>> > All -
>> >
>> > On my quad core system, I would like to load-balance traffic from a single
>> > Ethernet device across two or four Snort processes.  Has anyone on the list
>> > accomplished this in the past?  Aside from the PF_RING library, I've had no
>> > success on Internet searches for load balancing software modules that
>> > provide this capability.  Any guidance from the group would be
>> > appreciated.
>> >
>> > Thank You,
>> >
>> > Jim T
>> >
>> >

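The launch step in the message above, as an added example that is not part of the thread and not Will's or the PF_RING project's own code: a small POSIX sh launcher that starts N Snort processes on one interface, all with the same PF_RING clusterid (which is what makes the pfring DAQ hand each flow to exactly one of them), each pinned to its own CPU and each with its own pid-path and log directory so the instances cannot overwrite each other's snort_eth1.pid or alert files. The /opt/PF_RING prefix, eth1 and clusterid=44 come from the thread; the per-instance directory layout under ./snortlogs, the helper names, and the check for /proc/net/pf_ring as a sign that the module is loaded are this example's own assumptions.

```shell
#!/bin/sh
# Added example: launch N Snort processes on one interface sharing a PF_RING
# cluster id, so the pfring DAQ load-balances by flow, each pinned to a CPU.
# Install prefix, interface and cluster id follow the thread; the log layout,
# helper names and the /proc check are this example's own assumptions.

SNORT=${SNORT:-/opt/PF_RING/bin/snort}
CONF=${CONF:-/opt/PF_RING/etc/snort.conf}
IFACE=${IFACE:-eth1}
CLUSTER_ID=${CLUSTER_ID:-44}     # every instance must use the same id
LOGROOT=${LOGROOT:-./snortlogs}  # per-instance subdirectories live here

# Number of online CPUs we can pin to (Linux nproc, with a POSIX fallback).
cpu_count() {
    nproc 2>/dev/null || getconf _NPROCESSORS_ONLN
}

# Command line for instance N (1-based). Each instance gets its own
# --pid-path and -l directory; several snorts sharing one directory would
# fight over snort_<iface>.pid and the alert/unified2 files. bindcpu=N pins
# the process to CPU N, leaving CPU 0 free for interrupt handling.
snort_cmd() {
    n=$1
    printf '%s -c %s -D --daq pfring -i %s --daq-var clusterid=%s --daq-var bindcpu=%s --pid-path=%s/inst%s -l %s/inst%s\n' \
        "$SNORT" "$CONF" "$IFACE" "$CLUSTER_ID" "$n" \
        "$LOGROOT" "$n" "$LOGROOT" "$n"
}

# Sanity checks before touching the sensor: the pf_ring kernel module
# exposes /proc/net/pf_ring when loaded (assumption: Linux with PF_RING),
# and bindcpu=1..N needs at least N+1 CPUs.
preflight() {
    n=$1
    [ -d /proc/net/pf_ring ] || { echo "pf_ring module not loaded" >&2; return 1; }
    [ "$n" -lt "$(cpu_count)" ] || { echo "need more than $n CPUs for bindcpu=1..$n" >&2; return 1; }
    return 0
}

# Launch N instances. With DRY_RUN=1 only the command lines are printed,
# which is what the test exercises; nothing is started in that mode.
launch_all() {
    n=$1
    i=1
    while [ "$i" -le "$n" ]; do
        cmd=$(snort_cmd "$i")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            mkdir -p "$LOGROOT/inst$i"
            $cmd   # word-split on purpose: no argument contains whitespace
        fi
        i=$((i + 1))
    done
}

# Usage: ./snort-pfring.sh run [N]   (defaults to cpu_count()-1 instances)
case "${1:-}" in
    run)
        n=${2:-$(( $(cpu_count) - 1 ))}
        preflight "$n" && launch_all "$n"
        ;;
esac
```

Run it as `DRY_RUN=1 ./snort-pfring.sh run 3` first to inspect the three command lines; note that the clusterid is the only value shared across instances, while bindcpu, pid-path and the -l directory differ per instance.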