[Snort-users] Question

Will Metcalf william.metcalf at ...11827...
Mon Jul 25 14:21:50 EDT 2011


I don't know why you wouldn't go the extra step to build PF_RING daq,
but still compile PF_RING-enabled libpcap. However if you are in this
position you can actually assign cluster id and type from env vars in
libpcap via PCAP_PF_RING_CLUSTER_ID and
PCAP_PF_RING_USE_CLUSTER_PER_FLOW.

Regards,

Will

On Mon, Jul 25, 2011 at 12:30 PM, Martin Holste <mcholste at ...11827...> wrote:
>> Good info. I am running in AC. For now I am running without the buffers. I'll take the packet loss over having Snort stop running. I guess I will reevaluate my rule set to get that trimmed up... until Snort can multi-thread... God I can't wait until that.
>>
> Good news!  Even though Snort itself is single threaded, PF_RING has
> software load-balancing capabilities which will allow you to run it as
> if it were multi-threaded.  Here's the glossed-over version of the
> howto:
>
> 1. Get PF_RING with the snort daq included
>  svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/
> 2. Compile the daq (assuming PF_RING installed to /opt/PF_RING)
>  ./configure --with-pic --with-libpcap-includes=/opt/PF_RING/include \
>    CFLAGS="-lpthread -lpfring -lpcap -D_GNU_SOURCE" && make && make install
> 3. Add the following to your snort.conf:
>  config daq: pfring
>  config daq_dir: /usr/local/lib/daq
>  config daq_var: clusterid=44 (this can be any number < 255)
> 4. Start snort with a shell script wrapper like this (assuming you
> have 8 CPU's and you are sniffing eth2):
> #!/bin/sh
> for COUNTER in 0 1 2 3 4 5 6 7; do
>        mkdir -p /tmp/snort$COUNTER
>        # only kill a previous instance if its pid file is there
>        if [ -f /tmp/snort$COUNTER/snort_eth2.pid ]; then
>                kill $(cat /tmp/snort$COUNTER/snort_eth2.pid)
>                sleep 5
>        fi
>        /usr/local/snort/bin/snort -c /etc/snort/snort.conf \
>                --pid-path=/tmp/snort$COUNTER -l /tmp/snort$COUNTER \
>                --daq-var bindcpu=$COUNTER -D &
> done
> 5. Profit
>
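The procedure quoted above (one Snort process per core, all joined to the same PF_RING cluster id, each pinned with bindcpu), written out as a complete wrapper. This is an added example, not a script from the thread or from the Snort or PF_RING projects; the binary path, snort.conf path, interface name eth2, cluster id 44 and /tmp/snortN directories are assumptions carried over from the post and can be overridden from the environment. It passes the DAQ settings on the command line instead of in snort.conf, so one config file serves all workers, and it only kills a previous instance when its pid file points at a live process.

```shell
#!/bin/sh
# Added example: launch one Snort instance per CPU core on a shared PF_RING
# cluster. Paths, interface and cluster id are assumptions from the post
# above; override any of them from the environment.

SNORT=${SNORT:-/usr/local/snort/bin/snort}   # snort binary (assumed path)
CONF=${CONF:-/etc/snort/snort.conf}          # shared snort.conf (assumed path)
IFACE=${IFACE:-eth2}                         # sniffed interface
CLUSTER_ID=${CLUSTER_ID:-44}                 # same for every worker, < 255
NCPU=${NCPU:-8}                              # number of workers = cores
BASE=${BASE:-/tmp/snort}                     # worker n uses directory $BASE<n>
DRY_RUN=${DRY_RUN:-0}                        # 1 = print commands, do not exec

# Command line for worker $1 (0-based core index). Every worker names the
# same clusterid, so the PF_RING kernel module balances flows across them;
# bindcpu pins the worker to its core.
snort_cmd() {
    dir="$BASE$1"
    printf '%s -c %s -i %s --pid-path=%s -l %s --daq pfring --daq-var clusterid=%s --daq-var bindcpu=%s -D\n' \
        "$SNORT" "$CONF" "$IFACE" "$dir" "$dir" "$CLUSTER_ID" "$1"
}

# Stop a previous worker only if its pid file exists and the pid is alive;
# a stale pid file is removed rather than handed to kill.
stop_worker() {
    pidfile="$BASE$1/snort_$IFACE.pid"
    [ -f "$pidfile" ] || return 0
    pid=$(cat "$pidfile")
    if kill -0 "$pid" 2>/dev/null; then
        kill "$pid"
        sleep 5
    fi
    rm -f "$pidfile"
}

# Start (or restart) all workers. With DRY_RUN=1 the commands are printed,
# one per line, instead of being executed.
start_workers() {
    i=0
    while [ "$i" -lt "$NCPU" ]; do
        mkdir -p "$BASE$i"
        stop_worker "$i"
        if [ "$DRY_RUN" = 1 ]; then
            snort_cmd "$i"
        else
            # -D daemonizes snort, so no trailing & is needed. eval is fine
            # here because none of the assumed paths contain whitespace.
            eval "$(snort_cmd "$i")"
        fi
        i=$((i + 1))
    done
}

case "${1:-}" in
    start)   start_workers ;;
    dry-run) DRY_RUN=1; start_workers ;;
esac
```

Run it as `sh snort-workers.sh dry-run` first to see the eight command lines, then `sh snort-workers.sh start`. If you only have a PF_RING-enabled libpcap and the stock pcap DAQ, as in Will's reply, the cluster settings come from the PCAP_PF_RING_CLUSTER_ID and PCAP_PF_RING_USE_CLUSTER_PER_FLOW environment variables instead of the clusterid daq-var, and CPU pinning has to be done outside Snort.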



