[Snort-users] Myricom cards and multiple instances of Snort - how-to?

Y M snort at ...15979...
Sat Sep 5 12:56:37 EDT 2015
Comments inline.

> Date: Thu, 3 Sep 2015 12:01:06 -0400
> From: gl89 at ...1712...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Myricom cards and multiple instances of Snort -	how-to?
> 
> Folks,
> 
> We have a set of listener hosts with Myricom cards and their Sniffer-10G 
> driver.
> 
Not familiar with Myricom cards :)
> In order to handle the quantity of traffic coming through, I need to 
> compile/configure/fold/spindle Snort into running multiple instances in 
> parallel per machine, and I'm not really getting how to do it. I've 
> compiled Snort 2.9.7.0 thus:
Multiple Snort instances need to be run at the same time, most probably with the startup script looping through based on the number of instances required. Make sure you have dedicated directories for each instance. If you have 3 instances of Snort, then you need to have something like:
Snort-1 --> Alerts --> /var/log/snort/snort-1
Snort-2 --> Alerts --> /var/log/snort/snort-2
Snort-3 --> Alerts --> /var/log/snort/snort-3
The same goes for Snort's own logs:
Snort-1 --> /var/snort/snort-1
Snort-2 --> /var/snort/snort-2
Snort-3 --> /var/snort/snort-3
Also, if you are using Barnyard2 to output to a database, make sure each instance has a unique sensor name in Barnyard2's configuration file.
> 
>    ./configure \
>      --with-libpcap-includes=/opt/snf \
>      --with-libpcap-libraries=/opt/snf \
>      --with-daq-includes=/usr/local/include \
>      --with-daq-libraries=/usr/local/lib
>    make
>    make install
> 
> , but I suspect that I need to include PF_RING somehow, and can't figure 
> out the interplay between Snort, PF_RING, and the Sniffer-10G driver.
> 
What binaries were generated from compiling the Sniffer-10G driver? Network driver, libpcap, daq module? In PF_RING, the previous 3 binaries get generated and used with Snort. At least in 2013, someone mentioned that Myricom do not have native DAQ, see http://seclists.org/snort/2013/q3/316 (I suggest you go through the whole conversation, good info there). Do Myricom have native DAQ now?
One thing you can try - if Myricom do not have their own DAQ - is to use PF_RING's DAQ module. Once compiled, the binaries will reside in /usr/local/lib/daq. It is unclear to me if Myricom's libpcap will play nicely with PF_RING's DAQ. Then you can pass the DAQ type and variables to the Snort command in your startup script or in the configuration file.
> Would anyone out there with a similar deployment have any insights they 
> could share?
> 
> Thanks,
> -- 
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
> 
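A startup script of the shape the reply describes, added here as an example and not taken from the thread: it loops over the instance count, gives each Snort its own alert directory under /var/log/snort and its own log/pid directory under /var/snort, and hands the PF_RING DAQ type and variables to Snort on the command line. The binary and config paths, the interface, the -G and --pid-path flags and the PF_RING clusterid variable are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the list thread). Starts NUM_INSTANCES copies of
# Snort, each with dedicated directories, as recommended in the reply above.
# Paths, interface and DAQ settings below are assumptions; adapt to your build.

SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
IFACE="${IFACE:-eth2}"
NUM_INSTANCES="${NUM_INSTANCES:-3}"
CLUSTER_ID="${CLUSTER_ID:-99}"   # PF_RING cluster shared by all instances
ALERT_BASE="/var/log/snort"      # alerts:  /var/log/snort/snort-N
SNORT_LOG_BASE="/var/snort"      # Snort's own logs/pid: /var/snort/snort-N
DAQ_DIR="/usr/local/lib/daq"     # where the PF_RING DAQ module was installed

alert_dir()     { printf '%s/snort-%s\n' "$ALERT_BASE" "$1"; }
snort_log_dir() { printf '%s/snort-%s\n' "$SNORT_LOG_BASE" "$1"; }

# Command line for instance N. -l separates the alert output, --pid-path
# separates the pid files, -G gives each instance its own event-log
# identifier, and the shared PF_RING clusterid lets the kernel module spread
# flows across the instances that join that cluster.
snort_cmd() {
    n="$1"
    printf '%s -D -c %s -i %s -l %s --pid-path %s -G %s --daq pfring --daq-dir %s --daq-var clusterid=%s\n' \
        "$SNORT_BIN" "$SNORT_CONF" "$IFACE" "$(alert_dir "$n")" \
        "$(snort_log_dir "$n")" "$n" "$DAQ_DIR" "$CLUSTER_ID"
}

# Create the per-instance directories and launch every instance.
# (A Barnyard2 config per instance, each with a unique sensor name, would
# be generated the same way; it is left out to keep the script short.)
start_all() {
    n=1
    while [ "$n" -le "$NUM_INSTANCES" ]; do
        mkdir -p "$(alert_dir "$n")" "$(snort_log_dir "$n")"
        eval "$(snort_cmd "$n")"   # run the assembled command line
        n=$((n + 1))
    done
}

# Only launch when explicitly asked, so the file can be sourced to inspect
# the command lines first (e.g. `snort_cmd 2`).
if [ "${START_SNORT:-0}" = 1 ]; then
    start_all
fi
```

Run with `START_SNORT=1 NUM_INSTANCES=3 sh start-snort.sh` as root once the paths match your install; until then, source it and call `snort_cmd N` to check each instance's command line.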
