Load balanced Snort
As I mentioned earlier, Snort lacks multi-threading, so other ways have to be figured out to ensure the required bandwidth is met.
I finally figured out that pf_ring is inherently capable of flow-based packet splitting, besides performing optimized packet capture using Direct NIC Access (DNA), which is a kind of DMA (direct memory access). pf_ring creates a circular buffer that allows applications to fetch data from it rather than from the driver.
Please follow the install guide from MetaFlows for inline Snort; it also works for Snort as an IDS rather than just IPS (inline) mode. Use the ntop version of pf_ring instead, as it is built for IDS rather than IPS.
It does a pretty good job of load balancing the traffic according to TCP streams or flows.
I have installed Snort with pf_ring; it currently monitors around 500 Mbps (~60-70k packets/second), and pf_ring seems to occasionally drop about 5-20% of traffic, which is still appreciable considering there are a lot of Snort rules active on the Snort sensor.
It is important to note that you should use a ~2.6.28 (minimum requirement) or so kernel version, as the current pf_ring version doesn't seem to be stable with Linux 3.0 or greater yet.
Also make sure the pf_ring-aware drivers are installed properly: to install them you will need to unload the current driver using the rmmod command (your driver name and version can be found using ethtool -i ethX) and then load your pf_ring driver using insmod "driver name".
Please refer to the MetaFlows website for an in-depth tutorial on installation:
http://www.snort.org/assets/186/PF_RING_Snort_Inline_Instructions.pdf
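The pre-checks and driver swap described above, plus starting several Snort readers on one pf_ring cluster, as an added shell example that is not part of the original post or the MetaFlows guide. The interface name, module paths and parameters (pf_ring.ko, transparent_mode, the aware driver), cluster id, instance count and log directories are assumptions; adjust them to your build.

```shell
#!/bin/sh
# Added example, not from the original post: the pre-checks and driver swap
# described above, plus starting several Snort readers on one PF_RING cluster.
# Interface, module paths/parameters, cluster id and instance count are assumptions.

# Accept kernels >= 2.6.28 and reject 3.x, the range the post reports as stable.
kernel_supported() {
    ver=${1:-$(uname -r)}
    ver=${ver%%-*}                       # drop "-194.el5" / "-generic" suffixes
    major=${ver%%.*}
    rest=${ver#*.}; minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "2.6" has no patch level
    patch=${patch%%.*}                   # 2.6.32.12 -> 32
    [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 28 ]
}

# Extract the driver name from captured `ethtool -i ethX` output.
current_driver() {
    printf '%s\n' "$1" | awk '$1 == "driver:" { print $2; exit }'
}

# Swap the stock NIC driver for the PF_RING-aware build (needs root; the link
# goes down while this runs). pf_ring.ko is loaded first because the aware
# driver depends on it; transparent_mode=2 is an assumed module parameter.
reload_pfring_driver() {
    iface=$1; pfring_ko=$2; aware_drv=$3   # e.g. eth1 .../pf_ring.ko .../igb.ko
    kernel_supported || { echo "kernel $(uname -r) outside stable range" >&2; return 1; }
    drv=$(current_driver "$(ethtool -i "$iface")") || return 1
    [ -n "$drv" ] || return 1
    rmmod "$drv" || return 1
    insmod "$pfring_ko" transparent_mode=2 && insmod "$aware_drv" || return 1
    ip link set "$iface" up
}

# Start N Snort readers sharing one cluster id: PF_RING hashes each flow to a
# single reader, so every packet of a TCP stream reaches the same instance.
start_snort_cluster() {
    iface=$1; n=$2; clusterid=${3:-99}
    i=0
    while [ "$i" -lt "$n" ]; do
        mkdir -p "/var/log/snort/$i"      # one log directory per reader
        snort -c /etc/snort/snort.conf -i "$iface" --daq pfring \
              --daq-var clusterid="$clusterid" -l "/var/log/snort/$i" -R "$i" -D
        i=$((i + 1))
    done
}
```

Run it as root with the interface you monitor, e.g. reload_pfring_driver eth1 /path/to/pf_ring.ko /path/to/igb.ko followed by start_snort_cluster eth1 4; the kernel check uses the running kernel when called without an argument.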