PF_RING
Suricata PF_RING installation instructions
Note: the Suricata PF_RING setup seems to differ. For details see below.

## Debian Testing (Jessie)

Note: installation not working as of 16th December 2013.
See: https://github.com/msantos/epcap/issues/14

See the PF_RING User Guide.
```bash
svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/
cd PF_RING/kernel
make
cd ../userland
make
cd <PF_RING PATH>/userland/lib
./configure
make
sudo make install
cd ../libpcap
./configure
make
```

Load the kernel module:

```bash
sudo insmod <PF_RING PATH>/kernel/pf_ring.ko [transparent_mode=0|1|2] [min_num_slots=x] [enable_tx_capture=1|0] [enable_ip_defrag=1|0] [quick_mode=1|0]
```

See the PF_RING User Guide for the definitions of the insmod parameters.
Here are the instructions I use to install PF_RING on CentOS 6.5:

- Update the system to the current state:

  ```bash
  yum update
  ```

- Install the necessary packages:

  ```bash
  yum install vim-enhanced wget kernel-headers flex bison gcc gcc-c++ make kernel-devel man man-pages
  ```

- Download the stable (5.6.1) PF_RING distribution from
  http://sourceforge.net/projects/ntop/files/PF_RING/

- Unpack and compile the kernel module:

  ```bash
  tar -zxpvf PF_RING-5.6.1.tar.gz
  cd PF_RING-5.6.1/
  cd kernel && make && make install
  ```

- Compile the userland libraries:

  ```bash
  cd userland/lib && ./configure && make && make install
  ```

- Load the kernel module:

  ```bash
  modprobe pf_ring
  ```

- Configure the linker:

  ```bash
  echo "/usr/local/lib" > /etc/ld.so.conf.d/local.conf
  ldconfig
  ```

- Make the kernel module load during system start by creating the file
  `/etc/sysconfig/modules/pf_ring.modules` with the following content:

  ```sh
  #!/bin/sh
  modprobe pf_ring
  ```

- Set the x bit on it:

  ```bash
  chmod +x /etc/sysconfig/modules/pf_ring.modules
  ```

- Compile and install the bundled libpcap:

  ```bash
  cd PF_RING-5.6.1/userland/libpcap
  ./configure
  make && make install
  ```

  After that run `ldconfig`.
To install esl-erlang perform the steps below (see also Erlang-Solutions):

```bash
rpm -ivh http://packages.erlang-solutions.com/erlang-solutions-1.0-1.noarch.rpm
yum install esl-erlang
```
- Opened one epcap instance using a cluster_id and in parallel fetched the files with `dumpcap -i eth0`. As a result only the packets in one direction (outgoing) are captured.
- When setting up 2 instances of the Erlang VM they are not able to communicate, even though I have set the names and cookies correctly. This seems to be an issue with the Erlang installation. (Tested with Erlang 16B02 and 16B03 from Erlang Solutions.)
- When setting up multiple instances of epcap they seem to get the same data. This may be useful in some cases, in others not.
```bash
cd epcap
PFRING=/usr/local/lib make all
```

Error message: `sudo: sorry, you must have a tty to run sudo`
See: https://github.com/msantos/epcap/issues/15
See also: NTOP.

## Suricata (suricata.yaml)

See the suricata.yaml documentation, chapters "Flow and Stream handling" and "Packet Acquisition".

Suricata seems to filter packets based on flows (tuples of source IP address, source port, destination IP address, destination port), depending on the cluster_id.
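The observation above, and the earlier note that an epcap instance opened with a cluster_id saw only the outgoing direction of traffic, both come down to how packets are distributed to cluster members by flow. The following is an added illustration, not PF_RING's or Suricata's own hashing code: it uses an assumed SHA-256 stand-in for the cluster hash and constructed sample flows to show that hashing the 5-tuple as seen on the wire can send a request and its reply to different members, while ordering the endpoints first keeps both directions on the same member.

```python
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int = 6  # TCP


def _bucket(*fields) -> int:
    # Stable stand-in for a cluster hash; an assumption, not PF_RING's algorithm.
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def asymmetric_member(pkt: Packet, members: int) -> int:
    """Hash the 5-tuple as seen on the wire: a request and its reply differ."""
    return _bucket(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto) % members


def symmetric_member(pkt: Packet, members: int) -> int:
    """Order the two endpoints first so both directions share one member."""
    lo, hi = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return _bucket(*lo, *hi, pkt.proto) % members


def reply(pkt: Packet) -> Packet:
    """The reverse direction of the same flow."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)


def split_fraction(flows, members, assign) -> float:
    """Fraction of flows whose two directions land on different members."""
    split = sum(1 for f in flows if assign(f, members) != assign(reply(f), members))
    return split / len(flows)


# Constructed sample: 200 client connections to one web server.
SAMPLE_FLOWS = [Packet(f"10.0.0.{i + 1}", 40000 + i, "192.0.2.10", 80)
                for i in range(200)]

if __name__ == "__main__":
    for name, fn in (("asymmetric", asymmetric_member), ("symmetric", symmetric_member)):
        frac = split_fraction(SAMPLE_FLOWS, 4, fn)
        print(f"{name:10s} flows split across 4 members: {frac:.2f}")
```

With four members the asymmetric scheme splits roughly three quarters of the flows, so a consumer bound to one member sees only one direction of those connections; the symmetric scheme splits none.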