
Run suricata with pfring on ubuntu

PF_RING is built for high-speed packet capture. This post notes how to install and run Suricata with PF_RING on Ubuntu 22.04.

Install

  1. Download the pf_ring 8.2.0 source and install the kernel module and the userland library:
cd PF_RING-8.2.0/kernel
make && make install

cd PF_RING-8.2.0/userland/lib
./configure
make && make install
  2. Download and install the latest stable version 6.0.8 of suricata, building it with pf_ring support:
cd suricata-6.0.8
./configure --localstatedir=/var --enable-lua \
--enable-pfring --with-libpfring-includes=/usr/local/include \
--with-libpfring-libraries=/usr/local/pfring/lib
make && make install-full

The key step is pointing configure at the pf_ring include and library paths.

To verify the installation, check the build information:

suricata --build-info | grep PF_RING
PF_RING support:                         yes

or check the linked libraries with ldd:

$ ldd /usr/local/bin/suricata | grep pfring
        libpfring.so.8 => /usr/local/lib/libpfring.so.8 (0x00007fbc12f79000)

Run

PF_RING ships its own (ZC) drivers for particular network adapters; the ixgbe driver is used as the example here.
1. Load the pf_ring driver:

# cd PF_RING-8.2.0/drivers/intel/ixgbe/ixgbe-5.5.3-zc/src
# ./load_driver.sh

Configuring ens160
IFACE CORE MASK -> FILE
=======================
ens160 0 1 -> /proc/irq/57/smp_affinity
VFs can be enabled on ens160 running: echo '2' > /sys/bus/pci/devices/0000:03:00.0/sriov_numvfs
Warning: 512 hugepages available, 1024 requested
root@sensor:/etc/suricata# pf_ringcfg --list-interfaces
Name: ens33                Driver: e1000      RSS:     1    [Linux Driver] 
Name: ens160               Driver: ixgbe      RSS:     1    [Running ZC]
  2. Configure Suricata by editing the suricata.yaml file:

pfring:
  - interface: ens160
    # Number of receive threads. If set to 'auto' Suricata will first try
    # to use CPU (core) count and otherwise RSS queue count.
    threads: auto

    # Default clusterid. PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99

    # Default PF_RING cluster type. PF_RING can load balance per flow.
    # Possible values are cluster_flow or cluster_round_robin.
    cluster-type: cluster_flow

    # bpf filter for this interface
    #bpf-filter: tcp

    # If bypass is set then the PF_RING hw bypass is activated, when supported
    # by the network interface. Suricata will instruct the interface to bypass
    # all future packets for a flow that need to be bypassed.
    #bypass: yes

Essentially, three settings need to be configured:

  • the pfring network interface
  • a cluster-id, so that all Suricata threads join the same pfring cluster
  • the cluster type, set to cluster_flow so that packets of the same flow/connection are always processed by the same thread
  3. Run Suricata with the pfring capture method:
 suricata --pfring -c /etc/suricata/suricata.yaml

The following startup output shows that Suricata runs with 48 threads and has attached to pfring correctly (flow cluster mode on ens160):

31/10/2022 -- 03:01:47 - - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
31/10/2022 -- 03:01:47 - - CPUs/cores online: 48
31/10/2022 -- 03:01:47 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
31/10/2022 -- 03:01:47 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
31/10/2022 -- 03:01:47 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
31/10/2022 -- 03:01:47 - - Found an MTU of 1500 for 'ens160'
31/10/2022 -- 03:01:47 - - Found an MTU of 1500 for 'ens160'
31/10/2022 -- 03:01:47 - - fast output device (regular) initialized: fast.log
31/10/2022 -- 03:01:47 - - eve-log output device (regular) initialized: eve.json
31/10/2022 -- 03:01:47 - - http-log output device (regular) initialized: http.log
31/10/2022 -- 03:01:47 - - stats output device (regular) initialized: stats.log
31/10/2022 -- 03:01:47 - - Running in live mode, activating unix socket
31/10/2022 -- 03:01:48 - - 1 rule files processed. 28726 rules successfully loaded, 0 rules failed
31/10/2022 -- 03:01:48 - - Threshold config parsed: 0 rule(s) found
31/10/2022 -- 03:01:49 - - 28729 signatures processed. 1169 are IP-only rules, 5166 are inspecting packet payload, 22190 inspect application layer, 108 are decoder event only
31/10/2022 -- 03:01:50 - - Using flow cluster mode for PF_RING (iface ens160)
31/10/2022 -- 03:01:50 - - Going to use 48 thread(s)
31/10/2022 -- 03:01:52 - - RunModeIdsPfringWorkers initialised
31/10/2022 -- 03:01:52 - - Running in live mode, activating unix socket
31/10/2022 -- 03:01:52 - - Using unix socket file '/var/run/suricata/suricata-command.socket'
31/10/2022 -- 03:01:52 - - all 48 packet processing threads, 4 management threads initialized, engine started.
31/10/2022 -- 03:01:59 - - Flow emergency mode entered...
31/10/2022 -- 03:05:21 - - Signal Received. Stopping engine.
31/10/2022 -- 03:05:24 - - time elapsed 213.736s
31/10/2022 -- 03:05:31 - - Alerts: 17180
31/10/2022 -- 03:05:32 - - cleaning up signature grouping structure... complete
31/10/2022 -- 03:05:32 - - Stats for 'ens160': pkts: 49904053, drop: 1868026 (3.74%), invalid chksum: 0
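The lines worth checking in that output are the PF_RING cluster mode, the thread count, the flow emergency mode warning and the final drop ratio. The script below is an added example (not part of the original post or of Suricata) that parses those lines from a constructed log sample modelled on the output above and flags an interface whose drop rate exceeds a configurable threshold; the `max_drop_pct` parameter and the regular expressions are assumptions of this example.

```python
import re

# Constructed sample modelled on the startup/shutdown lines above (not a real capture).
SAMPLE_LOG = """\
31/10/2022 -- 03:01:47 - - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
31/10/2022 -- 03:01:47 - - CPUs/cores online: 48
31/10/2022 -- 03:01:50 - - Using flow cluster mode for PF_RING (iface ens160)
31/10/2022 -- 03:01:50 - - Going to use 48 thread(s)
31/10/2022 -- 03:01:52 - - all 48 packet processing threads, 4 management threads initialized, engine started.
31/10/2022 -- 03:01:59 - - Flow emergency mode entered...
31/10/2022 -- 03:05:32 - - Stats for 'ens160': pkts: 49904053, drop: 1868026 (3.74%), invalid chksum: 0
"""

CLUSTER_RE = re.compile(r"Using (\w+) cluster mode for PF_RING \(iface (\S+)\)")
THREADS_RE = re.compile(r"all (\d+) packet processing threads")
STATS_RE = re.compile(r"Stats for '(?P<iface>[^']+)': pkts: (?P<pkts>\d+), drop: (?P<drop>\d+)")


def check_pfring_run(log_text, max_drop_pct=1.0):
    """Summarise a Suricata pfring run and list problems a sensor operator should act on."""
    result = {"cluster_mode": {}, "threads": None, "emergency_mode": False,
              "stats": {}, "problems": []}
    for line in log_text.splitlines():
        m = CLUSTER_RE.search(line)
        if m:                                   # e.g. "flow" for cluster_flow
            result["cluster_mode"][m.group(2)] = m.group(1)
        m = THREADS_RE.search(line)
        if m:
            result["threads"] = int(m.group(1))
        if "Flow emergency mode entered" in line:  # flow table hit its memcap
            result["emergency_mode"] = True
        m = STATS_RE.search(line)
        if m:                                   # recompute the drop ratio from raw counters
            pkts, drop = int(m["pkts"]), int(m["drop"])
            pct = 100.0 * drop / pkts if pkts else 0.0
            result["stats"][m["iface"]] = {"pkts": pkts, "drop": drop, "drop_pct": round(pct, 2)}
    for iface, mode in result["cluster_mode"].items():
        if mode != "flow":
            result["problems"].append(f"{iface}: cluster mode is {mode}, expected flow")
    for iface, st in result["stats"].items():
        if iface not in result["cluster_mode"]:
            result["problems"].append(f"{iface}: no PF_RING cluster mode line seen")
        if st["drop_pct"] > max_drop_pct:
            result["problems"].append(f"{iface}: drop rate {st['drop_pct']}% exceeds {max_drop_pct}%")
    if result["emergency_mode"]:
        result["problems"].append("flow emergency mode entered (flow table memcap exhausted)")
    return result
```

Run against the real suricata.log instead of the sample, the same function gives a quick post-run health check: a 3.74% drop rate and a flow emergency mode entry, as in the output above, both point at tuning work (thread count, flow memcap) before the sensor is trusted.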
