PF_RING is built for high-speed packet capture; this post notes how to install and run Suricata with PF_RING on Ubuntu 22.04.
Install
- Download the PF_RING 8.2.0 source and install the kernel module and the userland library:
cd PF_RING-8.2.0/kernel
make && make install
cd PF_RING-8.2.0/userland/lib
./configure
make && make install
- Download and install the latest stable Suricata release, 6.0.8:
cd suricata-6.0.8
./configure --localstatedir=/var --enable-lua \
--enable-pfring --with-libpfring-includes=/usr/local/include \
--with-libpfring-libraries=/usr/local/pfring/lib
make && make install-full
The key is to point configure at the PF_RING include and library paths.
To verify the installation, check the build information:
suricata --build-info | grep PF_RING
PF_RING support: yes
or use ldd:
$ ldd /usr/local/bin/suricata | grep pfring
libpfring.so.8 => /usr/local/lib/libpfring.so.8 (0x00007fbc12f79000)
Run
PF_RING ships its own ZC drivers for particular network adapters; the Intel ixgbe driver is used as the example here.
1. Load the PF_RING ZC driver:
# cd PF_RING-8.2.0/drivers/intel/ixgbe/ixgbe-5.5.3-zc/src
# ./load_driver.sh
Configuring ens160
IFACE CORE MASK -> FILE
=======================
ens160 0 1 -> /proc/irq/57/smp_affinity
VFs can be enabled on ens160 running: echo '2' > /sys/bus/pci/devices/0000:03:00.0/sriov_numvfs
Warning: 512 hugepages available, 1024 requested
Then list the interfaces to confirm that ens160 is now running under the ZC driver:
root@sensor:/etc/suricata# pf_ringcfg --list-interfaces
Name: ens33 Driver: e1000 RSS: 1 [Linux Driver]
Name: ens160 Driver: ixgbe RSS: 1 [Running ZC]
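Before starting capture it is worth checking, in one go, everything the install and driver steps above are supposed to have produced: PF_RING support compiled in, libpfring resolvable, the interface under the ZC driver, enough hugepages (the driver load above warned that only 512 of 1024 were available), and a configuration that validates. The script below is an added example, not part of the original post: each check takes the text of a command's output as an argument so it can be exercised offline, and run_preflight gathers the live output on the sensor. The binary path, interface name, hugepage count and config path are assumptions taken from the post.

```shell
#!/bin/sh
# Pre-flight checks for a Suricata + PF_RING sensor (added example, not from the post).
# Defaults below are assumptions matching the post's setup; override via environment.
SURICATA_BIN="${SURICATA_BIN:-/usr/local/bin/suricata}"
SURICATA_CFG="${SURICATA_CFG:-/etc/suricata/suricata.yaml}"
IFACE="${IFACE:-ens160}"
NEED_HUGEPAGES="${NEED_HUGEPAGES:-1024}"   # load_driver.sh requested 1024 in the post

# Returns 0 if 'suricata --build-info' output reports PF_RING support.
has_pfring_support() {
    printf '%s\n' "$1" | grep -q '^PF_RING support: *yes'
}

# Returns 0 if 'ldd suricata' output shows libpfring resolved to a real path
# (a missing or "not found" entry means the runtime linker cannot find it).
libpfring_linked() {
    printf '%s\n' "$1" | grep 'libpfring' | grep -qv 'not found'
}

# Returns 0 if 'pf_ringcfg --list-interfaces' output shows interface $2 running ZC.
iface_running_zc() {
    printf '%s\n' "$1" | grep "^Name: *$2[[:space:]]" | grep -q 'Running ZC'
}

# Returns 0 if /proc/meminfo text shows at least $2 hugepages allocated.
hugepages_ok() {
    total=$(printf '%s\n' "$1" | awk '/^HugePages_Total:/ {print $2}')
    [ -n "$total" ] && [ "$total" -ge "$2" ]
}

# Runs the live checks on the sensor; prints one line per check, returns 1 on any failure.
run_preflight() {
    rc=0
    if has_pfring_support "$("$SURICATA_BIN" --build-info 2>/dev/null)"; then
        echo "ok   build has PF_RING support"
    else echo "FAIL build lacks PF_RING support (reconfigure with --enable-pfring)"; rc=1; fi
    if libpfring_linked "$(ldd "$SURICATA_BIN" 2>/dev/null)"; then
        echo "ok   libpfring resolved by the runtime linker"
    else echo "FAIL libpfring not resolved (check ldconfig / library path)"; rc=1; fi
    if iface_running_zc "$(pf_ringcfg --list-interfaces 2>/dev/null)" "$IFACE"; then
        echo "ok   $IFACE running the ZC driver"
    else echo "FAIL $IFACE not under the ZC driver (run load_driver.sh)"; rc=1; fi
    if hugepages_ok "$(cat /proc/meminfo)" "$NEED_HUGEPAGES"; then
        echo "ok   at least $NEED_HUGEPAGES hugepages allocated"
    else echo "FAIL fewer than $NEED_HUGEPAGES hugepages (raise vm.nr_hugepages)"; rc=1; fi
    # 'suricata -T' validates the configuration and rules without starting capture.
    if "$SURICATA_BIN" -T -c "$SURICATA_CFG" >/dev/null 2>&1; then
        echo "ok   $SURICATA_CFG validates"
    else echo "FAIL $SURICATA_CFG does not validate (run: $SURICATA_BIN -T -c $SURICATA_CFG)"; rc=1; fi
    return $rc
}

# Live checks only run when invoked as: sh preflight.sh check
if [ "${1:-}" = "check" ]; then run_preflight; fi
```

Run it as `sh preflight.sh check` on the sensor before starting Suricata; a non-zero exit means at least one of the prerequisites from the steps above is missing, and the message says which step to repeat.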
2. Configure Suricata by editing the suricata.yaml file:
pfring:
  - interface: ens160
    # Number of receive threads. If set to 'auto' Suricata will first try
    # to use CPU (core) count and otherwise RSS queue count.
    threads: auto
    # Default clusterid. PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default PF_RING cluster type. PF_RING can load balance per flow.
    # Possible values are cluster_flow or cluster_round_robin.
    cluster-type: cluster_flow
    # bpf filter for this interface
    #bpf-filter: tcp
    # If bypass is set then the PF_RING hw bypass is activated, when supported
    # by the network interface. Suricata will instruct the interface to bypass
    # all future packets for a flow that need to be bypassed.
    #bypass: yes
In short, three settings need to be configured:
- the PF_RING network interface
- the cluster-id, so that all Suricata threads join the same PF_RING cluster
- the cluster-type, set to cluster_flow so that packets of the same flow/connection are always processed by the same thread
3. Run Suricata:
suricata --pfring -c /etc/suricata/suricata.yaml
The startup log below shows Suricata running with 48 threads and using PF_RING correctly:
31/10/2022 -- 03:01:47 - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
31/10/2022 -- 03:01:47 - CPUs/cores online: 48
31/10/2022 -- 03:01:47 - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
31/10/2022 -- 03:01:47 - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
31/10/2022 -- 03:01:47 - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
31/10/2022 -- 03:01:47 - Found an MTU of 1500 for 'ens160'
31/10/2022 -- 03:01:47 - Found an MTU of 1500 for 'ens160'
31/10/2022 -- 03:01:47 - fast output device (regular) initialized: fast.log
31/10/2022 -- 03:01:47 - eve-log output device (regular) initialized: eve.json
31/10/2022 -- 03:01:47 - http-log output device (regular) initialized: http.log
31/10/2022 -- 03:01:47 - stats output device (regular) initialized: stats.log
31/10/2022 -- 03:01:47 - Running in live mode, activating unix socket
31/10/2022 -- 03:01:48 - 1 rule files processed. 28726 rules successfully loaded, 0 rules failed
31/10/2022 -- 03:01:48 - Threshold config parsed: 0 rule(s) found
31/10/2022 -- 03:01:49 - 28729 signatures processed. 1169 are IP-only rules, 5166 are inspecting packet payload, 22190 inspect application layer, 108 are decoder event only
31/10/2022 -- 03:01:50 - Using flow cluster mode for PF_RING (iface ens160)
31/10/2022 -- 03:01:50 - Going to use 48 thread(s)
31/10/2022 -- 03:01:52 - RunModeIdsPfringWorkers initialised
31/10/2022 -- 03:01:52 - Running in live mode, activating unix socket
31/10/2022 -- 03:01:52 - Using unix socket file '/var/run/suricata/suricata-command.socket'
31/10/2022 -- 03:01:52 - all 48 packet processing threads, 4 management threads initialized, engine started.
31/10/2022 -- 03:01:59 - Flow emergency mode entered...
31/10/2022 -- 03:05:21 - Signal Received. Stopping engine.
31/10/2022 -- 03:05:24 - time elapsed 213.736s
31/10/2022 -- 03:05:31 - Alerts: 17180
31/10/2022 -- 03:05:32 - cleaning up signature grouping structure... complete
31/10/2022 -- 03:05:32 - Stats for 'ens160': pkts: 49904053, drop: 1868026 (3.74%), invalid chksum: 0
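The two lines a sensor operator cares about in a log like the one above are the thread count (does "Going to use N thread(s)" match the cores online?) and the final drop rate, since every dropped packet is traffic the IDS never inspected. The script below is an added example, not part of the original post or of Suricata: it extracts those figures from a Suricata log, recomputes the drop rate from the raw counters rather than trusting the printed percentage, and flags the run when the rate exceeds a threshold. The log path, interface name and the 1% limit are assumptions; the sample log in the test is constructed from the lines above.

```shell
#!/bin/sh
# Post-run checks on a Suricata log (added example, not from the post).
# Every function takes the log text as its first argument so it can run offline.

# Prints "pkts drop" from the final "Stats for '<iface>'" line, or nothing if absent.
stats_counts() {
    printf '%s\n' "$1" | sed -n "s/.*Stats for .*$2.*pkts: \([0-9]*\), drop: \([0-9]*\) .*/\1 \2/p"
}

# Prints the drop rate in percent with two decimals, computed from the counters.
# Returns 1 if the interface has no stats line (e.g. Suricata never reached shutdown).
drop_percent() {
    counts=$(stats_counts "$1" "$2")
    [ -n "$counts" ] || return 1
    set -- $counts   # $1 = pkts, $2 = drop (positional params are local to the function)
    awk -v p="$1" -v d="$2" 'BEGIN { if (p > 0) printf "%.2f\n", 100 * d / p; else print "0.00" }'
}

# Returns 0 when the drop rate for $2 is at most $3 percent; sh has no floats, so awk compares.
drop_within() {
    pct=$(drop_percent "$1" "$2") || return 1
    awk -v p="$pct" -v m="$3" 'BEGIN { exit !(p <= m) }'
}

# Prints "<threads>/<cores>" from the "Going to use N thread(s)" and "CPUs/cores online: M" lines.
thread_summary() {
    printf '%s\n' "$1" | awk '
        /CPUs\/cores online:/ { cores = $NF }
        /Going to use [0-9]+ thread/ { for (i = 1; i <= NF; i++) if ($i == "use") threads = $(i + 1) }
        END { if (threads != "" && cores != "") print threads "/" cores }'
}

# Summarise a log file: sh suricata-stats.sh report /var/log/suricata/suricata.log ens160 1
# (the log path is Suricata's default under --localstatedir=/var; an assumption for this example)
report() {
    log=$(cat "$1")
    echo "threads/cores: $(thread_summary "$log")"
    if ! pct=$(drop_percent "$log" "$2"); then
        echo "no stats line for $2 in $1"; return 1
    fi
    echo "drop rate:     ${pct}% (limit ${3}%)"
    if drop_within "$log" "$2" "$3"; then
        echo "drop rate within limit"
    else
        echo "WARNING: drop rate above limit; consider more RSS queues, hugepages or workers"; return 1
    fi
}
if [ "${1:-}" = "report" ]; then report "$2" "$3" "${4:-1}"; fi
```

Run against the log above with a 1% limit, the report exits non-zero: 1868026 of 49904053 packets (3.74%) were dropped, which is worth investigating before trusting the 17180 alerts as a complete picture of the traffic.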