authorAshlee Young <ashlee@onosfw.com>2015-09-09 22:21:41 -0700
committerAshlee Young <ashlee@onosfw.com>2015-09-09 22:21:41 -0700
commit8879b125d26e8db1a5633de5a9c692eb2d1c4f83 (patch)
treec7259d85a991b83dfa85ab2e339360669fc1f58e /framework/src/suricata/doc/Installation_with_PF_RING.txt
parent13d05bc8458758ee39cb829098241e89616717ee (diff)
suricata checkin based on commit id a4bce14770beee46a537eda3c3f6e8e8565d5d0a
Change-Id: I9a214fa0ee95e58fc640e50bd604dac7f42db48f
Diffstat (limited to 'framework/src/suricata/doc/Installation_with_PF_RING.txt')
-rw-r--r--framework/src/suricata/doc/Installation_with_PF_RING.txt207
1 files changed, 207 insertions, 0 deletions
diff --git a/framework/src/suricata/doc/Installation_with_PF_RING.txt b/framework/src/suricata/doc/Installation_with_PF_RING.txt
new file mode 100644
index 00000000..ea4f4172
--- /dev/null
+++ b/framework/src/suricata/doc/Installation_with_PF_RING.txt
@@ -0,0 +1,207 @@
+Autogenerated on 2012-11-29
+from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING
+
+
+Installation with PF RING
+
+This is the installation guide for Suricata with PF_RING support and a guide to
+install PF_RING.
+To install DKMS, enter:
+
+ sudo apt-get install dkms
+
+To get subversion for checking out the PF_RING code, flex and bison for
+libpcap, enter:
+
+ sudo apt-get install subversion flex bison
+
+To install the debs needed for Suricata, enter the following:
+
+ sudo apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-
+ ng-dev libnet1-dev
+
+In the example you will build from the GIT repository, so you will need some
+extra packages:
+
+ sudo apt-get install git-core automake autoconf libtool
+
+To build your modules, please go to:
+
+ cd /usr/src/
+
+Checkout the PF_RING code:
+
+ sudo svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/
+ PF_RING_CURRENT_SVN
+
+Create the DKMS build directory and copy files over for the main PF_RING module
+by entering the following:
+
+ sudo mkdir /usr/src/pf_ring-4
+ sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/
+ cd /usr/src/pf_ring-4/
+
+Create a file called 'dkms.conf'
+
+ sudo nano dkms.conf
+
+and place the following into the file:
+
+ PACKAGE_NAME="pf_ring"
+ PACKAGE_VERSION="4"
+ BUILT_MODULE_NAME[0]="pf_ring"
+ DEST_MODULE_LOCATION[0]="/kernel/net/pf_ring/"
+ AUTOINSTALL="yes"
+
+To close the file, do so by pressing Ctrl and X at the same time, followed by y
+and enter.
+Build and install the kernel -module of PF_RING:
+
+ sudo dkms add -m pf_ring -v 4
+ sudo dkms build -m pf_ring -v 4
+ sudo dkms install -m pf_ring -v 4
+
+development headers.(zie aantekeningen)
+
+ sudo mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}
+
+Next, build and install the userland lib.:
+
+ sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/
+ include/linux/
+ cd /usr/src/PF_RING_CURRENT_SVN/userland/lib
+ sudo ./configure
+ sudo sed -i -e 's/INSTDIR = \${DESTDIR}\/usr\/local/INSTDIR = \$
+ {DESTDIR}\/opt\/PF_RING/' Makefile
+ sudo cp -f pfring_e1000e_dna.h /opt/PF_RING/include
+ sudo make
+ sudo make install
+
+Enter the following to pull down the latest version of Suricata from the git
+repository and build with PF_RING support:
+
+ cd /usr/src/PF_RING_CURRENT_SVN/userland/
+ sudo git clone git://phalanx.openinfosecfoundation.org/oisf.git oisfnew
+ cd oisfnew
+ sudo ./autogen.sh
+ sudo ./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib
+ --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/
+ PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/
+ PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/
+ sudo make install
+ sudo make
+ sudo mkdir etc/suricata
+
+To make config and log directories for a more complete getting started, see:
+Basic_Setup.
+
+ sudo mkdir /etc/suricata
+ sudo cp suricata.yaml /etc/suricata/
+ sudo cp classification.config /etc/suricata/
+ sudo mkdir /var/log/suricata
+
+The information about the setup options for when you initialise the module:
+min_num_slots:Number of ring slots (uint)
+transparent_mode:0=standard Linux, 1=direct2pfring+transparent,
+2=direct2pfring+non transparent.
+For 1 and 2 you need to use a PF_RING aware driver (uint) .
+enable_tx_capture:Set to 1 to capture outgoing packets (uint)
+enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is
+defragmentead) (uint)
+Enter the following as super-user:
+
+ echo "options pf_ring transparent_mode=0 min_num_slots=32768
+ enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf
+
+To check the status of PF_RING :
+
+ sudo modprobe pf_ring
+ sudo modinfo pf_ring && cat /proc/net/pf_ring/info
+
+Start up Suricata with PF_RING support:
+
+ sudo /opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --
+ pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
+
+If you need to uninstall PF_RING or rollback your PF_RING aware drivers to
+their previous state you can do so with the following commands:
+
+ sudo dkms remove -m pf_ring -v 4 --all
+
+
+Optional
+
+The following part is optional.
+
+ sudo dkms remove -m e1000e-pf_ring -v 1.0.15 --all
+
+If you issue the following command, you can see that PF_RING should now be
+installed as DKMS module:
+
+ dkms status
+
+Now go through the steps to build a PF_RING aware driver:
+
+ sudo mkdir /usr/src/e1000e-pf_ring-1.0.15
+ sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/old/e1000e-
+ 1.0.15/src/* /usr/src/e1000e-pf_ring-1.0.15/
+
+Enter the following so that DKMS can find it for driver rebuilds:
+
+ sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/
+ e1000e-pf_ring-1.0.15/
+ cd /usr/src/e1000e-pf_ring-1.0.15/
+
+After that, fix the path to pf_ring.h:
+
+ sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/
+ ' netdev.c
+
+Then create a file called 'dkms.conf'.
+
+ sudo nano dkms.conf
+
+and place the following into the file:
+
+ PACKAGE_NAME="e1000e-pf_ring"
+ PACKAGE_VERSION="1.0.15"
+ BUILT_MODULE_NAME[0]="e1000e"
+ DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/"
+ AUTOINSTALL="yes"
+
+Build and install the module of the e1000e-pf_ring network driver:
+
+ sudo dkms add -m e1000e-pf_ring -v 1.0.15
+ sudo dkms build -m e1000e-pf_ring -v 1.0.15
+ sudo dkms install -m e1000e-pf_ring -v 1.0.15
+
+After that, build and install the PF_RING enabled libpcap:
+
+ cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.0.0-ring
+ ./configure
+ sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
+ ' Makefile
+ sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
+ ' Makefile.in
+ ./configure --prefix=/opt/PF_RING && make && make install
+
+Subsequently, build and install tcpdump using the PF_RING enabled version of
+libpcap:
+
+ cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.0.0
+ sudo ./configure
+ sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
+ ' Makefile
+ sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
+ ' Makefile.in
+ sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/
+ ' Makefile
+ sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/
+ ' Makefile.in
+ sudo sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//
+ ' Makefile
+ sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//
+ ' Makefile.in
+ sudo ./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --
+ prefix=/opt/PF_RING/ --enable-ipv6 && make && make install
+