Diffstat (limited to 'framework/src/suricata/doc/Installation_with_PF_RING.txt')
-rw-r--r-- | framework/src/suricata/doc/Installation_with_PF_RING.txt | 207 |
1 files changed, 207 insertions, 0 deletions
diff --git a/framework/src/suricata/doc/Installation_with_PF_RING.txt b/framework/src/suricata/doc/Installation_with_PF_RING.txt
new file mode 100644
index 00000000..ea4f4172
--- /dev/null
+++ b/framework/src/suricata/doc/Installation_with_PF_RING.txt
@@ -0,0 +1,207 @@
+Autogenerated on 2012-11-29
+from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING
+
+
+Installation with PF RING
+
+This is the installation guide for Suricata with PF_RING support and a guide to
+install PF_RING.
+To install DKMS, enter:
+
+ sudo apt-get install dkms
+
+To get subversion for checking out the PF_RING code, flex and bison for
+libpcap, enter:
+
+ sudo apt-get install subversion flex bison
+
+To install the debs needed for Suricata, enter the following:
+
+ sudo apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-
+ ng-dev libnet1-dev
+
+In the example you will build from the GIT repository, so you will need some
+extra packages:
+
+ sudo apt-get install git-core automake autoconf libtool
+
+To build your modules, please go to:
+
+ cd /usr/src/
+
+Checkout the PF_RING code:
+
+ sudo svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/
+ PF_RING_CURRENT_SVN
+
+Create the DKMS build directory and copy files over for the main PF_RING module
+by entering the following:
+
+ sudo mkdir /usr/src/pf_ring-4
+ sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/
+ cd /usr/src/pf_ring-4/
+
+Create a file called 'dkms.conf'
+
+ sudo nano dkms.conf
+
+and place the following into the file:
+
+ PACKAGE_NAME="pf_ring"
+ PACKAGE_VERSION="4"
+ BUILT_MODULE_NAME[0]="pf_ring"
+ DEST_MODULE_LOCATION[0]="/kernel/net/pf_ring/"
+ AUTOINSTALL="yes"
+
+To close the file, do so by pressing Ctrl and X at the same time, followed by y
+and enter.
+Build and install the kernel -module of PF_RING:
+
+ sudo dkms add -m pf_ring -v 4
+ sudo dkms build -m pf_ring -v 4
+ sudo dkms install -m pf_ring -v 4
+
+development headers.(zie aantekeningen)
+
+ sudo mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}
+
+Next, build and install the userland lib.:
+
+ sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/
+ include/linux/
+ cd /usr/src/PF_RING_CURRENT_SVN/userland/lib
+ sudo ./configure
+ sudo sed -i -e 's/INSTDIR = \${DESTDIR}\/usr\/local/INSTDIR = \$
+ {DESTDIR}\/opt\/PF_RING/' Makefile
+ sudo cp -f pfring_e1000e_dna.h /opt/PF_RING/include
+ sudo make
+ sudo make install
+
+Enter the following to pull down the latest version of Suricata from the git
+repository and build with PF_RING support:
+
+ cd /usr/src/PF_RING_CURRENT_SVN/userland/
+ sudo git clone git://phalanx.openinfosecfoundation.org/oisf.git oisfnew
+ cd oisfnew
+ sudo ./autogen.sh
+ sudo ./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib
+ --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/
+ PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/
+ PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/
+ sudo make install
+ sudo make
+ sudo mkdir etc/suricata
+
+To make config and log directories for a more complete getting started, see:
+Basic_Setup.
+
+ sudo mkdir /etc/suricata
+ sudo cp suricata.yaml /etc/suricata/
+ sudo cp classification.config /etc/suricata/
+ sudo mkdir /var/log/suricata
+
+The information about the setup options for when you initialise the module:
+min_num_slots:Number of ring slots (uint)
+transparent_mode:0=standard Linux, 1=direct2pfring+transparent,
+2=direct2pfring+non transparent.
+For 1 and 2 you need to use a PF_RING aware driver (uint) .
+enable_tx_capture:Set to 1 to capture outgoing packets (uint)
+enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is
+defragmentead) (uint)
+Enter the following as super-user:
+
+ echo "options pf_ring transparent_mode=0 min_num_slots=32768
+ enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf
+
+To check the status of PF_RING :
+
+ sudo modprobe pf_ring
+ sudo modinfo pf_ring && cat /proc/net/pf_ring/info
+
+Start up Suricata with PF_RING support:
+
+ sudo /opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --
+ pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
+
+If you need to uninstall PF_RING or rollback your PF_RING aware drivers to
+their previous state you can do so with the following commands:
+
+ sudo dkms remove -m pf_ring -v 4 --all
+
+
+Optional
+
+The following part is optional.
+
+ sudo dkms remove -m e1000e-pf_ring -v 1.0.15 --all
+
+If you issue the following command, you can see that PF_RING should now be
+installed as DKMS module:
+
+ dkms status
+
+Now go through the steps to build a PF_RING aware driver:
+
+ sudo mkdir /usr/src/e1000e-pf_ring-1.0.15
+ sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/old/e1000e-
+ 1.0.15/src/* /usr/src/e1000e-pf_ring-1.0.15/
+
+Enter the following so that DKMS can find it for driver rebuilds:
+
+ sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/
+ e1000e-pf_ring-1.0.15/
+ cd /usr/src/e1000e-pf_ring-1.0.15/
+
+After that, fix the path to pf_ring.h:
+
+ sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/
+ ' netdev.c
+
+Then create a file called 'dkms.conf'.
+
+ sudo nano dkms.conf
+
+and place the following into the file:
+
+ PACKAGE_NAME="e1000e-pf_ring"
+ PACKAGE_VERSION="1.0.15"
+ BUILT_MODULE_NAME[0]="e1000e"
+ DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/"
+ AUTOINSTALL="yes"
+
+Build and install the module of the e1000e-pf_ring network driver:
+
+ sudo dkms add -m e1000e-pf_ring -v 1.0.15
+ sudo dkms build -m e1000e-pf_ring -v 1.0.15
+ sudo dkms install -m e1000e-pf_ring -v 1.0.15
+
+After that, build and install the PF_RING enabled libpcap:
+
+ cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.0.0-ring
+ ./configure
+ sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
+ ' Makefile
+ sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
+ ' Makefile.in
+ ./configure --prefix=/opt/PF_RING && make && make install
+
+Subsequently, build and install tcpdump using the PF_RING enabled version of
+libpcap:
+
+ cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.0.0
+ sudo ./configure
+ sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
+ ' Makefile
+ sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
+ ' Makefile.in
+ sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/
+ ' Makefile
+ sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/
+ ' Makefile.in
+ sudo sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//
+ ' Makefile
+ sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//
+ ' Makefile.in
+ sudo ./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --
+ prefix=/opt/PF_RING/ --enable-ipv6 && make && make install
+ |