Autogenerated on 2012-11-29 from https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING
Installation with PF_RING
This is the installation guide for Suricata with PF_RING support and a guide to install PF_RING.
To install DKMS, enter:
sudo apt-get install dkms
To get subversion for checking out the PF_RING code, and flex and bison for libpcap, enter:
sudo apt-get install subversion flex bison
To install the debs needed for Suricata, enter the following:
sudo apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-ng-dev libnet1-dev
In the example you will build from the GIT repository, so you will need some extra packages:
sudo apt-get install git-core automake autoconf libtool
To build your modules, please go to:
cd /usr/src/
Checkout the PF_RING code:
sudo svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ PF_RING_CURRENT_SVN
Create the DKMS build directory and copy files over for the main PF_RING module by entering the following:
sudo mkdir /usr/src/pf_ring-4
sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/
cd /usr/src/pf_ring-4/
Create a file called 'dkms.conf'
sudo nano dkms.conf
and place the following into the file:
PACKAGE_NAME="pf_ring"
PACKAGE_VERSION="4"
BUILT_MODULE_NAME[0]="pf_ring"
DEST_MODULE_LOCATION[0]="/kernel/net/pf_ring/"
AUTOINSTALL="yes"
To save and close the file, press Ctrl+X, then y, then Enter.
Build and install the PF_RING kernel module:
sudo dkms add -m pf_ring -v 4
sudo dkms build -m pf_ring -v 4
sudo dkms install -m pf_ring -v 4
Create the install directories for the PF_RING userland library and development headers (see notes):
sudo mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}
Next, build and install the userland library:
sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/include/linux/
cd /usr/src/PF_RING_CURRENT_SVN/userland/lib
sudo ./configure
sudo sed -i -e 's/INSTDIR = \${DESTDIR}\/usr\/local/INSTDIR = \${DESTDIR}\/opt\/PF_RING/' Makefile
sudo cp -f pfring_e1000e_dna.h /opt/PF_RING/include
sudo make
sudo make install
Enter the following to pull down the latest version of Suricata from the git repository and build with PF_RING support:
cd /usr/src/PF_RING_CURRENT_SVN/userland/
sudo git clone git://phalanx.openinfosecfoundation.org/oisf.git oisfnew
cd oisfnew
sudo ./autogen.sh
sudo ./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/
sudo make
sudo make install
Make the config and log directories (for a more complete getting-started guide, see Basic_Setup):
sudo mkdir /etc/suricata
sudo cp suricata.yaml /etc/suricata/
sudo cp classification.config /etc/suricata/
sudo mkdir /var/log/suricata
The setup options available when you initialise the module:
min_num_slots: number of ring slots (uint)
transparent_mode: 0 = standard Linux, 1 = direct2pfring + transparent, 2 = direct2pfring + non-transparent. For 1 and 2 you need to use a PF_RING aware driver (uint)
enable_tx_capture: set to 1 to capture outgoing packets (uint)
enable_ip_defrag: set to 1 to enable IP defragmentation (only rx traffic is defragmented) (uint)
Enter the following as super-user:
echo "options pf_ring transparent_mode=0 min_num_slots=32768 enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf
To load the module and check the status of PF_RING:
sudo modprobe pf_ring
sudo modinfo pf_ring && cat /proc/net/pf_ring/info
Start up Suricata with PF_RING support:
sudo /opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
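Once the module is loaded, the install state and the modprobe options listed above can be checked from a script. The following POSIX shell script is an added example, not part of the wiki page; the option names and value ranges come from the list above, while the line layouts of dkms status and /proc/net/pf_ring/info that it parses are assumptions illustrated by its constructed samples.

```shell
# Added example, not part of the wiki page: sanity checks for a PF_RING setup
# built as described above. The functions read text from stdin or arguments, so
# they can be fed live output (dkms status, /etc/modprobe.d/pf_ring.conf,
# /proc/net/pf_ring/info) or the constructed samples at the bottom. The exact
# layout of that output (PF_RING 4.x, older dkms) is an assumption, not from the page.

# Exit 0 if `dkms status` lists pf_ring version 4 as installed for some kernel.
pf_ring_dkms_installed() {
    grep -q '^pf_ring, 4, .*: installed$'
}

# Print the numeric value of one option from a modprobe.d line such as
# "options pf_ring transparent_mode=0 min_num_slots=32768"; prints nothing if unset.
pf_ring_option() {
    sed -n "s/^options pf_ring.*[ ]$1=\([0-9][0-9]*\).*/\1/p"
}

# Check the option values against the ranges documented above: transparent_mode
# is 0, 1 or 2, the enable_* flags are 0 or 1, min_num_slots is a positive integer.
pf_ring_options_valid() {
    conf=$(cat)
    mode=$(printf '%s\n' "$conf" | pf_ring_option transparent_mode)
    slots=$(printf '%s\n' "$conf" | pf_ring_option min_num_slots)
    tx=$(printf '%s\n' "$conf" | pf_ring_option enable_tx_capture)
    defrag=$(printf '%s\n' "$conf" | pf_ring_option enable_ip_defrag)
    case "${mode:-0}" in 0|1|2) ;; *) return 1 ;; esac
    case "${tx:-0}${defrag:-0}" in 00|01|10|11) ;; *) return 1 ;; esac
    [ -n "$slots" ] && [ "$slots" -gt 0 ]
}

# Print the value of a "Key : value" line from /proc/net/pf_ring/info.
pf_ring_info_field() {
    sed -n "s/^$1 *: *//p"
}
# Exit 0 when the slot count reported by the loaded module equals the
# min_num_slots configured in modprobe.d, i.e. the options file was honoured.
pf_ring_slots_match() {
    want=$(printf '%s\n' "$1" | pf_ring_option min_num_slots)
    have=$(printf '%s\n' "$2" | pf_ring_info_field 'Ring slots')
    [ -n "$want" ] && [ "$want" = "$have" ]
}
# Constructed samples (not captured from a real host) so the script runs offline.
SAMPLE_DKMS='pf_ring, 4, 3.2.0-32-generic, x86_64: installed'
SAMPLE_CONF='options pf_ring transparent_mode=0 min_num_slots=32768 enable_tx_capture=0'
SAMPLE_INFO='PF_RING Version     : 4.7.5
Ring slots          : 32768'
printf '%s\n' "$SAMPLE_DKMS" | pf_ring_dkms_installed && echo "dkms: pf_ring 4 installed"
printf '%s\n' "$SAMPLE_CONF" | pf_ring_options_valid && echo "modprobe options: valid"
pf_ring_slots_match "$SAMPLE_CONF" "$SAMPLE_INFO" && echo "ring slots: match"
```

On a real host, replace the samples with `dkms status`, the contents of /etc/modprobe.d/pf_ring.conf and `cat /proc/net/pf_ring/info`.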
If you need to uninstall PF_RING or roll back your PF_RING aware drivers to their previous state, you can do so with the following commands:
sudo dkms remove -m pf_ring -v 4 --all
Optional
The following part is optional. To roll back the PF_RING aware e1000e driver built below:
sudo dkms remove -m e1000e-pf_ring -v 1.0.15 --all
If you issue the following command, you can see that PF_RING is now installed as a DKMS module:
dkms status
Now go through the steps to build a PF_RING aware driver:
sudo mkdir /usr/src/e1000e-pf_ring-1.0.15
sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/old/e1000e-1.0.15/src/* /usr/src/e1000e-pf_ring-1.0.15/
Enter the following so that DKMS can find it for driver rebuilds:
sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000e-pf_ring-1.0.15/
cd /usr/src/e1000e-pf_ring-1.0.15/
After that, fix the path to pf_ring.h (the directory is root-owned, so sudo is needed here too):
sudo sed -i -e 's|\.\./\.\./\.\./\.\./kernel/linux/pf_ring\.h|pf_ring\.h|' netdev.c
Then create a file called 'dkms.conf'.
sudo nano dkms.conf
and place the following into the file:
PACKAGE_NAME="e1000e-pf_ring"
PACKAGE_VERSION="1.0.15"
BUILT_MODULE_NAME[0]="e1000e"
DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/"
AUTOINSTALL="yes"
Build and install the module of the e1000e-pf_ring network driver:
sudo dkms add -m e1000e-pf_ring -v 1.0.15
sudo dkms build -m e1000e-pf_ring -v 1.0.15
sudo dkms install -m e1000e-pf_ring -v 1.0.15
After that, build and install the PF_RING enabled libpcap (the exported tree is root-owned, so these steps also need sudo):
cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.0.0-ring
sudo ./configure
sudo sed -i -e 's|\.\./lib/libpfring\.a|/opt/PF_RING/lib/libpfring\.a|' Makefile
sudo sed -i -e 's|\.\./lib/libpfring\.a|/opt/PF_RING/lib/libpfring\.a|' Makefile.in
sudo ./configure --prefix=/opt/PF_RING && sudo make && sudo make install
Subsequently, build and install tcpdump using the PF_RING enabled version of libpcap:
cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.0.0
sudo ./configure
sudo sed -i -e 's|\.\./lib/libpfring\.a|/opt/PF_RING/lib/libpfring\.a|' Makefile
sudo sed -i -e 's|\.\./lib/libpfring\.a|/opt/PF_RING/lib/libpfring\.a|' Makefile.in
sudo sed -i -e 's|-I \.\./libpcap-1\.0\.0-ring|-I /opt/PF_RING/include|' Makefile
sudo sed -i -e 's|-I \.\./libpcap-1\.0\.0-ring|-I /opt/PF_RING/include|' Makefile.in
sudo sed -i -e 's|-L \.\./libpcap-1\.0\.0-ring|-L /opt/PF_RING/lib|' Makefile
sudo sed -i -e 's|-L \.\./libpcap-1\.0\.0-ring|-L /opt/PF_RING/lib|' Makefile.in
sudo ./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ --enable-ipv6 && sudo make && sudo make install