Snort

Installation and Use of Napatech Link™ Capture Software for Intel® PAC with Intel® Arria® 10 GX FPGA

product_line_custom
Intel® PAC
category
Quick Guide

Installing and configuring Snort for Napatech Link™ Capture Software.

Introduction

Snort is an open source network intrusion prevention and detection system.

Snort can be installed for use with Napatech Link™ Capture Software in two ways:
  • Snort can be installed from binary packages and use libpcap interfaces to Napatech Link™ Capture Software.
  • To get optimal performance and inline support, build Snort 3.0 and DAQ 2.2.2 with DPDK support from source.

Package-based installation

Identify a suitable precompiled Snort package for your OS distribution. See Installing and Running libpcap Applications for general information about how to install and use package-based applications with Napatech libpcap.

See DN-0428 for more information about configuration of Napatech libpcap.

See DN-0666 for more information about optimizing Snort with Napatech libpcap.

Installing and running Snort with Napatech DPDK

The Napatech driver must be installed and running before Snort with Napatech DPDK can be used. See Installing Napatech Link™ Capture Software.

Napatech DPDK must be installed and built before Snort with Napatech DPDK can be used. See Installing Napatech DPDK.

Get and Compile DAQ for DPDK support

# wget https://github.com/napatech/daq_dpdk_multiqueue/archive/dpdk18.05_mq.zip
# unzip unzip dpdk18.05_mq.zip
# cd daq_dpdk_multiqueue-dpdk18.05_mq/daq-2.2.2/
# export RTE_SDK=/project/dpdk-master/ 
# ./configure --prefix=/opt/snort 
# make
# make install

Get and compile Snort 3.0 using DAQ 2.2.2

# wget https://www.snort.org/downloads/snortplus/snort-3.0.0-243-cmake.tar.gz
# tar xvf tar xvf snort-3.0.0-243-cmake.tar.gz
# export PATH=/opt/snort/bin/:$PATH
# ./configure_cmake.sh --prefix=/opt/snort --with-daq-libraries=/opt/snort/lib --with-daq-includes=/opt/snort/include
# cd build
# make
# make install

Running Snort

Snort in inline mode (IPS) using 14 RSS queues and 14 cores on 1 interface pair:
# taskset -c 0-13 /opt/snort/bin/snort --daq dpdk --daq-var dpdk_argc="-n4" -i "dpdk0:dpdk1" -Q -z 14
Snort in inline mode (IPS) using 2 RSS queues and 14 cores on 2 interface pairs:
# taskset -c 0-13 /opt/snort/bin/snort --daq dpdk --daq-var dpdk_argc="-n4" -i "dpdk0:dpdk1 dpdk2:dpdk3" -Q -z 14
Snort in passive mode (IDS) using 14 RSS queues and 14 cores on 2 interfaces:
# taskset -c 0-13 /opt/snort/bin/snort --daq dpdk --daq-var dpdk_argc="-n4" -i "dpdk0 dpdk1" -z 14
Snort in passive mode (IDS) using 2 RSS queues and 4 cores on 1 interfaces:
# taskset -c 0-13 /opt/snort/bin/snort --daq dpdk --daq-var dpdk_argc="-n4" -i "dpdk0" -z 2
Tip: taskset is used here to pin the cores used by Snort to run only on NUMA node 0. This is done to avoid QPI utilization. Run the cores on the same NUMA node as the NIC.