Skip to content
This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

PF_RING

karolisc edited this page Apr 26, 2015 · 14 revisions

Setup

Setup will automatically ask you how many PF_RING instances you'd like for Snort/Suricata and Bro (assuming you choose Advanced Setup and you have multiple cores) and will tell you how to adjust after the fact.

Tuning

If you want to change the number of PF_RING instances after running Setup, you can do the following.

Snort/Suricata

  • Stop sensor processes:
sudo nsm_sensor_ps-stop
  • Edit /etc/nsm/$HOSTNAME-$INTERFACE/sensor.conf and change the IDS_LB_PROCS variable to desired number of cores.
  • Start sensor processes:
sudo nsm_sensor_ps-start

If running Snort, the script automatically spawns $IDS_LB_PROCS instances of Snort (using PF_RING), barnyard2, and snort_agent.
If running Suricata, the script automatically copies $IDS_LB_PROCS into
suricata.yaml and then Suricata spins up the PF_RING instances itself.

Bro

For Bro, you would do the following:

  • Stop bro:
    sudo nsm_sensor_ps-stop --only-bro
  • Edit /opt/bro/etc/node.cfg and change the lb_procs variable to the desired number of cores.
  • Start bro:
    sudo nsm_sensor_ps-start --only-bro

#### Updating #### Please see the [Upgrade](Upgrade) page for notes on updating the PF_RING kernel module.
Clone this wiki locally