This repository has been archived by the owner on Apr 16, 2021. It is now read-only.
PF_RING
Doug Burks edited this page Mar 25, 2015 · 14 revisions
Setup will automatically ask you how many PF_RING instances you'd like for Snort/Suricata and Bro (assuming you choose Advanced Setup and you have multiple cores) and will tell you how to adjust after the fact.
If you want to change the number of PF_RING instances after running Setup, you can do the following.
- Stop sensor processes:
sudo nsm_sensor_ps-stop
- Edit /etc/nsm/$HOSTNAME-$INTERFACE/sensor.conf and change the IDS_LB_PROCS variable to the desired number of cores.
- Start sensor processes:
sudo nsm_sensor_ps-start
If running Snort, the script automatically spawns $IDS_LB_PROCS instances
of Snort (using PF_RING), barnyard2, and snort_agent.
If running Suricata, the script automatically copies $IDS_LB_PROCS into
suricata.yaml and then Suricata spins up the PF_RING instances itself.
- Stop bro:
sudo nsm_sensor_ps-stop --only-bro
- Edit /opt/bro/etc/node.cfg and change the lb_procs variable to the desired number of cores.
- Start bro:
sudo nsm_sensor_ps-start --only-bro
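The edit step of both procedures above, as an added shell example (not part of the original page or of the Security Onion scripts): the hypothetical helpers set_lb_procs and get_lb_procs change IDS_LB_PROCS or lb_procs, keep a backup, and refuse a count that is not a positive integer or that exceeds the core count. It assumes the setting is stored as a single KEY=value line; the stop and start commands above still wrap the edit.

```shell
#!/bin/sh
# Added example, not Security Onion code. Function names are hypothetical.
# Assumption: the setting is one "KEY=value" line, e.g. IDS_LB_PROCS=2 in
# sensor.conf or lb_procs=2 in node.cfg.

# set_lb_procs FILE KEY COUNT [MAX_CORES]
# Returns 0 on success, 1 on invalid input, 2 if KEY is missing or repeated.
set_lb_procs() {
    file=$1 key=$2 count=$3
    # Default upper bound: number of online cores on this sensor.
    max=${4:-$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)}

    # COUNT must be a positive integer (no sign, no leading zero).
    case $count in
        ''|0*|*[!0-9]*) echo "count must be a positive integer" >&2; return 1 ;;
    esac
    if [ "$count" -gt "$max" ]; then
        echo "count $count exceeds $max available cores" >&2; return 1
    fi
    [ -f "$file" ] || { echo "$file not found" >&2; return 1; }

    # Require exactly one assignment so the edit is unambiguous. A node.cfg
    # with several workers has several lb_procs lines and is left alone.
    hits=$(grep -c "^[[:space:]]*$key=" "$file" || true)
    [ "$hits" -eq 1 ] || { echo "expected one $key= line, found $hits" >&2; return 2; }

    # Keep a backup, then rewrite only the matching line.
    cp -p "$file" "$file.bak" || return 1
    sed "s/^\([[:space:]]*$key=\).*/\1$count/" "$file.bak" > "$file"
}

# get_lb_procs FILE KEY: print the value currently assigned to KEY.
get_lb_procs() {
    sed -n "s/^[[:space:]]*$2=//p" "$1"
}

# Usage on a sensor (run as root, between the stop and start commands):
#   set_lb_procs "/etc/nsm/$HOSTNAME-$INTERFACE/sensor.conf" IDS_LB_PROCS 4
#   set_lb_procs /opt/bro/etc/node.cfg lb_procs 4
```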