This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

PF_RING

weslambert edited this page Feb 4, 2016 · 14 revisions

Setup

Setup will automatically ask you how many PF_RING instances (IDS engine processes) you'd like for Snort/Suricata and Bro (assuming you have multiple cores) and will tell you how to adjust after the fact.

Tuning

If you want to change the number of PF_RING instances after running Setup, you can do the following.

Snort/Suricata

  • Stop sensor processes:
    sudo nsm_sensor_ps-stop
  • Edit /etc/nsm/$HOSTNAME-$INTERFACE/sensor.conf and change the IDS_LB_PROCS variable to the desired number of cores.
  • Start sensor processes:
    sudo nsm_sensor_ps-start

If running Snort, the script automatically spawns $IDS_LB_PROCS instances of Snort (using PF_RING), barnyard2, and snort_agent.
If running Suricata, the script automatically copies $IDS_LB_PROCS into suricata.yaml and then Suricata spins up the PF_RING instances itself.
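
One way to script the sensor.conf edit from the steps above, as an added example that is not part of the Security Onion tooling. It assumes sensor.conf stores the setting as a shell-style IDS_LB_PROCS=<n> line and that GNU sed is available; the function names, the backup file and the core-count check are this example's own.

```shell
#!/usr/bin/env bash
# Added example: change IDS_LB_PROCS in a sensor.conf-style file.
# Assumption: the setting is a line of the form IDS_LB_PROCS=<n>.
# Run it between "sudo nsm_sensor_ps-stop" and "sudo nsm_sensor_ps-start".

# set_ids_lb_procs FILE COUNT [MAX]
# MAX defaults to the number of online CPU cores.
set_ids_lb_procs() {
    local conf="$1" count="$2" max="${3:-$(getconf _NPROCESSORS_ONLN)}"

    # Accept only a positive integer without leading zeros.
    case "$count" in
        ''|*[!0-9]*|0*) echo "invalid count: $count" >&2; return 2 ;;
    esac

    # Refuse more IDS instances than there are cores to run them on.
    if [ "$count" -gt "$max" ]; then
        echo "requested $count instances, only $max cores" >&2
        return 3
    fi

    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 4; }

    # Keep the previous configuration so the change can be reverted.
    cp -p "$conf" "$conf.bak" || return 5

    if grep -q '^IDS_LB_PROCS=' "$conf"; then
        # Replace the existing assignment in place (GNU sed).
        sed -i "s/^IDS_LB_PROCS=.*/IDS_LB_PROCS=$count/" "$conf"
    else
        # No assignment yet: append one.
        printf 'IDS_LB_PROCS=%s\n' "$count" >> "$conf"
    fi
}

# get_ids_lb_procs FILE
# Print the value currently configured (last assignment wins).
get_ids_lb_procs() {
    sed -n 's/^IDS_LB_PROCS=//p' "$1" | tr -d '"' | tail -n 1
}
```

Invalid or oversized values return non-zero before the file is touched, so the previous setting stays in effect.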

Bro

For Bro, you would do the following:

  • Stop Bro:
    sudo nsm_sensor_ps-stop --only-bro
  • Edit /opt/bro/etc/node.cfg and change the lb_procs variable to the desired number of cores.
  • Start Bro:
    sudo nsm_sensor_ps-start --only-bro

Updating

Please see the [Upgrade](Upgrade) page for notes on updating the PF_RING kernel module.