Integrating and Optimizing Suricata with FastStack™ Sniffer10G™
DESCRIPTION
Join the Open Information Security Foundation (OISF), Myricom and Emulex to learn about deploying and fine-tuning Suricata to create an effective IDS/IPS system.
TRANSCRIPT
Emulex Confidential - © 2012 Emulex Corporation
Emulex Technology Webcast Series
Logistics
Attendees will be placed on mute during the presentation
Please use the WebEx’s Q&A feature to submit questions at any time
For a copy of this presentation please send an e-mail to: [email protected]
Please visit emulex.com/webcasts for list of our upcoming webcasts
FastStackTM Sniffer10G
For superior network analytics & cyber-security
Agenda
Objective
About Emulex
About Myricom
About Suricata
Installing Sniffer10G
Testing Sniffer10G Installation
Building Suricata with Sniffer10G
Tuning Suricata with Sniffer10G
Q & A
Objective of Today's Webinar
Introduction to FastStack Sniffer10G
Demonstrate how to:
– Install FastStack Sniffer10G
– Configure FastStack Sniffer10G
– Test FastStack Sniffer10G
– Link FastStack Sniffer10G to Suricata
– Utilize the different run modes
About Emulex
Emulex solutions are used and offered by the industry's leading server and storage OEMs
– An ever-expanding interoperability ecosystem
– High scalability with support for small and large environments
Industry leader in the Fibre Channel storage market
– The performance expected of high-demand environments
– Tools to maximize the efficiency of your resources
– Reliability that is second to none
A leader in converged networking solutions, providing enterprise-class connectivity
– Delivered through OEM server partners
– #1 in 10GbE worldwide port shipments for fiscal year 2012*
– Requests for higher-performance solutions for specific vertical markets
* Crehan Research, Server-class Adapter & LOM Market Share Report, 2Q 2012 (Emulex Fiscal Year 2012)
About Myricom
Leading provider of adaptable Ethernet Solutions for vertical markets requiring extreme performance
Pioneer in HPC – Interconnect technology since 1994
Unique, adaptable hardware and software architecture
One of the first to deliver general-purpose 10GbE adapters
– Processor-based architecture, highly programmable
– Allows for firmware and API development for high-performance applications
– Solutions offer performance and time-to-market customer advantages
Low latency networking – low CPU overhead solutions
About Suricata
Open source, next generation intrusion detection and prevention engine
Brings new ideas and technologies to the field, but not intended to replace or emulate the existing tools in the industry
Suricata is under development by OISF (Open Information Security Foundation)
Suricata is part of and funded by:
– The Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology)
– The Navy's Space and Naval Warfare Systems Command (SPAWAR)
– The members of the OISF Consortium
The current version is 1.3.1 for Linux, Mac, FreeBSD, Unix & Windows
FastStack Sniffer10G Overview
Lossless packet capture/injection enabling superior network analytics
Leverages Emulex OCe12000-D family of 10GbE network adapters
Flexibility
- Enables Deep Packet Inspection (DPI)
- Multi-core awareness
- Flexibility of how data can be analyzed
- Supports packet capture and injection at 14.88 Mpps (million packets per second), the 10GbE line rate for minimum-size 64-byte frames
High Performance
- Kernel by-pass architecture
- Delivers line-rate, lossless packet capture and injection without introducing latency
- Provides lossless packet capture regardless of packet size
Cost Effective
- No specialized capture hardware (i.e. no dedicated capture appliance)
- In “Sniffer Mode”, packet-rate sensitive firmware runs on MIPS-like processor on the adapter
- Leverages industry standard 10GbE
FastStack Sniffer10G and Suricata
[Figure: packets arriving on the adapter are distributed into per-worker buffers, and each buffer feeds one Suricata worker thread (Worker 1 … Worker n+1).]
Installing Sniffer10G on Linux
Download the latest build of Sniffer10G to your system
To install, type (the package name is the 2.0.6 build shown on the slide; use the build you downloaded):
– # rpm -i myri_snf-2.0.6.50271-2831.x86_64.rpm
The key items can be found in:
– /opt/snf
To confirm your adapter has a current license for Sniffer10G, type:
– # /opt/snf/sbin/myri_license
The output indicates which licenses are active.
Starting FastStack Sniffer10G
To start FastStack Sniffer10G, type:
– # myri_start_stop restart
– Note: while start can be used, if Sniffer10G is already running a restart will cause a stop/start cycle
The following will appear:
Restarting Sniffer10G
Removing myri_snf
Loading myri_snf
To confirm the OS is running FastStack Sniffer10G, type:
– # dmesg | grep myri_snf | tail -5
The output indicates that the links with Sniffer10G are active.
Testing Sniffer10G
Requires two systems:
– System One (Server 1): runs the simple receive program; eventually it will run Suricata
– System Two (Server 2): runs FastStack Sniffer10G's packet generator
On Server 1, start the receiver:
– # /opt/snf/bin/tests/snf_simple_recv -p0 -t 1
On Server 2, generate packets:
– # /opt/snf/bin/tests/snf_pktgen -p0 -s 60 -n 50000000
Output for Server 1 will read: [screenshot of the receive counters; Server 2 is injecting packets at wire rate]
How to Install & Build Suricata with Sniffer10G
Type:
– # wget http://www.openinfosecfoundation.org/download/suricata-1.3.tar.gz
– # yum install file-devel
– # tar -xvzf suricata-1.3.tar.gz
– # mv suricata-1.3 suricata
– # cd suricata
– # ./configure --with-libpcap-includes=/opt/snf/include/ --with-libpcap-libraries=/opt/snf/lib/ --prefix=/usr --sysconfdir=/etc --localstatedir=/var
– # make
– # make install-full
– # cp classification.config /etc/suricata
– # cp reference.config /etc/suricata
– # cp suricata.yaml /etc/suricata
The two --with-libpcap-* options point the build at the Sniffer10G libpcap under /opt/snf instead of the distribution's libpcap; that is what routes Suricata's capture through the adapter's kernel-bypass path. The tarball is fetched over plain HTTP, so verify its checksum or signature against the OISF download page before building.
Steps Validating Suricata Build w/ Sniffer10G
To confirm the location of where Suricata will run, type:
– # which suricata
Output will read: /usr/local/bin/suricata
– Note: /usr/local/bin is where a configure run without --prefix installs; with --prefix=/usr as on the previous slide the binary lands in /usr/bin/suricata. Whichever path which reports is the one to check with ldd.
To confirm that Suricata is using the Sniffer10G libraries, type:
– # ldd /usr/local/bin/suricata | grep snf
Output will read:
libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007f4359199000)
libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007f4358b53000)
If libpcap.so.1 resolves to a system path such as /usr/lib64 instead, Suricata was linked against the distribution libpcap and will capture through the kernel rather than Sniffer10G.
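The ldd check above is easy to run once and forget, and a build that quietly picked up the distribution libpcap still starts and captures, just without the kernel bypass. The script below is an added example (not from the Emulex or OISF material) that turns the check into a pass/fail test: it reads ldd output and succeeds only when libpcap resolves under the Sniffer10G library directory, which it assumes to be /opt/snf/lib as on the slides. The two ldd samples are constructed; the first mirrors the slide's output, the second is what a system-libpcap build looks like.

```shell
#!/bin/sh
# Added example (not part of the Emulex/Myricom slides): confirm that the
# Suricata binary is linked against the Sniffer10G libpcap. If the distro's
# libpcap wins at link time, Suricata still starts and captures, but through
# the kernel's packet path, so the kernel-bypass capture is lost silently.

SNF_LIB_DIR="${SNF_LIB_DIR:-/opt/snf/lib}"   # assumed install path, as on the slides

# snf_link_ok: read `ldd <binary>` output on stdin; return 0 only when
# libpcap.so.* resolves under $SNF_LIB_DIR and libsnf.so.* is also mapped.
snf_link_ok() {
    awk -v dir="$SNF_LIB_DIR" '
        $1 ~ /^libpcap\.so/ && index($3, dir "/") == 1 { pcap_ok = 1 }
        $1 ~ /^libsnf\.so/                              { snf_ok = 1 }
        END { exit !(pcap_ok && snf_ok) }
    '
}

# check_suricata_binary: live check on this host (needs Suricata installed).
# Uses the path `command -v` reports instead of assuming /usr/local/bin,
# because --prefix decides where `make install` put the binary.
check_suricata_binary() {
    bin=$(command -v suricata) || { echo "suricata not found on PATH" >&2; return 2; }
    echo "suricata resolves to: $bin"
    if ldd "$bin" | snf_link_ok; then
        echo "OK: $bin uses $SNF_LIB_DIR/libpcap (Sniffer10G kernel bypass)"
    else
        echo "FAIL: $bin is not linked against $SNF_LIB_DIR/libpcap" >&2
        ldd "$bin" | grep -E 'libpcap|libsnf' >&2
        return 1
    fi
}

# Constructed ldd output for a self-test: the first mirrors the slide, the
# second is what a build that picked up the system libpcap looks like.
SAMPLE_LDD_SNF='libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007f4359199000)
libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007f4358b53000)
libc.so.6 => /lib64/libc.so.6 (0x00007f4358780000)'
SAMPLE_LDD_SYSTEM='libpcap.so.1 => /usr/lib64/libpcap.so.1 (0x00007f2a1c3e0000)
libc.so.6 => /lib64/libc.so.6 (0x00007f2a1c000000)'

# self_test: return 0 when both constructed samples are classified correctly.
self_test() {
    printf '%s\n' "$SAMPLE_LDD_SNF" | snf_link_ok || return 1
    if printf '%s\n' "$SAMPLE_LDD_SYSTEM" | snf_link_ok; then return 1; fi
    return 0
}

# Usage: sh check_snf_link.sh --check       (live check of the installed binary)
#        sh check_snf_link.sh --self-test   (run against the constructed samples)
case "${1:-}" in
    --check)     check_suricata_binary ;;
    --self-test) self_test && echo "self-test passed" ;;
esac
```

Run it with --check after every rebuild or package update of Suricata; a distribution libpcap upgrade that lands a newer soname in the default library path is the usual way the link quietly changes.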
Configuring & Running Suricata w/ Sniffer10G
The Suricata configuration file is:
– /etc/suricata/suricata.yaml
Several changes are required to the components of this file:
– Locate the "pcap:" section
– Make the following edits to "pcap":
pcap:
  - interface: eth4
    threads: 16
    buffer-size: 512kb
    checksum-checks: no
To start Suricata on the first system, type:
– # SNF_NUM_RINGS=16 SNF_FLAGS=0x1 suricata -c /etc/suricata/suricata.yaml -i eth4 --runmode=workers
SNF_NUM_RINGS and SNF_FLAGS are Sniffer10G environment variables read by its libpcap; SNF_NUM_RINGS is set to match the 16 pcap threads so that each worker thread has its own receive ring.
Testing Suricata w/ Sniffer10G
Obtain a sample network capture file for Server 2:
– # wget https://www.openpacket.org/capture/grab/54
To inject the sample packet capture from Server 2 into Suricata (Server 1), type:
– # /opt/snf/bin/tests/snf_replay -v -p0 -R 0.18 -i 2500 54
Output will read:
Thread 0> Packets: 5122500
Thread 0> Bytes: 1660497500
Thread 0> Rate: 0.27 Mpps
Thread 0> Throughput: 0.695 Gbps in 19.122 secs
To confirm the arrival and processing of the packets, stop Suricata (Ctrl-C) on Server 1 and read the shutdown statistics.
Testing Suricata w/ Sniffer10G (cont'd)
all 16 packet processing threads, 3 management threads initialized, engine started.
^C20/7/2012 -- 09:03:25 - <Info> - stopping engine, waiting for outstanding packets
20/7/2012 -- 09:03:25 - <Info> - all packets processed by threads, stopping engine
20/7/2012 -- 09:03:25 - <Info> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
20/7/2012 -- 09:03:26 - <Info> - time elapsed 31.245s
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Packets 195000, bytes 34637500
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Pcap Total:195000 Recv:195000 Drop:0 (0.0%).
20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 172500 TCP packets
20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts
20/7/2012 -- 09:03:26 - <Info> - Alert unified2 module wrote 687249 alerts
20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 14 requests
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Packets 190000, bytes 32032500
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Pcap Total:190000 Recv:190000 Drop:0 (0.0%).
20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 155000 TCP packets
20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts
20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 3 requests
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p13) Packets 205000, bytes 50245000
...
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p116) Pcap Total:417500 Recv:417500 Drop:0 (0.0%).
20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 392500 TCP packets
20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts
20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 8 requests
20/7/2012 -- 09:03:26 - <Info> - cleaning up signature grouping structure... complete
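Each of the 16 capture threads prints its own Pcap Total/Recv/Drop line, so the lossless claim has to be verified across all of them, not just the few that fit on a slide. The script below is an added example (not from the Emulex or OISF material) that sums those per-thread counters from the engine log, names any thread that dropped, and gives a pass/fail verdict against a drop-rate threshold. It assumes the 1.3-era line format shown above. The log excerpt it carries is constructed: three lines copied from the output above plus one RxPcapp4p13 line altered to show 1000 drops. The Fast log alert count is the same on every thread line above, which suggests a global total, so the script deliberately does not sum it.

```shell
#!/bin/sh
# Added example (not from the slides): roll the per-thread
# "(RxPcap...) Pcap Total:N Recv:N Drop:N" lines that Suricata prints at
# shutdown into one capture-health verdict. With 16 capture threads a drop
# on a single ring is easy to miss while scrolling; this sums them all.
# Input: the Suricata engine log on stdin.

# pcap_summary: print "threads total recv drop drop_pct" on one line.
pcap_summary() {
    awk '
        /Pcap Total:/ {
            threads++
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^Total:/) total += substr($i, 7)
                else if ($i ~ /^Recv:/)  recv  += substr($i, 6)
                else if ($i ~ /^Drop:/)  drop  += substr($i, 6)
            }
        }
        END {
            pct = (total > 0) ? 100 * drop / total : 0
            printf "%d %d %d %d %.3f\n", threads, total, recv, drop, pct
        }
    '
}

# pcap_dropping_threads: print the name of every capture thread whose Drop
# counter is non-zero, one per line (empty output means no thread dropped).
pcap_dropping_threads() {
    awk '
        /Pcap Total:/ {
            for (i = 2; i <= NF; i++) {
                # the thread name is the "(RxPcap...)" field right before "Pcap"
                if ($i == "Pcap" && $(i-1) ~ /^\(/) { name = $(i-1); gsub(/[()]/, "", name) }
                if ($i ~ /^Drop:/ && substr($i, 6) + 0 > 0) print name
            }
        }
    '
}

# capture_ok: succeed when at least one capture thread reported and the
# aggregate drop rate is <= the percentage in $1 (default 0, i.e. lossless,
# which is what Sniffer10G promises). Fails closed on an empty log.
capture_ok() {
    pcap_summary | awk -v max="${1:-0}" 'NR == 1 { ok = ($1 > 0 && $5 <= max) } END { exit !ok }'
}

# Constructed log excerpt: three lines copied from the slide's output plus one
# (RxPcapp4p13) line altered to show 1000 drops, to exercise the checks.
SAMPLE_LOG='20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Pcap Total:195000 Recv:195000 Drop:0 (0.0%).
20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 172500 TCP packets
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Pcap Total:190000 Recv:190000 Drop:0 (0.0%).
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p13) Pcap Total:205000 Recv:204000 Drop:1000 (0.5%).
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p116) Pcap Total:417500 Recv:417500 Drop:0 (0.0%).'

# Usage: sh pcap_drops.sh --check < suricata.log   (summary of a real log)
#        sh pcap_drops.sh --demo                   (run on the constructed excerpt)
case "${1:-}" in
    --check) pcap_summary ;;
    --demo)  printf '%s\n' "$SAMPLE_LOG" | pcap_summary
             printf '%s\n' "$SAMPLE_LOG" | pcap_dropping_threads ;;
esac
```

On the constructed excerpt the summary is "4 1007500 1006500 1000 0.099" and RxPcapp4p13 is the only dropping thread; capture_ok with the default threshold fails, and passes only if a threshold of at least 0.1% is allowed. Wire capture_ok into the shutdown path of a test run so a replay that overran a ring is caught, rather than read off by eye from 16 lines.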
FastStack Sniffer10G – Summary
Key enablers for:
– Network surveillance & monitoring
– Intrusion detection & protection
– Network performance analysis
Provides:
– Streamlined integration
– Line-rate lossless packet capture and injection
– Leverages 10GbE network infrastructure
– Cost-effective deployment of robust network monitoring
Resources on Emulex.com
Product pages
– Product landing pages
Resources
– Datasheets
– FastStack Sniffer10G solution
– Competitive assessment
Putting It All Together: One Company
Storage Solutions
– 9th Generation Fibre Channel Technology
– Over 12 million adapter ports installed worldwide
– Bullet-proof driver stack
– Backward compatibility
– Rock-solid reliability
– Superior management capabilities
Network Solutions
– Sold through Tier 1 OEMs: LOM, NIC, UCNA form factors
– #1 in 10GbE worldwide port shipments*
High Performance Network Solutions
– Optimized to meet the requirements of vertical markets: low latency, lossless packet capture, video/content delivery
– Versatile and scalable
– One adapter, multiple applications
* Crehan Research, Server-class Adapter & LOM Market Share Report, 2Q 2012 (Emulex Fiscal Year 2012)
Thank You for Participating
Previous Webcast: FastStack Sniffer10G Overview, Sept 6th 2012
For copies of this presentation please send an e-mail to: – [email protected]
Click http://www.emulex.com/company/events/webcasts.html to:
– View this webcast
– View past webcasts
– Register for upcoming webcasts
Q/A