Integrating and Optimizing Suricata with FastStack™ Sniffer10G™

Emulex Technology Webcast Series

Emulex Confidential - © 2012 Emulex Corporation
Emulex© Corporation 2012 1

Logistics

Attendees will be placed on mute during the presentation

Please use the WebEx’s Q&A feature to submit questions at any time

For a copy of this presentation please send an e-mail to:
allen.ordoubadian@emulex.com

Please visit emulex.com/webcasts for list of our upcoming webcasts


TM
FastStack Sniffer10G

For superior network analytics & cyber-security


Agenda

Objective
About Emulex
About Myricom
About Suricata
Installing Sniffer10G
Testing Sniffer10G Installation
Building Suricata with Sniffer10G
Tuning Suricata with Sniffer10G
Q&A


Objective of Today Webinar

Introduction to FastStack Sniffer10G
Demonstrate how to:
– Install FastStack Sniffer10G
– Configure FastStack Sniffer10G
– Test FastStack Sniffer10G
– Link FastStack Sniffer10G to Suricata
– How to utilize different run modes


About Emulex

Emulex solutions are used and offered by the industry’s leading server
and storage OEMs
– An ever-expanding interoperability ecosystem
– High scalability with support for small and large environments
Industry leader in the Fibre Channel storage market
– The performance expected of high demand environments
– Tools to maximize the efficiency of your resources
– Reliability that is second to none
A leader in converged networking solutions, providing enterprise-class
connectivity
– Delivered through OEM server partners
– #1 in 10GbE Worldwide Port Shipments for fiscal year 2012*
– Requests for higher performance solutions for specific vertical markets

* Crehan Research, Server-class Adapter & LOM Market Share Report, 2Q 2012 (Emulex Fiscal Year 2012)


About Myricom

Leading provider of adaptable Ethernet Solutions for vertical markets
requiring extreme performance
Pioneer in HPC – Interconnect technology since 1994
Unique, adaptable hardware and software architecture
One of the first to deliver general-purpose 10GbE adapters
– Processor-based architecture, highly programmable
– Allows for firmware and API development for high performance applications
– Solutions offer performance, time-to-market customer advantages
Low latency networking – low CPU overhead solutions


About Suricata

Open source, next generation intrusion detection and prevention engine
Brings new ideas and technologies to the field, but not intended to
replace or emulate the existing tools in the industry
Suricata is under development by OISF (Open Information Security
Foundation)
Suricata is part of and funded by:
– The department of Homeland Security's Directorate for Science and
Technology HOST program (Homeland Open Security Technology)
– The Navy's Space and Naval Warfare Systems Command (SPAWAR)
– The members of the OISF Consortium
The current version is 1.3.1 for Linux, Mac, FreeBSD, Unix & Windows


FastStack Sniffer10G Overview
Lossless packet capture/injection enabling superior network analytics
Leverages Emulex OCe12000-D family of 10GbE network adapters

High Performance Flexibility Cost Effective

- Kernel by-pass architecture - Enables Deep Packet - No specialized capture
Inspection (DPI) hardware (ie: Appliance)
- Delivers line rate, loss less
packet capture and injection - Multi-core awareness
- In “Sniffer Mode”, packet-
without introducing latency
- Flexibility of how data can rate sensitive firmware
- Provides lossless packet be analyzed runs on MIPS-like
capture regardless of packet processor on the adapter
size - Supports packet capture
and injection at
14.88Mpps (Million - Leverages industry
packets per second) standard 10GbE


FastStack Sniffer10G and Suricata


Installing Sniffer10G on Linux

Download the latest build of Sniffer10G to your system
To install, type:
– # rpm -i myri_snf-2.0.6.50271-2831.x86_64.rpm
The key items can be found in :
– /opt/snf
To Confirm your adapter has a current license for Sniffer10G, type:
– # /opt/snf/sbin/myri_license

Indicates licenses are active


Starting FastStack Sniffer10G

To start FastStack Sniffer10G, type:
– # myri_start_stop restart
– Note: While start can be used, if Sniffer10G is already running a restart will
cause a stop/start cycle
The following will appear:
Restarting Sniffer10G
Removing myri_snf
Loading myri_snf
To confirm OS is running FastStack Sniffer10G, type:
– # dmesg | grep myri_snf | tail -5

Indicates links with Sniffer10G
are active

Testing Sniffer10G

Requires two systems
– System One: runs simple receive program – eventually will have Suricata
– System Two: runs FastStack Sniffer10G’s Packet Generator
To generate packets, type:
– # /opt/snf/bin/tests/snf_simple_recv -p0 -t 1 Server 1

– # /opt/snf/bin/tests/snf_pktgen -p0 -s 60 -n 50000000 Server 2

– Output for Server 1 will read:

System 2 is injecting packets at
wire rate


How to Install & Build Suricata with Sniffer10G

Type:
– # wget http://www.openinfosecfoundation.org/download/suricata-1.3.tar.gz
– # yum install file-devel
– # tar -xvzf suricata-1.3.tar.gz
– # mv suricata-1.3 suricata
– # cd suricata
– #./configure --with-libpcap-includes=/opt/snf/include/ --with-libpcap-
libraries=/opt/snf/lib/ --prefix=/usr --sysconfdir=/etc --localstatedir=/var
– # make
– # make install-full
– # cp classification.config /etc/suricata
– # cp reference.config /etc/suricata
– # cp suricata.yaml /etc/suricata


Steps Validating Suricata Build w/ Sniffer10G

To confirm the location of where Suricata will run, type:
– # which suricata
Output will read:
/usr/local/bin/suricata

To confirm that Suricata is using Sniffer10G libraries, type:
– # ldd /usr/local/bin/suricata | grep snf
Output will read:
libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007f4359199000)
libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007f4358b53000)


Configuring & Running Suricata w/ Sniffer10G

The Suricata configuration file is:
– /etc/suricata/suricata.yaml
Several changes are required to the components of this file:
– Locate the “pcap:” section
– Make following edits to “pcap”:
• interface: eth4
• threads: 16
• buffer-size: 512kb
• checksum-checks: no
To start Suricata on the first system, type:
– # SNF_NUM_RINGS=16 SNF_FLAGS=0x1 suricata -c/etc/suricata/suricata.yaml
-i eth4--runmode=workers


Testing Suricata w/ Sniffer10G

Obtain sample network capture file for server 2.
– # wget https://www.openpacket.org/capture/grab/54

To inject the sample network traffic packet capture file from Server 2
into Suricata (server 1), type:
– # /opt/snf/bin/tests/snf_replay -v -p0 -R 0.18 -i 2500 54
Output will read:
Thread 0> Packets: 5122500
Thread 0> Bytes: 1660497500
Thread 0> Rate: 0.27 Mpps
Thread 0> Throughput: 0.695 Gbps in 19.122 secs

To confirm the arrival processing of packets, Stop Suricata


Testing Suricata w/ Sniffer10G (cont’d)
all 16 packet processing threads, 3 management threads initialized, engine started.

^C20/7/2012 -- 09:03:25 - <Info> - stopping engine, waiting for outstanding packets

20/7/2012 -- 09:03:25 - <Info> - all packets processed by threads, stopping engine

20/7/2012 -- 09:03:25 - <Info> - 0 new flows, 0 established flows were timed out, 0 flows in closed state

20/7/2012 -- 09:03:26 - <Info> - time elapsed 31.245s

20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Packets 195000, bytes 34637500

20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Pcap Total:195000 Recv:195000 Drop:0 (0.0%).

20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 172500 TCP packets

20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts

20/7/2012 -- 09:03:26 - <Info> - Alert unified2 module wrote 687249 alerts

20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 14 requests







...





20/7/2012 -- 09:03:26 - <Info> - cleaning up signature grouping structure... complete Emulex© © 2012 Emulex Corporation
Emulex Confidential - Corporation 2012 18

FastStack Sniffer10G – Summary

Key enablers for:
– Network surveillance & monitoring
– Intrusion detection & protection
– Network performance analysis

Provides:
– Streamlined integration
– Line rate lossless packet capture and injection
– Leverages 10GbE network infrastructure
– Cost effective deployment of robust network monitoring


Resources on Emulex.com

Product pages
– Product landing pages
Resources
– Datasheets
– FastStack Sniffer10G solution
– Competitive assessment


Putting It All Together
One Company

Storage Solutions Network Solutions High Performance
Network Solutions

9th Generation Fibre Channel Sold through Tier 1 OEMs: Optimized to meet the
Technology LOM, NIC, UCNA form requirements of vertical
Over 12 million adapter ports factors markets:
installed world wide #1 in 10GbE worldwide port Low latency
Bullet-proof driver stack shipments* Lossless packet capture
Backward compatibility Video/content delivery
Rock-solid reliability Versatile and scalable
Superior management One adapter, multi-
applications
capabilities

* Crehan Research, Server-class Adapter & LOM Market Share Report, 2Q 2012 (Emulex Fiscal Year 2012)

Thank You for Participating

Previous Webcast: FastStack Sniffer10G Overview- Sept 6th 2012

For copies of this presentation please send an e-mail to:
– allen.ordoubadian@emulex.com

Click http://www.emulex.com/company/events/webcasts.html to:
– View this webcast
– View past webcasts
– Register for upcoming webcasts


Integrating and Optimizing Suricata with FastStack™ Sniffer10G™

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Integrating and Optimizing Suricata with FastStack™ Sniffer10G™

Semelhante a Integrating and Optimizing Suricata with FastStack™ Sniffer10G™ (20)

Mais de Emulex Corporation

Mais de Emulex Corporation (20)

Último

Último (20)

Integrating and Optimizing Suricata with FastStack™ Sniffer10G™