Integrating and Optimizing Suricata with FastStack™ Sniffer10G™
Join the Open Information Security Foundation (OSIF), Myricom and Emulex to learn about deploying and fine tuning Suricata to create an effective IDS/IPS system.


    Presentation Transcript

    • Emulex Technology Webcast Series
      Emulex Confidential - © 2012 Emulex Corporation
    • Logistics
      – Attendees will be placed on mute during the presentation
      – Please use the WebEx Q&A feature to submit questions at any time
      – For a copy of this presentation please send an e-mail to: allen.ordoubadian@emulex.com
      – Please visit emulex.com/webcasts for a list of our upcoming webcasts
    • FastStack™ Sniffer10G™: For superior network analytics & cyber-security
    • Agenda
      – Objective
      – About Emulex
      – About Myricom
      – About Suricata
      – Installing Sniffer10G
      – Testing Sniffer10G Installation
      – Building Suricata with Sniffer10G
      – Tuning Suricata with Sniffer10G
      – Q&A
    • Objective of Today's Webinar
      Introduction to FastStack Sniffer10G
      Demonstrate how to:
      – Install FastStack Sniffer10G
      – Configure FastStack Sniffer10G
      – Test FastStack Sniffer10G
      – Link FastStack Sniffer10G to Suricata
      – Utilize different run modes
    • About Emulex
      Emulex solutions are used and offered by the industry's leading server and storage OEMs
      – An ever-expanding interoperability ecosystem
      – High scalability with support for small and large environments
      Industry leader in the Fibre Channel storage market
      – The performance expected of high demand environments
      – Tools to maximize the efficiency of your resources
      – Reliability that is second to none
      A leader in converged networking solutions, providing enterprise-class connectivity
      – Delivered through OEM server partners
      – #1 in 10GbE Worldwide Port Shipments for fiscal year 2012*
      – Requests for higher performance solutions for specific vertical markets
      * Crehan Research, Server-class Adapter & LOM Market Share Report, 2Q 2012 (Emulex Fiscal Year 2012)
    • About Myricom
      Leading provider of adaptable Ethernet solutions for vertical markets requiring extreme performance
      Pioneer in HPC
      – Interconnect technology since 1994
      Unique, adaptable hardware and software architecture
      One of the first to deliver general-purpose 10GbE adapters
      – Processor-based architecture, highly programmable
      – Allows for firmware and API development for high performance applications
      – Solutions offer performance and time-to-market customer advantages
      Low latency networking
      – Low CPU overhead solutions
    • About Suricata
      Open source, next generation intrusion detection and prevention engine
      Brings new ideas and technologies to the field, but not intended to replace or emulate the existing tools in the industry
      Suricata is under development by OISF (Open Information Security Foundation)
      Suricata is part of and funded by:
      – The Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology)
      – The Navy's Space and Naval Warfare Systems Command (SPAWAR)
      – The members of the OISF Consortium
      The current version is 1.3.1 for Linux, Mac, FreeBSD, Unix & Windows
    • FastStack Sniffer10G Overview
      Lossless packet capture/injection enabling superior network analytics
      Leverages the Emulex OCe12000-D family of 10GbE network adapters
      High Performance:
      – Kernel by-pass architecture
      – Delivers line rate, lossless packet capture and injection without introducing latency
      – Provides lossless packet capture regardless of packet size
      – Supports packet capture and injection at 14.88 Mpps (million packets per second)
      Flexibility:
      – Enables Deep Packet Inspection (DPI)
      – Multi-core awareness
      – Flexibility of how data can be analyzed
      Cost Effective:
      – No specialized capture hardware (i.e. appliance)
      – In "Sniffer Mode", packet-rate sensitive firmware runs on a MIPS-like processor on the adapter
      – Leverages industry standard 10GbE
    • FastStack Sniffer10G and Suricata (architecture diagram; not reproduced in the transcript)
    • Installing Sniffer10G on Linux
      Download the latest build of Sniffer10G to your system.
      To install, type:
      – # rpm -i myri_snf-2.0.6.50271-2831.x86_64.rpm
      The key items can be found in:
      – /opt/snf
      To confirm your adapter has a current license for Sniffer10G, type:
      – # /opt/snf/sbin/myri_license
      The output indicates that the licenses are active.
    • Starting FastStack Sniffer10G
      To start FastStack Sniffer10G, type:
      – # myri_start_stop restart
      – Note: while "start" can be used, if Sniffer10G is already running a restart will cause a stop/start cycle
      The following will appear:
        Restarting Sniffer10G
        Removing myri_snf
        Loading myri_snf
      To confirm the OS is running FastStack Sniffer10G, type:
      – # dmesg | grep myri_snf | tail -5
      The output indicates that the links with Sniffer10G are active.
    • Testing Sniffer10G
      Requires two systems:
      – System One: runs a simple receive program (eventually this system will run Suricata)
      – System Two: runs FastStack Sniffer10G's Packet Generator
      To generate packets, type:
      – # /opt/snf/bin/tests/snf_simple_recv -p0 -t 1   (Server 1)
      – # /opt/snf/bin/tests/snf_pktgen -p0 -s 60 -n 50000000   (Server 2)
      – The output on Server 1 shows that System 2 is injecting packets at wire rate.
    • How to Install & Build Suricata with Sniffer10G
      Type:
      – # wget http://www.openinfosecfoundation.org/download/suricata-1.3.tar.gz
      – # yum install file-devel
      – # tar -xvzf suricata-1.3.tar.gz
      – # mv suricata-1.3 suricata
      – # cd suricata
      – # ./configure --with-libpcap-includes=/opt/snf/include/ --with-libpcap-libraries=/opt/snf/lib/ --prefix=/usr --sysconfdir=/etc --localstatedir=/var
      – # make
      – # make install-full
      – # cp classification.config /etc/suricata
      – # cp reference.config /etc/suricata
      – # cp suricata.yaml /etc/suricata
    • Steps Validating Suricata Build w/ Sniffer10G
      To confirm the location from which Suricata will run, type:
      – # which suricata
      Output will read:
        /usr/local/bin/suricata
      To confirm that Suricata is using the Sniffer10G libraries, type:
      – # ldd /usr/local/bin/suricata | grep snf
      Output will read:
        libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007f4359199000)
        libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007f4358b53000)
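    The ldd check above is a one-off visual inspection. As an added example (not code from the Emulex/Myricom slides), the following POSIX shell script turns it into a pass/fail test that can run at deploy time. It assumes the Sniffer10G libraries live under /opt/snf/lib as on the slide; the two ldd listings embedded in it are constructed samples (load addresses made up), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Emulex/Myricom slides: verify that a Suricata
# binary resolves libpcap and libsnf from the Sniffer10G tree, as the
# "ldd ... | grep snf" step on the slide does, but as a reusable pass/fail check.

SNF_LIB_DIR="${SNF_LIB_DIR:-/opt/snf/lib}"   # assumed install path (slide: /opt/snf)

# snf_libs_linked: read ldd output on stdin; succeed (exit 0) only when both
# libpcap.so.1 and libsnf.so.0 are resolved from $SNF_LIB_DIR.
# A Suricata that quietly linked the distribution libpcap would still start and
# capture, but through the kernel path, so nothing else would flag the mistake.
snf_libs_linked() {
    awk -v dir="$SNF_LIB_DIR" '
        $1 == "libpcap.so.1" && $3 ~ ("^" dir "/") { pcap = 1 }
        $1 == "libsnf.so.0"  && $3 ~ ("^" dir "/") { snf = 1 }
        END { exit (pcap && snf) ? 0 : 1 }'
}

# check_suricata_binary [PATH]: run ldd on the given binary (default: the
# suricata found in PATH) and report the result.
check_suricata_binary() {
    bin="${1:-$(command -v suricata)}"
    [ -x "$bin" ] || { echo "suricata binary not found" >&2; return 2; }
    if ldd "$bin" | snf_libs_linked; then
        echo "OK: $bin is linked against Sniffer10G libraries in $SNF_LIB_DIR"
    else
        echo "FAIL: $bin does not use $SNF_LIB_DIR/libpcap.so.1 and libsnf.so.0" >&2
        return 1
    fi
}

# Constructed sample ldd output, modelled on the lines the slide expects.
GOOD_LDD='	linux-vdso.so.1 =>  (0x00007fff5e1ff000)
	libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007f4359199000)
	libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007f4358b53000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f4358780000)'

# Constructed sample of a build that picked up the distribution libpcap instead.
BAD_LDD='	linux-vdso.so.1 =>  (0x00007fff5e1ff000)
	libpcap.so.1 => /usr/lib64/libpcap.so.1 (0x00007f1122334000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f4358780000)'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$GOOD_LDD" | snf_libs_linked && echo "sample 1: linked against Sniffer10G"
    printf '%s\n' "$BAD_LDD"  | snf_libs_linked || echo "sample 2: NOT linked against Sniffer10G"
fi
```

    Run `check_suricata_binary /usr/local/bin/suricata` on the build host after `make install-full`; `--demo` exercises the two embedded samples without needing a real binary.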
    • Configuring & Running Suricata w/ Sniffer10G
      The Suricata configuration file is:
      – /etc/suricata/suricata.yaml
      Several changes are required to the components of this file:
      – Locate the "pcap:" section
      – Make the following edits to "pcap":
        • interface: eth4
        • threads: 16
        • buffer-size: 512kb
        • checksum-checks: no
      To start Suricata on the first system, type:
      – # SNF_NUM_RINGS=16 SNF_FLAGS=0x1 suricata -c /etc/suricata/suricata.yaml -i eth4 --runmode=workers
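    As an added example (not code from the slides): the slide pairs SNF_NUM_RINGS=16 in the environment with threads: 16 in the YAML, and the two are easy to let drift apart when the file is edited by hand. The POSIX shell script below reads the pcap section of a suricata.yaml and derives the start command from it, so the ring count always follows the configured thread count. The YAML excerpt is constructed in the layout of Suricata 1.3's file, with the pcap section as a list item; the function names and the temp-file approach are my own.

```shell
#!/bin/sh
# Added example, not from the Emulex/Myricom slides: derive the Sniffer10G
# start command from the "pcap:" section of suricata.yaml so that
# SNF_NUM_RINGS and "threads" cannot disagree.

# pcap_setting KEY FILE: print the value of KEY inside the top-level "pcap:"
# block. The block ends at the next line that starts in column 0; commented-out
# keys (e.g. "# threads: 16") are ignored.
pcap_setting() {
    awk -v key="$1" '
        /^pcap:/             { inblk = 1; next }
        inblk && /^[^ \t#-]/ { inblk = 0 }
        inblk {
            line = $0
            sub(/^[ \t]*-?[ \t]*/, "", line)   # strip indent and list dash
            sub(/[ \t]*#.*$/, "", line)        # strip comments
            n = index(line, ":")
            if (n && substr(line, 1, n - 1) == key) {
                v = substr(line, n + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }' "$2"
}

# pcap_section_ok FILE: succeed when the section carries the settings the
# slide calls for: checksum-checks disabled, threads and buffer-size set.
pcap_section_ok() {
    [ "$(pcap_setting checksum-checks "$1")" = "no" ] &&
    [ -n "$(pcap_setting threads "$1")" ] &&
    [ -n "$(pcap_setting buffer-size "$1")" ]
}

# snf_run_command FILE: print the start command from the slide, with the ring
# count taken from "threads" and the interface from "interface".
snf_run_command() {
    iface=$(pcap_setting interface "$1")
    threads=$(pcap_setting threads "$1")
    [ -n "$iface" ] && [ -n "$threads" ] || { echo "pcap section incomplete" >&2; return 1; }
    printf 'SNF_NUM_RINGS=%s SNF_FLAGS=0x1 suricata -c %s -i %s --runmode=workers\n' \
        "$threads" "$1" "$iface"
}

# Constructed excerpt in the layout of /etc/suricata/suricata.yaml (Suricata 1.3).
SAMPLE_YAML=$(mktemp)
trap 'rm -f "$SAMPLE_YAML"' EXIT
cat > "$SAMPLE_YAML" <<'EOF'
default-log-dir: /var/log/suricata/

pcap:
  - interface: eth4
    threads: 16
    buffer-size: 512kb
    checksum-checks: no
    # promisc: yes

pfring:
  - interface: eth0
    threads: 1
EOF

if [ "${1:-}" = "--demo" ]; then
    pcap_section_ok "$SAMPLE_YAML" && snf_run_command "$SAMPLE_YAML"
fi
```

    On a real host call `snf_run_command /etc/suricata/suricata.yaml` and execute its output; if the pcap section were left at the distribution defaults, `pcap_section_ok` fails and nothing is started.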
    • Testing Suricata w/ Sniffer10G
      Obtain a sample network capture file for Server 2:
      – # wget https://www.openpacket.org/capture/grab/54
      To inject the sample packet capture file from Server 2 into Suricata (Server 1), type:
      – # /opt/snf/bin/tests/snf_replay -v -p0 -R 0.18 -i 2500 54
      Output will read:
        Thread 0> Packets: 5122500
        Thread 0> Bytes: 1660497500
        Thread 0> Rate: 0.27 Mpps
        Thread 0> Throughput: 0.695 Gbps in 19.122 secs
      To confirm the arrival and processing of the packets, stop Suricata.
    • Testing Suricata w/ Sniffer10G (cont'd)
      Stopping Suricata on Server 1 prints the per-thread capture statistics:
        all 16 packet processing threads, 3 management threads initialized, engine started.
        ^C20/7/2012 -- 09:03:25 - <Info> - stopping engine, waiting for outstanding packets
        20/7/2012 -- 09:03:25 - <Info> - all packets processed by threads, stopping engine
        20/7/2012 -- 09:03:25 - <Info> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
        20/7/2012 -- 09:03:26 - <Info> - time elapsed 31.245s
        20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Packets 195000, bytes 34637500
        20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Pcap Total:195000 Recv:195000 Drop:0 (0.0%).
        20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 172500 TCP packets
        20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts
        20/7/2012 -- 09:03:26 - <Info> - Alert unified2 module wrote 687249 alerts
        20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 14 requests
        20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Packets 190000, bytes 32032500
        20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Pcap Total:190000 Recv:190000 Drop:0 (0.0%).
        20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 155000 TCP packets
        20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts
        20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 3 requests
        20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p13) Packets 205000, bytes 50245000
        ...
        20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p116) Pcap Total:417500 Recv:417500 Drop:0 (0.0%).
        20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 392500 TCP packets
        20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts
        20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 8 requests
        20/7/2012 -- 09:03:26 - <Info> - cleaning up signature grouping structure... complete
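    As an added example (not code from the slides): the per-thread "Pcap Total/Recv/Drop" lines in the shutdown output above are the real pass/fail evidence for the replay test, since a dropped packet is one the IDS never inspected. The POSIX shell script below summarises those lines and fails if any capture thread dropped packets. The sample log consists of three lines taken from the slide's output plus one constructed line with a nonzero drop count to exercise the failure path; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Emulex/Myricom slides: summarise the per-thread
# "Pcap Total:N Recv:N Drop:N" lines Suricata prints at shutdown and fail when
# any thread dropped packets.

# pcap_drop_summary: read Suricata log lines on stdin; print one line per
# capture thread ("thread total recv drop") followed by a TOTAL line.
pcap_drop_summary() {
    awk '
        # num(s, key): the integer that follows key in s, e.g. "Drop:0" -> 0
        function num(s, key) {
            if (!match(s, key "[0-9]+")) return 0
            return substr(s, RSTART + length(key), RLENGTH - length(key)) + 0
        }
        /Pcap Total:/ {
            match($0, /\([A-Za-z0-9]+\)/)        # first "(...)" is the thread name
            thread = substr($0, RSTART + 1, RLENGTH - 2)
            total = num($0, "Total:"); recv = num($0, "Recv:"); drop = num($0, "Drop:")
            printf "%s %d %d %d\n", thread, total, recv, drop
            t += total; r += recv; d += drop
        }
        END { printf "TOTAL %d %d %d\n", t, r, d }'
}

# pcap_no_drops: read the same log on stdin; succeed only when the summed
# Drop count over all capture threads is zero.
pcap_no_drops() {
    pcap_drop_summary | awk '$1 == "TOTAL" { exit ($4 == 0) ? 0 : 1 }'
}

# Three lines taken from the slide's shutdown output.
SAMPLE_LOG='20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Pcap Total:195000 Recv:195000 Drop:0 (0.0%).
20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 172500 TCP packets
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Pcap Total:190000 Recv:190000 Drop:0 (0.0%).
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p116) Pcap Total:417500 Recv:417500 Drop:0 (0.0%).'

# Constructed line (not from the slide) showing what an overloaded thread looks like.
DROP_LINE='20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p13) Pcap Total:205000 Recv:204100 Drop:900 (0.4%).'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | pcap_drop_summary
    printf '%s\n' "$SAMPLE_LOG" | pcap_no_drops && echo "slide output: no drops"
    printf '%s\n' "$SAMPLE_LOG" "$DROP_LINE" | pcap_no_drops || echo "with constructed line: drops detected"
fi
```

    In practice, capture Suricata's stderr to a file when starting it (`suricata ... 2>suricata.out`) and run `pcap_no_drops < suricata.out` after stopping it; a nonzero exit means the replay rate or the thread/ring count needs revisiting before the numbers on the previous slide mean anything.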
    • FastStack Sniffer10G – Summary
      Key enablers for:
      – Network surveillance & monitoring
      – Intrusion detection & protection
      – Network performance analysis
      Provides:
      – Streamlined integration
      – Line rate lossless packet capture and injection
      – Leverages 10GbE network infrastructure
      – Cost effective deployment of robust network monitoring
    • Resources on Emulex.com
      Product pages
      – Product landing pages
      Resources
      – Datasheets
      – FastStack Sniffer10G solution
      – Competitive assessment
    • Putting It All Together: One Company
      Storage Solutions:
      – 9th Generation Fibre Channel Technology
      – Over 12 million adapter ports installed world wide
      – Bullet-proof driver stack
      – Backward compatibility
      – Rock-solid reliability
      – Superior management capabilities
      Network Solutions:
      – Sold through Tier 1 OEMs: LOM, NIC, UCNA form factors
      – #1 in 10GbE worldwide port shipments*
      – Versatile and scalable
      – One adapter, multi-applications
      High Performance Network Solutions:
      – Optimized to meet the requirements of vertical markets: low latency, lossless packet capture, video/content delivery
      * Crehan Research, Server-class Adapter & LOM Market Share Report, 2Q 2012 (Emulex Fiscal Year 2012)
    • Thank You for Participating
      Previous Webcast: FastStack Sniffer10G Overview, Sept 6th 2012
      For copies of this presentation please send an e-mail to:
      – allen.ordoubadian@emulex.com
      Click http://www.emulex.com/company/events/webcasts.html to:
      – View this webcast
      – View past webcasts
      – Register for upcoming webcasts
    • Q/A