Integrating and Optimizing Suricata with FastStack™ Sniffer10G™

2,252 views

Published on

Join the Open Information Security Foundation (OSIF), Myricom and Emulex to learn about deploying and fine tuning Suricata to create an effective IDS/IPS system.

Published in: Technology

  1. Emulex Technology Webcast Series
     Emulex Confidential - © 2012 Emulex Corporation
  2. Logistics
     – Attendees will be placed on mute during the presentation
     – Please use the WebEx Q&A feature to submit questions at any time
     – For a copy of this presentation please send an e-mail to: allen.ordoubadian@emulex.com
     – Please visit emulex.com/webcasts for a list of our upcoming webcasts
  3. FastStack™ Sniffer10G™: for superior network analytics & cyber-security
  4. Agenda
     – Objective
     – About Emulex
     – About Myricom
     – About Suricata
     – Installing Sniffer10G
     – Testing Sniffer10G Installation
     – Building Suricata with Sniffer10G
     – Tuning Suricata with Sniffer10G
     – Q&A
  5. Objective of Today's Webinar
     Introduction to FastStack Sniffer10G
     Demonstrate how to:
     – Install FastStack Sniffer10G
     – Configure FastStack Sniffer10G
     – Test FastStack Sniffer10G
     – Link FastStack Sniffer10G to Suricata
     – Utilize different run modes
  6. About Emulex
     Emulex solutions are used and offered by the industry's leading server and storage OEMs
     – An ever-expanding interoperability ecosystem
     – High scalability with support for small and large environments
     Industry leader in the Fibre Channel storage market
     – The performance expected of high demand environments
     – Tools to maximize the efficiency of your resources
     – Reliability that is second to none
     A leader in converged networking solutions, providing enterprise-class connectivity
     – Delivered through OEM server partners
     – #1 in 10GbE Worldwide Port Shipments for fiscal year 2012*
     – Requests for higher performance solutions for specific vertical markets
     * Crehan Research, Server-class Adapter & LOM Market Share Report, 2Q 2012 (Emulex Fiscal Year 2012)
  7. About Myricom
     Leading provider of adaptable Ethernet solutions for vertical markets requiring extreme performance
     Pioneer in HPC
     – Interconnect technology since 1994
     Unique, adaptable hardware and software architecture
     One of the first to deliver general-purpose 10GbE adapters
     – Processor-based architecture, highly programmable
     – Allows for firmware and API development for high performance applications
     – Solutions offer performance and time-to-market customer advantages
     Low latency networking – low CPU overhead solutions
  8. About Suricata
     Open source, next generation intrusion detection and prevention engine
     Brings new ideas and technologies to the field, but is not intended to replace or emulate the existing tools in the industry
     Suricata is under development by OISF (Open Information Security Foundation)
     Suricata is part of and funded by:
     – The Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology)
     – The Navy's Space and Naval Warfare Systems Command (SPAWAR)
     – The members of the OISF Consortium
     The current version is 1.3.1 for Linux, Mac, FreeBSD, Unix & Windows
  9. FastStack Sniffer10G Overview
     Lossless packet capture/injection enabling superior network analytics
     Leverages the Emulex OCe12000-D family of 10GbE network adapters
     High Performance:
     – Kernel by-pass architecture
     – Delivers line rate, lossless packet capture and injection without introducing latency
     – Provides lossless packet capture regardless of packet size
     – Supports packet capture and injection at 14.88Mpps (Million packets per second)
     Flexibility:
     – Enables Deep Packet Inspection (DPI)
     – Multi-core awareness
     – Flexibility of how data can be analyzed
     Cost Effective:
     – No specialized capture hardware (i.e. appliance)
     – In "Sniffer Mode", packet-rate sensitive firmware runs on a MIPS-like processor on the adapter
     – Leverages industry standard 10GbE
  10. FastStack Sniffer10G and Suricata
  11. Installing Sniffer10G on Linux
     Download the latest build of Sniffer10G to your system
     To install, type:
     – # rpm -i myri_snf-2.0.6.50271-2831.x86_64.rpm
     The key items can be found in:
     – /opt/snf
     To confirm your adapter has a current license for Sniffer10G, type:
     – # /opt/snf/sbin/myri_license
     The output indicates that the licenses are active
  12. Starting FastStack Sniffer10G
     To start FastStack Sniffer10G, type:
     – # myri_start_stop restart
     – Note: while start can be used, if Sniffer10G is already running a restart will cause a stop/start cycle
     The following will appear:
       Restarting Sniffer10G
       Removing myri_snf
       Loading myri_snf
     To confirm the OS is running FastStack Sniffer10G, type:
     – # dmesg | grep myri_snf | tail -5
     The output indicates that the links with Sniffer10G are active
  13. Testing Sniffer10G
     Requires two systems
     – System One: runs the simple receive program – eventually will have Suricata
     – System Two: runs FastStack Sniffer10G's packet generator
     To generate packets, type:
     – Server 1: # /opt/snf/bin/tests/snf_simple_recv -p0 -t 1
     – Server 2: # /opt/snf/bin/tests/snf_pktgen -p0 -s 60 -n 50000000
     – The output for Server 1 will show that System 2 is injecting packets at wire rate
  14. How to Install & Build Suricata with Sniffer10G
     Type:
     – # wget http://www.openinfosecfoundation.org/download/suricata-1.3.tar.gz
     – # yum install file-devel
     – # tar -xvzf suricata-1.3.tar.gz
     – # mv suricata-1.3 suricata
     – # cd suricata
     – # ./configure --with-libpcap-includes=/opt/snf/include/ --with-libpcap-libraries=/opt/snf/lib/ --prefix=/usr --sysconfdir=/etc --localstatedir=/var
     – # make
     – # make install-full
     – # cp classification.config /etc/suricata
     – # cp reference.config /etc/suricata
     – # cp suricata.yaml /etc/suricata
  15. Steps Validating the Suricata Build w/ Sniffer10G
     To confirm the location from which Suricata will run, type:
     – # which suricata
     Output will read:
       /usr/local/bin/suricata
     To confirm that Suricata is using the Sniffer10G libraries, type:
     – # ldd /usr/local/bin/suricata | grep snf
     Output will read:
       libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007f4359199000)
       libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007f4358b53000)
  16. Configuring & Running Suricata w/ Sniffer10G
     The Suricata configuration file is:
     – /etc/suricata/suricata.yaml
     Several changes are required to the components of this file:
     – Locate the "pcap:" section
     – Make the following edits to "pcap":
       • interface: eth4
       • threads: 16
       • buffer-size: 512kb
       • checksum-checks: no
     To start Suricata on the first system, type:
     – # SNF_NUM_RINGS=16 SNF_FLAGS=0x1 suricata -c /etc/suricata/suricata.yaml -i eth4 --runmode=workers
  17. Testing Suricata w/ Sniffer10G
     Obtain the sample network capture file for Server 2:
     – # wget https://www.openpacket.org/capture/grab/54
     To inject the sample network traffic packet capture file from Server 2 into Suricata (Server 1), type:
     – # /opt/snf/bin/tests/snf_replay -v -p0 -R 0.18 -i 2500 54
     Output will read:
       Thread 0> Packets: 5122500
       Thread 0> Bytes: 1660497500
       Thread 0> Rate: 0.27 Mpps
       Thread 0> Throughput: 0.695 Gbps in 19.122 secs
     To confirm the arrival and processing of the packets, stop Suricata
  18. Testing Suricata w/ Sniffer10G (cont'd)
     all 16 packet processing threads, 3 management threads initialized, engine started.
     ^C20/7/2012 -- 09:03:25 - <Info> - stopping engine, waiting for outstanding packets
     20/7/2012 -- 09:03:25 - <Info> - all packets processed by threads, stopping engine
     20/7/2012 -- 09:03:25 - <Info> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
     20/7/2012 -- 09:03:26 - <Info> - time elapsed 31.245s
     20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Packets 195000, bytes 34637500
     20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Pcap Total:195000 Recv:195000 Drop:0 (0.0%).
     20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 172500 TCP packets
     20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts
     20/7/2012 -- 09:03:26 - <Info> - Alert unified2 module wrote 687249 alerts
     20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 14 requests
     20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Packets 190000, bytes 32032500
     20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Pcap Total:190000 Recv:190000 Drop:0 (0.0%).
     20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 155000 TCP packets
     20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts
     20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 3 requests
     20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p13) Packets 205000, bytes 50245000
     ...
     20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p116) Pcap Total:417500 Recv:417500 Drop:0 (0.0%).
     20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 392500 TCP packets
     20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts
     20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 8 requests
     20/7/2012 -- 09:03:26 - <Info> - cleaning up signature grouping structure... complete
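Added example, not from the deck and not Suricata's or Emulex's own tooling: a POSIX shell check that reads the per-thread "Pcap Total/Recv/Drop" lines Suricata prints at shutdown (the format shown on slide 18) and fails when any capture thread reports drops, which is the lossless-capture result the test above is meant to confirm. The log lines inside it are constructed (one thread deliberately shows a drop) and the function name is mine.

```shell
#!/bin/sh
# check_capture_drops: reads a Suricata shutdown log on stdin, prints one
# summary line per pcap thread plus a total, and returns 0 only if every
# thread reports Drop:0 (1 if any thread dropped, 2 if no pcap stats found).
check_capture_drops() {
    awk '
    /Pcap Total:/ {
        thread = ""; total = 0; recv = 0; drop = 0
        n = split($0, f, " ")
        for (i = 1; i <= n; i++) {
            # tokens look like "(RxPcapp4p11)", "Total:195000", "Recv:195000", "Drop:0"
            if (f[i] ~ /^\(Rx/)        thread = substr(f[i], 2, length(f[i]) - 2)
            else if (f[i] ~ /^Total:/) total = substr(f[i], 7) + 0
            else if (f[i] ~ /^Recv:/)  recv  = substr(f[i], 6) + 0
            else if (f[i] ~ /^Drop:/)  drop  = substr(f[i], 6) + 0
        }
        printf "%-12s total=%d recv=%d drop=%d\n", thread, total, recv, drop
        threads++; sum_total += total; sum_drop += drop
        if (drop > 0) bad++
    }
    END {
        printf "threads=%d packets=%d dropped=%d\n", threads, sum_total, sum_drop
        exit (threads == 0 ? 2 : (bad > 0))
    }'
}

# Constructed sample log lines in the slide-18 format (values are made up).
CLEAN_LOG='20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Pcap Total:195000 Recv:195000 Drop:0 (0.0%).
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Pcap Total:190000 Recv:190000 Drop:0 (0.0%).'
LOSSY_LOG="$CLEAN_LOG
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p13) Pcap Total:205000 Recv:204000 Drop:1000 (0.5%)."

# Demo: the lossy sample trips the check; in practice feed it Suricata's real output.
if printf '%s\n' "$LOSSY_LOG" | check_capture_drops; then
    echo "capture was lossless"
else
    echo "WARNING: a pcap thread reported drops; revisit the pcap threads/buffer-size tuning" >&2
fi
```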
  19. FastStack Sniffer10G – Summary
     Key enablers for:
     – Network surveillance & monitoring
     – Intrusion detection & protection
     – Network performance analysis
     Provides:
     – Streamlined integration
     – Line rate lossless packet capture and injection
     – Leverages 10GbE network infrastructure
     – Cost effective deployment of robust network monitoring
  20. Resources on Emulex.com
     Product pages
     – Product landing pages
     Resources
     – Datasheets
     – FastStack Sniffer10G solution
     – Competitive assessment
  21. Putting It All Together – One Company
     Storage Solutions:
     – 9th Generation Fibre Channel Technology
     – Over 12 million adapter ports installed world wide
     – Bullet-proof driver stack
     – Backward compatibility
     – Rock-solid reliability
     – Superior management capabilities
     Network Solutions:
     – Sold through Tier 1 OEMs: LOM, NIC, UCNA form factors
     – #1 in 10GbE worldwide port shipments*
     – Versatile and scalable
     – One adapter, multi-applications
     High Performance Network Solutions:
     – Optimized to meet the requirements of vertical markets: low latency, lossless packet capture, video/content delivery
     * Crehan Research, Server-class Adapter & LOM Market Share Report, 2Q 2012 (Emulex Fiscal Year 2012)
  22. Thank You for Participating
     Previous Webcast: FastStack Sniffer10G Overview – Sept 6th 2012
     For copies of this presentation please send an e-mail to:
     – allen.ordoubadian@emulex.com
     Click http://www.emulex.com/company/events/webcasts.html to:
     – View this webcast
     – View past webcasts
     – Register for upcoming webcasts
  23. Q/A