So I appear to have pf_ring installed (via the RPMs) and snort working with it. If I start up a snort instance using a command line similar to the metaflows article (except I'm doing passive instead of inline for the time being):
snort -c /etc/snort/snort.conf -y -i eth0 --daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=10 --daq-mode passive

I get a status counter "device" created in /proc/net/pf_ring named <pid>-eth0.1. If I watch this file with cat while sending some traffic to the machine, I see the counters increasing, and snort is logging the information. So based on this, it seems that snort is working with pf_ring, which was my "first step", so that's pretty cool.

Now I'm trying to figure out how I distribute the load across multiple snort / pf_ring instances. I started up multiple instances of snort, but when I watch the counters it seems that only the one I started last is getting all the traffic. I'm probably missing something in how I start it up, but I'm unsure what. What do I need to tell pf_ring / snort so that they distribute the load across the multiple rings / snorts? Is that what the clusterid=10 means? Is that telling each pf_ring that it's part of the same cluster?

I'm still working on understanding how all this works together, so if anyone has any thoughts / suggestions that would be great! I'll keep researching and reading and testing on my own as well, thx!
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
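The post watches the per-ring status files under /proc/net/pf_ring by hand to see which snort instance is receiving traffic. The script below is an added example, not code from the post or from the ntop / PF_RING project: it parametrises the post's own snort command line so every worker is started with the same clusterid, then reads the status files of all rings in that cluster and reports whether more than one ring is actually seeing packets, which is exactly the "only the last instance gets everything" symptom the post describes. It assumes (an assumption, not confirmed by the post) that each ring's status file contains "Cluster Id" and "Tot Packets" lines in a "Key : value" layout; the sample files it writes are constructed to that assumed layout so the check can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post or the PF_RING project.
# Assumption: each /proc/net/pf_ring/<pid>-<dev>.<n> file has lines such as
#   "Cluster Id       : 10"  and  "Tot Packets      : 4200"
# The constructed sample files in make_sample_dir follow that assumed layout.

# Command line for one snort worker on interface $1 with cluster id $2.
# Every worker must be given the same clusterid; the flags are the post's own.
snort_worker_cmd() {
    printf 'snort -c /etc/snort/snort.conf -y -i %s --daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=%s --daq-mode passive\n' "$1" "$2"
}

# Print the value of the "Key : value" line whose key is $2 in status file $1
# (empty output when the key is absent).
ring_field() {
    awk -F':' -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); print v; exit }
    ' "$1"
}

# Print "<ring-file> <packets>" for every ring in directory $1 bound to cluster $2.
cluster_counts() {
    dir=$1; cid=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(ring_field "$f" 'Cluster Id')" = "$cid" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(ring_field "$f" 'Tot Packets')"
    done
}

# Number of rings in cluster $2 (directory $1) that have received at least one packet.
active_rings() {
    cluster_counts "$1" "$2" | awk '$2 > 0 { n++ } END { print n + 0 }'
}

# Exit 0 when traffic is spread over more than one ring of the cluster,
# 1 when a single ring (or none) is taking all of it.
check_distribution() {
    [ "$(active_rings "$1" "$2")" -gt 1 ]
}

# Write one constructed status file: $1 dir, $2 file name, $3 cluster id, $4 packets.
write_sample_ring() {
    printf 'Bound Device(s)  : eth0\nActive           : 1\nCluster Id       : %s\nTot Packets      : %s\n' \
        "$3" "$4" > "$1/$2"
}

# Create a temp directory holding constructed status files for three rings:
# two in cluster 10 with packet counts $1 and $2, one in cluster 11 as a bystander.
# Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    write_sample_ring "$d" 101-eth0.1 10 "$1"
    write_sample_ring "$d" 102-eth0.1 10 "$2"
    write_sample_ring "$d" 103-eth0.1 11 500
    printf '%s\n' "$d"
}

# Demo against the constructed data (run as: sh this.sh demo). On a live sensor,
# replace $d with /proc/net/pf_ring after starting the workers with snort_worker_cmd.
if [ "${1:-}" = "demo" ]; then
    echo "worker command: $(snort_worker_cmd eth0 10)"
    d=$(make_sample_dir 0 4200)        # the post's symptom: one ring takes everything
    cluster_counts "$d" 10
    check_distribution "$d" 10 && echo "cluster 10: load is distributed" \
                               || echo "cluster 10: a single ring is taking all traffic"
    rm -rf "$d"
fi
```

On a real sensor, run the printed worker command once per desired instance, then point cluster_counts and check_distribution at /proc/net/pf_ring with the cluster id you chose; re-running the check after a few seconds of traffic shows whether the counters of every ring in the cluster are moving or only one of them.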
