If you have multiple CPU cores, Setup will automatically ask you how many PF_RING instances you'd like for Snort/Suricata (IDS engine processes) and Bro and will tell you how to adjust after the fact. As of securityonion-setup - 20120912-0ubuntu0securityonion201, Setup should analyze your system and recommend a certain number of PF_RING instances:
If you want to change the number of PF_RING instances after running Setup, you can do the following.
- Stop sensor processes:
- Edit /etc/nsm/$HOSTNAME-$INTERFACE/sensor.conf and change the IDS_LB_PROCS variable to the desired number of cores.
- Start sensor processes:
If running Snort, the script automatically spawns $IDS_LB_PROCS instances of Snort (using PF_RING), barnyard2, and snort_agent.
If running Suricata, the script automatically copies $IDS_LB_PROCS into suricata.yaml and then Suricata spins up the PF_RING instances itself.
For Bro, you would do the following:
- Stop bro:
sudo nsm_sensor_ps-stop --only-bro
- Edit /opt/bro/etc/node.cfg and change the lb_procs variable to the desired number of cores.
- Start bro:
sudo nsm_sensor_ps-start --only-bro
If you've already run Setup and want to modify min_num_slots, you can manually create/edit /etc/modprobe.d/pf_ring.conf.
For example, to increase min_num_slots to 65534, do the following:
echo "options pf_ring transparent_mode=0 min_num_slots=65534" | sudo tee /etc/modprobe.d/pf_ring.conf
After editing /etc/modprobe.d/pf_ring.conf, you'll need to reload the PF_RING module as follows (or just reboot):
sudo rmmod pf_ring
Please see the Upgrade page for notes on updating the PF_RING kernel module.
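A sanity check to run before restarting sensor processes, so a mistyped value is caught before the sensor stops capturing. This is an added example, not part of Security Onion: the function names, the sample file contents and the core count are constructed, and it assumes the three files hold plain KEY=VALUE settings or a modprobe "options" line as shown on this page.

```shell
#!/bin/sh
# Added example: checks the three settings this page edits before a restart.
# Sample files are constructed; KEY=VALUE formats are an assumption.

# Print the last value assigned to KEY in a KEY=VALUE file (skips comments).
conf_value() {  # usage: conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Print the value of OPT from an "options MODULE ..." line in a modprobe.d file.
modprobe_opt() {  # usage: modprobe_opt FILE MODULE OPT
    awk -v m="$2" -v o="$3" '$1 == "options" && $2 == m {
        for (i = 3; i <= NF; i++) { split($i, kv, "="); if (kv[1] == o) v = kv[2] }
    } END { if (v != "") print v }' "$1"
}

# Succeed only if VALUE is a whole number between 1 and CORES.
valid_procs() {  # usage: valid_procs VALUE CORES
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ]
}

# Report one setting; returns non-zero when it is out of range.
report() {  # usage: report LABEL VALUE CORES
    if valid_procs "$2" "$3"; then echo "OK   $1=$2 (cores: $3)"
    else echo "WARN $1='$2' is not between 1 and $3"; return 1; fi
}

# Constructed stand-ins for sensor.conf, node.cfg and pf_ring.conf.
demo_dir=$(mktemp -d)
printf 'IDS_ENGINE_ENABLED="yes"\nIDS_LB_PROCS=4\n' > "$demo_dir/sensor.conf"
printf '[worker]\ntype=worker\nlb_method=pf_ring\nlb_procs=16\n' > "$demo_dir/node.cfg"
echo "options pf_ring transparent_mode=0 min_num_slots=65534" > "$demo_dir/pf_ring.conf"

cores=8  # constructed; on a real sensor use: cores=$(getconf _NPROCESSORS_ONLN)
report IDS_LB_PROCS "$(conf_value "$demo_dir/sensor.conf" IDS_LB_PROCS)" "$cores" || true
report lb_procs "$(conf_value "$demo_dir/node.cfg" lb_procs)" "$cores" || true
echo "min_num_slots=$(modprobe_opt "$demo_dir/pf_ring.conf" pf_ring min_num_slots)"
rm -rf "$demo_dir"
```

With the sample data, IDS_LB_PROCS=4 passes and lb_procs=16 is flagged because it exceeds the 8 cores assumed here.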