Integrating and Optimizing Suricata with FastStack™ Sniffer10G™

Emulex Confidential - © 2012 Emulex Corporation

Emulex Technology Webcast Series

Description: Join the Open Information Security Foundation (OISF), Myricom and Emulex to learn about deploying and fine-tuning Suricata to create an effective IDS/IPS system.

Transcript of Integrating and Optimizing Suricata with FastStack™ Sniffer10G™

Page 1: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Page 2: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Logistics

Attendees will be placed on mute during the presentation

Please use the WebEx’s Q&A feature to submit questions at any time

For a copy of this presentation please send an e-mail to: [email protected]

Please visit emulex.com/webcasts for a list of our upcoming webcasts

Page 3: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


FastStack™ Sniffer10G

For superior network analytics & cyber-security

Page 4: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Agenda

Objective

About Emulex

About Myricom

About Suricata

Installing Sniffer10G

Testing Sniffer10G Installation

Building Suricata with Sniffer10G

Tuning Suricata with Sniffer10G

Q & A

Page 5: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Objective of Today's Webinar

Introduction to FastStack Sniffer10G

Demonstrate how to:
– Install FastStack Sniffer10G
– Configure FastStack Sniffer10G
– Test FastStack Sniffer10G
– Link FastStack Sniffer10G to Suricata
– Utilize the different run modes

Page 6: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


About Emulex

Emulex solutions are used and offered by the industry’s leading server and storage OEMs

– An ever-expanding interoperability ecosystem
– High scalability with support for small and large environments

Industry leader in the Fibre Channel storage market
– The performance expected of high-demand environments
– Tools to maximize the efficiency of your resources
– Reliability that is second to none

A leader in converged networking solutions, providing enterprise-class connectivity
– Delivered through OEM server partners
– #1 in 10GbE Worldwide Port Shipments for fiscal year 2012*
– Requests for higher performance solutions for specific vertical markets

* Crehan Research, Server-class Adapter & LOM Market Share Report, 2Q 2012 (Emulex Fiscal Year 2012)

Page 7: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


About Myricom

Leading provider of adaptable Ethernet Solutions for vertical markets requiring extreme performance

Pioneer in HPC – Interconnect technology since 1994

Unique, adaptable hardware and software architecture

One of the first to deliver general-purpose 10GbE adapters
– Processor-based architecture, highly programmable
– Allows for firmware and API development for high performance applications
– Solutions offer performance and time-to-market customer advantages

Low latency networking – low CPU overhead solutions

Page 8: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


About Suricata

Open source, next generation intrusion detection and prevention engine

Brings new ideas and technologies to the field, but not intended to replace or emulate the existing tools in the industry

Suricata is under development by OISF (Open Information Security Foundation)

Suricata is part of and funded by:
– The Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology)
– The Navy's Space and Naval Warfare Systems Command (SPAWAR)
– The members of the OISF Consortium

The current version is 1.3.1 for Linux, Mac, FreeBSD, Unix & Windows

Page 9: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


FastStack Sniffer10G Overview

Lossless packet capture/injection enabling superior network analytics

Leverages Emulex OCe12000-D family of 10GbE network adapters

Flexibility

- Enables Deep Packet Inspection (DPI)

- Multi-core awareness

- Flexibility of how data can be analyzed

- Supports packet capture and injection at 14.88 Mpps (million packets per second)

High Performance

- Kernel-bypass architecture

- Delivers line-rate, lossless packet capture and injection without introducing latency

- Provides lossless packet capture regardless of packet size

Cost Effective

- No specialized capture hardware (i.e. no dedicated appliance)

- In “Sniffer Mode”, packet-rate sensitive firmware runs on MIPS-like processor on the adapter

- Leverages industry standard 10GbE

Page 10: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


FastStack Sniffer10G and Suricata

[Diagram: Packets → Buffers → Workers (Worker 1 … Worker n+1) → Suricata]

Page 11: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Installing Sniffer10G on Linux

Download the latest build of Sniffer10G to your system

To install, type:
– # rpm -i myri_snf-2.0.6.50271-2831.x86_64.rpm

The key items can be found in:
– /opt/snf

To confirm your adapter has a current license for Sniffer10G, type:
– # /opt/snf/sbin/myri_license

(Screenshot) The output indicates that the licenses are active

Page 12: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Starting FastStack Sniffer10G

To start FastStack Sniffer10G, type:
– # myri_start_stop restart
– Note: "start" can also be used, but if Sniffer10G is already running, "restart" will cause a stop/start cycle

The following will appear:
Restarting Sniffer10G
Removing myri_snf
Loading myri_snf

To confirm the OS is running FastStack Sniffer10G, type:
– # dmesg | grep myri_snf | tail -5

(Screenshot) The output indicates that the links with Sniffer10G are active

Page 13: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Testing Sniffer10G

Requires two systems:
– System One: runs the simple receive program (eventually this will be Suricata)
– System Two: runs FastStack Sniffer10G's packet generator

On System One, start the receiver:
– # /opt/snf/bin/tests/snf_simple_recv -p0 -t 1

On System Two, generate packets:
– # /opt/snf/bin/tests/snf_pktgen -p0 -s 60 -n 50000000

Output for Server 1 will read: (screenshots of Server 1 and Server 2)
– System 2 is injecting packets at wire rate

Page 14: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


How to Install & Build Suricata with Sniffer10G

Type:
– # wget http://www.openinfosecfoundation.org/download/suricata-1.3.tar.gz
– # yum install file-devel
– # tar -xvzf suricata-1.3.tar.gz
– # mv suricata-1.3 suricata
– # cd suricata
– # ./configure --with-libpcap-includes=/opt/snf/include/ --with-libpcap-libraries=/opt/snf/lib/ --prefix=/usr --sysconfdir=/etc --localstatedir=/var
– # make
– # make install-full
– # cp classification.config /etc/suricata
– # cp reference.config /etc/suricata
– # cp suricata.yaml /etc/suricata

Page 15: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Steps for Validating the Suricata Build w/ Sniffer10G

To confirm the location from which Suricata will run, type:
– # which suricata

Output will read: /usr/local/bin/suricata

To confirm that Suricata is using the Sniffer10G libraries, type:
– # ldd /usr/local/bin/suricata | grep snf

Output will read:
libpcap.so.1 => /opt/snf/lib/libpcap.so.1 (0x00007f4359199000)
libsnf.so.0 => /opt/snf/lib/libsnf.so.0 (0x00007f4358b53000)

Page 16: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Configuring & Running Suricata w/ Sniffer10G

The Suricata configuration file is:
– /etc/suricata/suricata.yaml

Several changes are required to the components of this file:
– Locate the "pcap:" section
– Make the following edits to "pcap":
  • interface: eth4
  • threads: 16
  • buffer-size: 512kb
  • checksum-checks: no

To start Suricata on the first system, type:
– # SNF_NUM_RINGS=16 SNF_FLAGS=0x1 suricata -c /etc/suricata/suricata.yaml -i eth4 --runmode=workers
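The build-validation steps on the previous slide (`which`, `ldd ... | grep snf`) and the launch line above are worth scripting so that a rebuilt or repackaged Suricata cannot quietly fall back to the distro libpcap and capture through the kernel instead of Sniffer10G. The script below is an added example written for this page, not Emulex, Myricom or OISF code. It assumes the deck's paths (/opt/snf/lib for the Sniffer10G libraries, /etc/suricata/suricata.yaml for the config) and the pcap: layout shown on this slide, and it derives SNF_NUM_RINGS from the pcap threads: value so the 16 threads / 16 rings pairing the deck uses survives later config edits. Note that the deck configures with --prefix=/usr while its `which` output shows /usr/local/bin/suricata; the script checks whichever binary is first in PATH, so confirm it is the one you built.

```shell
#!/bin/sh
# Pre-flight check and launch line for Suricata on a Sniffer10G interface.
# Added example for this page, not Emulex/Myricom/OISF code. The paths below
# are assumptions taken from the deck; adjust them to your installation.

SNF_LIB=/opt/snf/lib
SURICATA_YAML=/etc/suricata/suricata.yaml

# check_snf_linkage: reads `ldd <suricata binary>` output on stdin and succeeds
# only if BOTH libpcap and libsnf resolve under $SNF_LIB. A build that picked
# up the distro libpcap still runs, but captures through the kernel stack
# instead of Sniffer10G, which is exactly the failure worth automating.
check_snf_linkage() {
    awk -v lib="$SNF_LIB" '
        /libpcap\.so/ { if (index($3, lib) == 1) pcap = 1 }
        /libsnf\.so/  { if (index($3, lib) == 1) snf = 1 }
        END { exit (pcap && snf) ? 0 : 1 }'
}

# yaml_pcap_threads: prints the threads: value of the pcap: section of
# suricata.yaml read on stdin. It stops at the next top-level key so that a
# threads: line under af-packet: or pfring: is not mistaken for it.
yaml_pcap_threads() {
    awk '
        /^pcap:/                    { in_pcap = 1; next }
        in_pcap && /^[^ \t#-]/      { in_pcap = 0 }
        in_pcap && $1 == "threads:" { print $2; exit }'
}

# launch_cmd RINGS IFACE: the command line from the slide, with SNF_NUM_RINGS
# taken from the yaml thread count so rings and workers stay paired.
launch_cmd() {
    printf 'SNF_NUM_RINGS=%s SNF_FLAGS=0x1 suricata -c %s -i %s --runmode=workers\n' \
        "$1" "$SURICATA_YAML" "$2"
}

# preflight IFACE: runs the live checks against the installed binary and
# prints the launch line on success. `command -v` returns whichever suricata
# is first in PATH (the deck shows /usr/local/bin/suricata), so the ldd check
# is what proves it is the Sniffer10G-linked build.
preflight() {
    bin=$(command -v suricata) || { echo "suricata not found in PATH" >&2; return 1; }
    ldd "$bin" | check_snf_linkage \
        || { echo "$bin is not linked against $SNF_LIB (libpcap/libsnf)" >&2; return 1; }
    rings=$(yaml_pcap_threads < "$SURICATA_YAML")
    [ -n "$rings" ] || { echo "no threads: value in the pcap: section of $SURICATA_YAML" >&2; return 1; }
    echo "ok: $bin is linked against Sniffer10G, $rings pcap threads configured" >&2
    launch_cmd "$rings" "$1"
}

# Constructed sample of the pcap: section from the slide, used when the script
# is run without "run" so the parsing can be tried on a box without Sniffer10G.
SAMPLE_YAML='pcap:
  - interface: eth4
    threads: 16
    buffer-size: 512kb
    checksum-checks: no'

# Live checks only run as: sh preflight.sh run eth4
if [ "${1:-}" = "run" ]; then
    preflight "${2:-eth4}"
else
    launch_cmd "$(printf '%s\n' "$SAMPLE_YAML" | yaml_pcap_threads)" eth4
fi
```

The functions take their input on stdin rather than calling `ldd` or reading the yaml directly, which is what makes them testable on captured text; the live path (`run`) is the only part that needs a Sniffer10G host.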

Page 17: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Testing Suricata w/ Sniffer10G

Obtain a sample network capture file on Server 2:
– # wget https://www.openpacket.org/capture/grab/54

To inject the sample network traffic packet capture file from Server 2 into Suricata (Server 1), type:
– # /opt/snf/bin/tests/snf_replay -v -p0 -R 0.18 -i 2500 54

Output will read:
Thread 0> Packets: 5122500
Thread 0> Bytes: 1660497500
Thread 0> Rate: 0.27 Mpps
Thread 0> Throughput: 0.695 Gbps in 19.122 secs

To confirm that the packets arrived and were processed, stop Suricata and read the statistics it prints at shutdown

Page 18: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Testing Suricata w/ Sniffer10G (cont'd)

all 16 packet processing threads, 3 management threads initialized, engine started.

^C20/7/2012 -- 09:03:25 - <Info> - stopping engine, waiting for outstanding packets

20/7/2012 -- 09:03:25 - <Info> - all packets processed by threads, stopping engine

20/7/2012 -- 09:03:25 - <Info> - 0 new flows, 0 established flows were timed out, 0 flows in closed state

20/7/2012 -- 09:03:26 - <Info> - time elapsed 31.245s

20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Packets 195000, bytes 34637500

20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Pcap Total:195000 Recv:195000 Drop:0 (0.0%).

20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 172500 TCP packets

20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts

20/7/2012 -- 09:03:26 - <Info> - Alert unified2 module wrote 687249 alerts

20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 14 requests

20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Packets 190000, bytes 32032500

20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Pcap Total:190000 Recv:190000 Drop:0 (0.0%).

20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 155000 TCP packets

20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts

20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 3 requests

20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p13) Packets 205000, bytes 50245000

...

20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p116) Pcap Total:417500 Recv:417500 Drop:0 (0.0%).

20/7/2012 -- 09:03:26 - <Info> - Stream TCP processed 392500 TCP packets

20/7/2012 -- 09:03:26 - <Info> - Fast log output wrote 687249 alerts

20/7/2012 -- 09:03:26 - <Info> - HTTP logger logged 8 requests

20/7/2012 -- 09:03:26 - <Info> - cleaning up signature grouping structure... complete
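The per-thread "Pcap Total/Recv/Drop" lines in the shutdown output above are the evidence that the replay reached Suricata without loss, but with 16 rings they are easy to skim past. The script below is an added example written for this page, not code from the deck or from Suricata. It assumes the Suricata 1.3 log layout shown on this slide and reads the log text on stdin; the sample lines embedded in it are constructed from the ones above. It summarises the counters per receive thread, totals them, and fails unless every expected ring reported and the total drop count is zero, so it can serve as an automated pass/fail step after a replay.

```shell
#!/bin/sh
# Pass/fail check on the Pcap counters Suricata prints at shutdown.
# Added example for this page, not code from the deck or from Suricata. It
# assumes the Suricata 1.3 log layout shown above, one line per receive
# thread of the form:
#   ... <Info> - (RxPcapp4p11) Pcap Total:195000 Recv:195000 Drop:0 (0.0%).

# pcap_ring_summary: reads suricata.log text on stdin and prints one line per
# receive thread, "THREAD total recv drop", then "TOTAL total recv drop pct".
pcap_ring_summary() {
    awk '
        /Pcap Total:/ {
            t = r = d = 0; thread = "?"
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^Total:/)    t = substr($i, 7) + 0
                else if ($i ~ /^Recv:/)     r = substr($i, 6) + 0
                else if ($i ~ /^Drop:/)     d = substr($i, 6) + 0
                else if ($i ~ /^\(Rx.*\)$/) thread = substr($i, 2, length($i) - 2)
            }
            printf "%s %d %d %d\n", thread, t, r, d
            T += t; R += r; D += d
        }
        END { printf "TOTAL %d %d %d %.3f%%\n", T, R, D, (T ? 100 * D / T : 0) }'
}

# assert_no_drops WANT_RINGS: reads the summary on stdin and returns 0 only if
# exactly WANT_RINGS threads reported (a ring that never reported is as much
# of a problem as a lossy one) and the TOTAL drop count is zero.
assert_no_drops() {
    awk -v want="$1" '
        $1 == "TOTAL" { seen = 1; drops = $4 + 0; next }
        { rings++ }
        END { exit (seen && rings == want && drops == 0) ? 0 : 1 }'
}

# Constructed sample: three of the lines from the slide above, used when no
# log file is given so the script can be tried without a Sniffer10G box.
SAMPLE_LOG='20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Packets 195000, bytes 34637500
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p11) Pcap Total:195000 Recv:195000 Drop:0 (0.0%).
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p12) Pcap Total:190000 Recv:190000 Drop:0 (0.0%).
20/7/2012 -- 09:03:26 - <Info> - (RxPcapp4p116) Pcap Total:417500 Recv:417500 Drop:0 (0.0%).'

# Run as: sh pcapstats.sh check /var/log/suricata/suricata.log 16
# (the log path is an assumption; use the path from your suricata.yaml).
if [ "${1:-}" = "check" ]; then
    summary=$(pcap_ring_summary < "$2")
    printf '%s\n' "$summary"
    printf '%s\n' "$summary" | assert_no_drops "${3:-16}"
else
    printf '%s\n' "$SAMPLE_LOG" | pcap_ring_summary
fi
```

The ring count is passed explicitly (16 for the deck's configuration) rather than inferred from the log, so a Suricata instance that silently came up with fewer capture threads is reported as a failure instead of passing on its own partial statistics.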

Page 19: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


FastStack Sniffer10G – Summary

Key enablers for:
– Network surveillance & monitoring
– Intrusion detection & protection
– Network performance analysis

Provides:
– Streamlined integration
– Line-rate lossless packet capture and injection
– Leverages 10GbE network infrastructure
– Cost-effective deployment of robust network monitoring

Page 20: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Resources on Emulex.com

Product pages
– Product landing pages

Resources
– Datasheets
– FastStack Sniffer10G solution
– Competitive assessment

Page 21: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Putting It All Together: One Company

Network Solutions
– Sold through Tier 1 OEMs: LOM, NIC, UCNA form factors
– #1 in 10GbE worldwide port shipments*
– High Performance Network Solutions, optimized to meet the requirements of vertical markets:
  • Low latency
  • Lossless packet capture
  • Video/content delivery
– Versatile and scalable
– One adapter, multiple applications

Storage Solutions
– 9th Generation Fibre Channel Technology
– Over 12 million adapter ports installed worldwide
– Bullet-proof driver stack
– Backward compatibility
– Rock-solid reliability
– Superior management capabilities

* Crehan Research, Server-class Adapter & LOM Market Share Report, 2Q 2012 (Emulex Fiscal Year 2012)

Page 22: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Thank You for Participating

Previous webcast: FastStack Sniffer10G Overview, Sept 6th, 2012

For copies of this presentation please send an e-mail to:
– [email protected]

Click http://www.emulex.com/company/events/webcasts.html to:
– View this webcast
– View past webcasts
– Register for upcoming webcasts

Page 23: Integrating and Optimizing Suricata with FastStack™ Sniffer10G™


Q/A