Educause Security Discussion mailing list archives
Re: bonded endace + snort
From: Mike Lococo <mike.lococo () NYU EDU>
Date: Fri, 29 Apr 2011 11:58:40 -0400

On 04/29/2011 11:18 AM, Jeff Murphy wrote:
> For those who would like to attach snort to multiple Endace cards, but found that you can't bond those cards together, a snort DAQ module was published today that performs pseudo-bonding for you: http://www.snort.org/snort-downloads/external-daq/

It's not clear to me exactly what this is doing. Are these the conditions under which this daq module is helpful?

1) You have 2 or more Endace capture cards in a system.
2) You are not interested or are unable for some reason to run one (or more) snort-process(es) per capture-card in order to take advantage of multiple CPUs.
3) The aggregate traffic from all cards can be processed by a single-snort instance on a single cpu.
4) And so you wish to merge the output of the cards together and process the aggregate with a single snort-instance running on a single cpu, in order to simplify management.

Most shops that I'm aware of with a traffic amount that can be handled with a single-CPU/single-snort-instance (less than about 300mbits/sec) run on commodity network cards instead of multiple dedicated capture-cards.

Cheers,
Mike Lococo