Educause Security Discussion mailing list archives
Re: bonded endace + snort
From: Mike Lococo <mike.lococo () NYU EDU>
Date: Fri, 29 Apr 2011 18:09:27 -0400
> ... or you want to do stream reassembly
I think what you're saying here is that there is single-link which has been subdivided somehow. Either you have the incoming and outgoing portions of a tap on separate ports, or it's been load-balanced in some non-session-aware way. And you're recombining the traffic so that snort sees complete sessions instead of broken-up snippets of traffic. Yes?
Most shops that I'm aware of with a traffic amount that can be handled with a single-CPU/single-snort-instance (less than about 300mbits/sec) run on commodity network cards instead of multiple dedicated capture-cards.

> 5) you are operating at multi-gigabit traffic levels

You are successfully pushing multi-gigabits/second of traffic through a single instance of snort running on a single-cpu without substantial packet-loss? Or am I misunderstanding? Sorry to be dense. I'm just genuinely interested in what the DAQ-module does and having trouble following. I have a multi-gig setup of my own that does have multiple-ports that are split in a non-session aware way, so the module sounds somewhat interesting. I'm familiar with bonding, with ids-load-balancing, with Endace hardware, and with snort. I'm just having trouble understanding where this DAQ module might fit into a snort architecture. I suspect others on-list may share my confusion.

Best Regards,
Mike Lococo
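The "session-aware" versus "non-session-aware" split discussed in this thread, as an added illustration that is not from any of the posts: a direction-sensitive flow hash can send the two halves of one TCP session to different sensor instances, which is exactly what defeats stream reassembly, while a symmetric hash (endpoints ordered before hashing) keeps both directions together. The packet tuples, addresses and the SHA-256 bucket function are constructed stand-ins for whatever a NIC, DAQ module or load balancer actually uses.

```python
import hashlib

# A packet is (src_ip, src_port, dst_ip, dst_port, proto); all values below are constructed.

def _bucket(key: str, n: int) -> int:
    """Map a flow key to one of n sensor instances (stand-in for a NIC/DAQ hash)."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n

def naive_key(pkt) -> str:
    """Direction-sensitive key: A->B and B->A produce different keys."""
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    return f"{proto}|{src_ip}:{src_port}->{dst_ip}:{dst_port}"

def symmetric_key(pkt) -> str:
    """Session-aware key: endpoints are ordered, so both directions share one key."""
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return f"{proto}|{lo[0]}:{lo[1]}<->{hi[0]}:{hi[1]}"

def naive_bucket(pkt, n: int) -> int:
    return _bucket(naive_key(pkt), n)

def symmetric_bucket(pkt, n: int) -> int:
    return _bucket(symmetric_key(pkt), n)

def sessions_intact(packets, bucket_fn, n: int) -> bool:
    """True only if every session's packets, in both directions, land in one bucket."""
    buckets_per_session = {}
    for pkt in packets:
        buckets_per_session.setdefault(symmetric_key(pkt), set()).add(bucket_fn(pkt, n))
    return all(len(b) == 1 for b in buckets_per_session.values())

def sample_traffic(num_sessions: int = 64):
    """Constructed HTTP sessions: client packets one way, server replies the other way."""
    packets = []
    for i in range(num_sessions):
        client, server, cport = "10.1.2.3", "192.0.2.10", 40000 + i
        packets.append((client, cport, server, 80, 6))   # client -> server
        packets.append((server, 80, client, cport, 6))   # server -> client
    return packets

if __name__ == "__main__":
    traffic = sample_traffic()
    for name, fn in (("direction-sensitive", naive_bucket), ("symmetric", symmetric_bucket)):
        print(f"{name}: sessions intact across 4 instances? {sessions_intact(traffic, fn, 4)}")
```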