Snort mailing list archives
Re: FW: Afpacket daq-2.0.1 snort
From: Jaime Nebrera <jnebrera () redborder org>
Date: Wed, 2 Jul 2014 21:40:16 +0200
Inline

On 02/07/2014 20:37, "Anshuman Anil Deshmukh" <anshuman () cybage com> wrote:

> The vendor said that it can be done using these two different ways.
> 1. They have their API to control the NIC (niagara_util -k).

This doesn't tell me much besides probably being Gen 2/3.

If what you mean by control is just to configure, then it doesn't mean anything.

By control I mean trigger bypass mode from software.

> 2. Call the system functions themselves. The source code is with the
> driver. They have examples under user_api/examples/module_kick.c under the drivers they have provided.

> The vendor has specifically recommended using the 'kick' option. They
> said that whenever the snort application fails, the 'kick' can be configured to stop sending heartbeats by which the NIC will go to bypass because of the missed heartbeat.

This sounds a lot like a Gen 1 card, as the bypass is essentially hardware controlled (power or watchdog).

This is not good. In general terms a watchdog is not triggered by the first miss, but by a sequence of them (say 3 missed ticks in 5 seconds).

Thus the activation is going to be slow, quite slow. If you make the watchdog more sensitive, it is going to be prone to false positives.

> Looking at the solution that vendor has provided, please let me know
> under which Gen exactly would my NIC come.

Without looking into the code and without real contact with the hardware I wouldn't put my hand in the fire, but based on the "they suggest to do it through watchdog" I would think it is a Gen 1 card.

> Also please comment on the solution if it would be appropriate to use for an inline IPS solution OR you have any other recommendations.

For any new project, a Gen 3 card would be a must. Gen 1 is just crap, and Gen 2 is problematic to maintain.

Of course, for some manufacturers the difference between Gen 2/3 is quite blurry due to the fact they control both the card and the chipset. In this particular case, 2/3 are essentially the same (think of manufacturers like Napatech or Tilera).

Also, while Gen coding has become quite standard in the industry, you might see it with a different name. For example, Silicom calls Gen 3 cards "side driver".

As for open source bundles that cover bypass card interaction, I'm not aware of any besides our redBorder project, but it officially only supports Silicom cards. If you want to talk about Interface Masters support in redBorder, please email me directly off list.

Properly controlling when and how to enable the bypass is not hard, but requires quite a bit of init script adaptation.

Hope it helps.

Regards
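
The watchdog trade-off described in the reply above, as an added example that is not part of the original message or of any vendor code: a generic model that forces bypass after `misses` missed ticks inside a sliding `window`, run over two constructed heartbeat traces. The 1-second tick, the function name and the traces are assumptions; only the "3 missed ticks in 5 seconds" figure comes from the message.

```python
from collections import deque

def trip_time(kicks, tick=1.0, misses=3, window=5.0, horizon=30.0):
    """Time (s) at which the modelled watchdog forces bypass, or None.

    kicks: sorted heartbeat timestamps in seconds. The watchdog samples every
    `tick` seconds; a tick with no kick since the previous one is a miss, and
    `misses` misses inside a sliding `window` trip the bypass relay.
    """
    recent = deque()  # end times of missed ticks still inside the window
    i = 0
    for k in range(1, int(horizon / tick) + 1):
        t = k * tick
        seen = False
        while i < len(kicks) and kicks[i] <= t:  # consume kicks from this tick
            seen = True
            i += 1
        if seen:
            continue
        recent.append(t)
        while recent[0] <= t - window:  # forget misses older than the window
            recent.popleft()
        if len(recent) >= misses:
            return t
    return None

# Constructed traces (assumption): the sensor kicks every 0.5 s.
CRASH = [0.5 * j for j in range(1, 21)]  # process dies after t = 10.0
# Healthy process that pauses for 1.6 s (4.0 -> 5.6), then keeps kicking.
STALL = [0.5 * j for j in range(1, 9)] + [5.6 + 0.5 * j for j in range(30)]

if __name__ == "__main__":
    for name, misses in (("3 misses in 5 s", 3), ("first miss", 1)):
        crash = trip_time(CRASH, misses=misses)
        stall = trip_time(STALL, misses=misses, horizon=20.0)
        print(f"{name}: crash -> bypass at {crash}s "
              f"(+{crash - 10.0}s after failure), stall -> bypass at {stall}")
```

With the tolerant setting the link stays in the failed inline path for 3 seconds after the crash; with the sensitive setting it drops to 1 second, but the brief stall of a healthy sensor also forces bypass and leaves traffic uninspected.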