Re: FW: Afpacket daq-2.0.1 snort

[Juan Jesus Prieto <jjprieto () redborder org>]

Hi Anshuman,

  Another way to control the bypass feature is monitoring the desired 
processes (e.g. snort) via snmp and launch a trap if the process goes 
away, then also you will need to configure a snmptrapd server to capture 
and process this trap and execute for example the bypass enabling of the 
dual nic.

  We use this techniques and others more advanced to control bypass 
status of LAN-bypass NICs, for example: modified version of pf_ring, 
complex initscript to control bypass enabling/disabling, etc.

Regards.

El 02/07/14 21:40, Jaime Nebrera escribió:
> Inline
>
> El 02/07/2014 20:37, "Anshuman Anil Deshmukh" <anshuman () cybage com 
> <mailto:anshuman () cybage com>> escribió:
> >
> > The vendor said that it can be done using these two different ways.
> >
> > 1. They have their API to control the NIC (niagara_util -k).
>
> This doesn't tell me much besides probably being Gen 2/3 As to what 
> you mean by control is just to configure, then doesn't mean anything
>
> To control I mean trigger bypass mode from software
>
> >
> > 2. Call the system functions themselves. The source code is with the 
> driver. They have examples under user_api/examples/module_kick.c under 
> the drivers they have provided.
> >
> >
> >
> > The vendor have specifically recommended using the 'kick' option. 
> They said that whenever the snort application fails, the 'kick' can be 
> configured to stop sending heartbeats by which the NIC will go to 
> bypass because of the missed heartbeat.
>
> This sounds a lot as a Gen 1 card as the bypass is essentially 
> hardware controlled (power or watchdog)
>
> This is not good. In general terms a watchdog is not triggered by 
> first miss, but by a sequence of them (say 3 missed ticks in 5 
> seconds) Thus the activation is going to be slow, quite slow. If you 
> make watchdog more sensitive is going to be prone to false positives
>
> > Looking at the solution that vendor has provided, please let me know 
> under which Gen exactly would my NIC come.
>
> Without looking into the code and without real contact with the 
> hardware I wouldn't put my hand in the fire, but based on the "they 
> suggest to do it through watchdog " I would think is a Gen 1 card
>
> Also please comment on the solution if it would be appropriate to use 
> for an inline IPS solution OR you have any other recommendations.
>
> For any new project, a Gen 3 card would be a must. Gen 1 is just crap, 
> and Gen 2 is problematic to maintain
>
> Of course, in some manufacturers the difference between Gen 2/3 is 
> quite blurry due to the fact they control both the card and the 
> chipset. In this particular case, 2/3 are essentially the same (think 
> for manufacturers like Napatech or Tilera)
>
> Also, while Gen coding has become quite standard in the industry, you 
> might see it with a different name. For example, Silicom calls "side 
> driver" for Gen 3 cards
>
> As for open source bundles that cover bypass cards interaction I'm not 
> aware of any besides our redBorder project, but officially only 
> supports Silicom cards. If you want to talk about Interface Masters 
> support in redBorder, please email me directly off list
>
> Properly controlling when and how to enable the bypass is not hard, 
> but requires quite a bit of init script adaptation
>
> Hope it helps. Regards
>
>
>
> ------------------------------------------------------------------------------
> Open source business process management suite built on Java and Eclipse
> Turn processes into business applications with Bonita BPM Community Edition
> Quickly connect people, data, and systems into organized workflows
> Winner of BOSSIE, CODIE, OW2 and Gartner awards
> http://p.sf.net/sfu/Bonitasoft
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visithttp://blog.snort.org  to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!