Dailydave mailing list archives

Re: halvar, record gigabit networking? IDS for forensics?


From: Nick Selby <nick.selby () the451group com>
Date: Fri, 17 Nov 2006 13:58:00 -0500


<snip>
Gadi Evron wrote:
http://www.packetstormsecurity.org/sniffers/tm-20061111-0.tar.gz

</snip>

This sounds like a poor-man's version of what Solera Networks is on
about - from a report we did (we're not paid by or involved with
Solera in any way, and the report is based on their statements, not
testing - I'd love to hear opinions on what they say they do or how
we've written it).

In a nutshell, Solera claims an average selling price of $50,000, says
it can suck down huge chunks of data in GB ethernet and blow them onto
a disk wicked fast, then serve as either platform for forensic apps
(it's running linux) or as a data source. For example, to feed IDS as
fast as IDS can suck it down, or rebroadcast data through a closed
network segment, or provide chunks as a pcap or other file to be
imported or mounted:


<excerpt>

"Solera's DS series of appliances are 3U rack-mountable Linux-based
appliances, running either *Red Hat* Enterprise Linux 4 or SuSE 10.
The DS uses standard *Intel* NICs, though Solera says it has written
its own drivers for them. Because the boxes are running Linux and the
Solera capture and write runs effectively as a Linux kernel module,
customers are able to both use the DS as a network buffer -
re-broadcasting network traffic once captured out to network segments
- or, using virtual Ethernet adapters, host applications on its own
platform, which can interact with the data in any number of virtual
views.

"The product offers pre-capture filters - for example, not recording
SSH or SSL encrypted traffic - and playback filters on seven main
criteria: source IP, destination IP, MAC address, VLAN, port number,
protocol and time window. Other filters are available as well, but the
main idea is to be able to feed various 'views' into various
applications simultaneously - allowing analysts with, for example,
Wireshark (Ethereal) to say, 'Show me all packets from a certain time
domain, from this IP to that IP in this protocol.'

"Solera's DS appliance may be used as a platform on which Linux
applications are run. For example, Snort can be installed as an
application on the DS, then configured to take network traffic from a
virtual Ethernet adapter. The DS can be configured to feed Snort as
fast as Snort can take data. Additionally, Solera says that customer
*Brigham Young University* has developed an application that takes
traffic beginning some seconds before, and ending some seconds after,
a Snort-flagged incident - packaging the traffic segment up and
forwarding it to an analyst to determine whether it's a false
positive. The DS can provide other views to applications, such as pcap
files or virtual file systems, which can be 'mounted.' Traffic can
also be replayed to a network segment, for examination by applications.

"The boxes monitor traffic from a SPAN port as a passive collector,
and the company claims to capture at a sustained traffic rate of up to
550MB/sec from Gigabit Ethernet. Solera says it uses an off-the-shelf
disk controller from *3Ware*, but wrote its own file system, which
allows the DS to write to disk very quickly, using very long sector
runs in 'slots' of 67MB at a time, providing an 840MB/sec
stream-to-disk throughput on its disk channel. The appliances have
800GB to 6.4TB of onboard storage. Solera says that using a fiber
channel switch, its appliances can be stacked up in groups of 20,
providing more than 128TB of storage capacity. Because of its claimed
very fast read/write rates, Solera says there are no disk-based
bottlenecks."

Competition:
*Network General*. Solera says that if the Network General approach -
its own bottom-up approach with its own stack - is the sort of thing
you like, then you'll like that sort of thing. The other main
competitor is *Niksun*. Several other vendors offer competitive and
competitive-sounding products: *Endace Measurement Systems*, the
publicly traded New Zealand-based vendor of packet capture cards, a
firm we have just met and hope to brief with soon. Solera claims that
its methods are faster - since we're not a testing organization, we
have no way to judge the veracity of claims like this, but we will
bring it up to Endace and report its response in the future. Other
competitors include *Network Instruments*, *WildPackets*, *Fluke
Networks* and *ClearSight Networks*.

</excerpt>


Comments?




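The alert-context application the excerpt attributes to BYU (carve the traffic some seconds before and after a Snort hit, package it, hand it to an analyst), as an added example that is not code from the post, Solera or BYU: it selects packets from a capture buffer by time window and by the same filter criteria the report lists (source IP, destination IP, protocol, port), then serializes the selection as a standard libpcap file that Wireshark can open. The capture records are constructed sample data, and the function and field names are this example's own.

```python
import struct
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float     # capture time in seconds (epoch)
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    raw: bytes    # captured frame bytes

# Constructed sample capture, not real traffic: an alert fires at t=1000.0 on the
# 10.0.0.5 -> 10.0.0.9 HTTP flow; a DNS packet and an out-of-window packet are noise.
CAPTURE = [
    Packet(990.0, "10.0.0.5", "10.0.0.9", "tcp", 80, b"\x00" * 60),
    Packet(995.0, "10.0.0.7", "10.0.0.9", "udp", 53, b"\x01" * 80),
    Packet(998.5, "10.0.0.5", "10.0.0.9", "tcp", 80, b"\x02" * 64),
    Packet(1000.0, "10.0.0.5", "10.0.0.9", "tcp", 80, b"\x03" * 120),  # alert packet
    Packet(1003.0, "10.0.0.9", "10.0.0.5", "tcp", 80, b"\x04" * 70),
    Packet(1011.0, "10.0.0.5", "10.0.0.9", "tcp", 80, b"\x05" * 66),
]

def carve_window(capture, alert_ts, before=5.0, after=5.0,
                 src=None, dst=None, proto=None, port=None):
    """Packets inside [alert_ts - before, alert_ts + after] matching every given filter (None = any)."""
    lo, hi = alert_ts - before, alert_ts + after
    out = []
    for p in capture:
        if not lo <= p.ts <= hi:
            continue
        if (src and p.src != src) or (dst and p.dst != dst):
            continue
        if (proto and p.proto != proto) or (port and p.dport != port):
            continue
        out.append(p)
    return out

def to_pcap(packets, linktype=1):
    """Serialize as a classic libpcap file: 24-byte global header (magic 0xa1b2c3d4, v2.4,
    microsecond timestamps, DLT_EN10MB) then a 16-byte record header plus frame per packet."""
    buf = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for p in packets:
        sec = int(p.ts)
        usec = int(round((p.ts - sec) * 1_000_000))
        buf += struct.pack("<IIII", sec, usec, len(p.raw), len(p.raw))
        buf += p.raw
    return bytes(buf)
```

Writing `to_pcap(carve_window(CAPTURE, 1000.0, proto="tcp", port=80))` to a `.pcap` file gives the analyst the three packets around the alert and nothing else.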
