Educause Security Discussion mailing list archives
Re: bonded endace + snort
From: Jeff Murphy <jcmurphy () BUFFALO EDU>
Date: Fri, 29 Apr 2011 12:23:38 -0400
On Apr 29, 2011, at 11:58 AM, Mike Lococo wrote:
> On 04/29/2011 11:18 AM, Jeff Murphy wrote:
>> For those who would like to attach snort to multiple Endace cards, but found that you can't bond those cards together, a snort DAQ module was published today that performs pseudo-bonding for you: http://www.snort.org/snort-downloads/external-daq/
>
> It's not clear to me exactly what this is doing.

It does what ifenslave (bonding) does for commodity network cards.

> Are these the conditions under which this daq module is helpful?
> 1) You have 2 or more Endace capture cards in a system.
> 2) You are not interested or are unable for some reason to run one (or more) snort-process(es) per capture-card in order to take advantage of multiple CPUs.
> 3) The aggregate traffic from all cards can be processed by a single-snort instance on a single cpu.
> 4) And so you wish to merge the output of the cards together and process the aggregate with a single snort-instance running on a single cpu, in order to simplify management.

... or you want to do stream reassembly

> Most shops that I'm aware of with a traffic amount that can be handled with a single-CPU/single-snort-instance (less than about 300mbits/sec) run on commodity network cards instead of multiple dedicated capture-cards.

5) you are operating at multi-gigabit traffic levels

> Cheers, Mike Lococo