Re: bonded endace + snort

[Jeff Murphy <jcmurphy () BUFFALO EDU>]

On Apr 29, 2011, at 11:58 AM, Mike Lococo wrote:

> On 04/29/2011 11:18 AM, Jeff Murphy wrote:
> > For those who would like to attach snort to multiple Endace cards,
> > but found that you can't bond those cards together, a snort DAQ
> > module was published today that performs pseudo-bonding for you:
> >
> > http://www.snort.org/snort-downloads/external-daq/
>
> It's not clear to me exactly what this is doing.  

It does what ifenslave (bonding) does for commodity network cards.

> Are these the
> conditions under which this daq module is helpful?
>
> 1) You have 2 or more Endace capture cards in a system.
> 2) You are not interested or are unable for some reason to run one (or
>   more) snort-process(es) per capture-card in order to take advantage
>   of multiple CPU's.
> 3) The aggregate traffic from all cards can be processed by a
>   single-snort instance on a single cpu.
> 4) And so you wish you merge the output of the cards together and
>   process the aggregate with a single snort-instance running on
>   a single cpu, in order to simplify management.

        ...  or you want to do stream reassembly 

> Most shops that I'm aware of with a traffic amount that can be handled
> with a single-CPU/single-snort-instance (less than about 300mbits/sec)
> run on commodity network cards instead of multiple dedicated capture-cards.

5)  you are operating at multi-gigabit traffic levels


> Cheers,
> Mike Lococo

Attachment: smime.p7s
Description: