Educause Security Discussion mailing list archives

Re: bonded endace + snort


From: Mike Lococo <mike.lococo () NYU EDU>
Date: Fri, 29 Apr 2011 18:09:27 -0400

> ... or you want to do stream reassembly

I think what you're saying here is that there is a single link which has
been subdivided somehow.  Either you have the incoming and outgoing
portions of a tap on separate ports, or it's been load-balanced in some
non-session-aware way.  And you're recombining the traffic so that snort
sees complete sessions instead of broken-up snippets of traffic.  Yes?

Most shops that I'm aware of with a traffic amount that can be handled
with a single-CPU/single-snort-instance (less than about 300mbits/sec)
run on commodity network cards instead of multiple dedicated capture-cards.

> 5) you are operating at multi-gigabit traffic levels

You are successfully pushing multi-gigabits/second of traffic through a
single instance of snort running on a single CPU without substantial
packet loss?  Or am I misunderstanding?

Sorry to be dense.  I'm just genuinely interested in what the DAQ module
does and having trouble following.  I have a multi-gig setup of my own
that does have multiple ports that are split in a non-session-aware way,
so the module sounds somewhat interesting.  I'm familiar with bonding,
with IDS load-balancing, with Endace hardware, and with snort.  I'm just
having trouble understanding where this DAQ module might fit into a
snort architecture.  I suspect others on-list may share my confusion.

Best Regards,
Mike Lococo
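As an added illustration (not part of Mike's message or anything else in the thread), the recombination he is asking about: two tap ports that each carry one direction of a link are merged by timestamp into direction-independent flows, and a TCP handshake check shows that either port on its own yields only half-sessions. The packets are constructed sample data; the merge works the same for a non-session-aware load-balance, since it keys on the canonical endpoint pair rather than on which port a packet arrived on.

```python
"""Merge two one-directional tap captures into bidirectional flows.

Added example, not from the mailing-list thread.  A passive tap often hands
the two directions of a link to two separate capture ports; each port alone
sees only half of every TCP session, so an IDS doing stream reassembly must
see the ports recombined.  All packet data below is constructed.
"""
from collections import defaultdict

# Constructed packets: (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags)
PORT_A = [  # client -> server direction, as seen on tap port A
    (1.000, "10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    (1.002, "10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    (1.003, "10.0.0.5", 40001, "192.0.2.10", 80, "PA"),
]
PORT_B = [  # server -> client direction, as seen on tap port B
    (1.001, "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    (1.004, "192.0.2.10", 80, "10.0.0.5", 40001, "PA"),
]


def flow_key(pkt):
    """Direction-independent key so both halves of a session land together."""
    _, sip, sport, dip, dport, _ = pkt
    return tuple(sorted([(sip, sport), (dip, dport)]))


def merge_captures(*captures):
    """Combine per-port captures into one timestamp-ordered set of flows.

    Returns {flow_key: [packets in arrival order]} across all given ports.
    """
    flows = defaultdict(list)
    all_pkts = (p for cap in captures for p in cap)
    for pkt in sorted(all_pkts, key=lambda p: p[0]):
        flows[flow_key(pkt)].append(pkt)
    return flows


def handshake_complete(pkts):
    """True only if both the SYN and the SYN/ACK were observed."""
    flags = {p[5] for p in pkts}
    return "S" in flags and "SA" in flags


def incomplete_sessions(flows):
    """Count flows whose handshake is one-sided (half the traffic is missing)."""
    return sum(1 for pkts in flows.values() if not handshake_complete(pkts))
```

With only PORT_A the single session is reported as incomplete; merging both ports yields one flow with all five packets in timestamp order.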
