[Snort-users] FW: Afpacket daq-2.0.1 snort

Jaime Nebrera jnebrera at ...16842...
Wed Jul 2 15:40:16 EDT 2014


Inline

On 02/07/2014 20:37, "Anshuman Anil Deshmukh" <anshuman at ...16510...>
wrote:
>
> The vendor said that it can be done using these two different ways.
>
> 1. They have their API to control the NIC (niagara_util -k).

This doesn't tell me much besides probably being Gen 2/3. As to what you
mean by control, if it is just to configure, then it doesn't mean anything.

To control I mean trigger bypass mode from software

>
> 2. Call the system functions themselves. The source code is with the
> driver. They have examples under user_api/examples/module_kick.c under the
> drivers they have provided.
>
> The vendor have specifically recommended using the 'kick' option. They
> said that whenever the snort application fails, the 'kick' can be
> configured to stop sending heartbeats by which the NIC will go to bypass
> because of the missed heartbeat.

This sounds a lot like a Gen 1 card, as the bypass is essentially hardware
controlled (power or watchdog).

This is not good. In general terms a watchdog is not triggered by the first
miss, but by a sequence of them (say 3 missed ticks in 5 seconds). Thus the
activation is going to be slow, quite slow. If you make the watchdog more
sensitive it is going to be prone to false positives.

> Looking at the solution that vendor has provided, please let me know
> under which Gen exactly would my NIC come.

Without looking into the code and without real contact with the hardware I
wouldn't put my hand in the fire, but based on the "they suggest to do it
through watchdog" I would think it is a Gen 1 card.

> Also please comment on the solution if it would be appropriate to use for
> an inline IPS solution OR you have any other recommendations.

For any new project, a Gen 3 card would be a must. Gen 1 is just crap, and
Gen 2 is problematic to maintain.

Of course, with some manufacturers the difference between Gen 2/3 is quite
blurry due to the fact that they control both the card and the chipset. In
this particular case, 2/3 are essentially the same (think of manufacturers
like Napatech or Tilera).

Also, while Gen coding has become quite standard in the industry, you might
see it under a different name. For example, Silicom uses "side driver" for
Gen 3 cards.

As for open source bundles that cover bypass card interaction, I'm not
aware of any besides our redBorder project, but it officially only supports
Silicom cards. If you want to talk about Interface Masters support in
redBorder, please email me directly off list.

Properly controlling when and how to enable the bypass is not hard, but it
requires quite a bit of init script adaptation.

Hope it helps. Regards
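The "N missed ticks in a window" watchdog behaviour discussed in the reply above, modelled as an added example. This is not code from the thread, from Snort, or from any NIC vendor (it does not use niagara_util or module_kick.c); the policy parameters, the heartbeat traces and the two scenarios are constructed to show the trade-off Jaime describes: a tolerant policy takes several ticks to engage bypass after the IPS process dies, while a one-miss policy engages bypass on an alive but jittery process.

```python
"""Heartbeat-watchdog model for a bypass NIC (constructed example, generic policy).

A software heartbeat is expected every `tick` seconds. At each tick boundary the
watchdog checks whether a heartbeat arrived during the last period; a period with
no heartbeat is a "miss". Bypass is engaged once `misses_to_trip` misses fall
inside the trailing `window` seconds. Nothing here talks to real hardware.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class WatchdogPolicy:
    tick: float          # expected heartbeat period (seconds)
    misses_to_trip: int  # missed ticks inside `window` needed to engage bypass
    window: float        # sliding window (seconds) over which misses are counted


def trip_time(heartbeats: List[float], policy: WatchdogPolicy,
              horizon: float) -> Optional[float]:
    """Return the tick boundary at which bypass engages, or None if it never does.

    `heartbeats` are timestamps (seconds) at which the IPS process sent a
    heartbeat; the simulation runs over tick boundaries up to `horizon`.
    """
    misses: List[float] = []
    k = 1
    t = policy.tick
    while t <= horizon + 1e-9:
        # A heartbeat "covers" tick t if it arrived in the half-open period (t-tick, t].
        covered = any(t - policy.tick < hb <= t for hb in heartbeats)
        if not covered:
            misses.append(t)
            recent = [m for m in misses if m > t - policy.window]
            if len(recent) >= policy.misses_to_trip:
                return t
        k += 1
        t = k * policy.tick
    return None


def detection_latency(fail_time: float, heartbeats: List[float],
                      policy: WatchdogPolicy, horizon: float) -> Optional[float]:
    """Seconds between the process failing and bypass engaging (None = never)."""
    trip = trip_time(heartbeats, policy, horizon)
    return None if trip is None else trip - fail_time


# --- constructed scenarios (hypothetical numbers, not from the thread) ---------
TOLERANT = WatchdogPolicy(tick=1.0, misses_to_trip=3, window=5.0)   # "3 misses in 5 s"
SENSITIVE = WatchdogPolicy(tick=1.0, misses_to_trip=1, window=5.0)  # trips on first miss

DEAD_AT = 2.0                      # the IPS process dies right after its 2 s heartbeat
DEAD_TRACE = [1.0, 2.0]            # heartbeats sent before it died

# Process stays alive but its heartbeats are late by a few tens of milliseconds.
ALIVE_JITTERY = [1.0, 2.05, 2.9, 4.1, 4.95, 6.0, 7.0, 8.0, 9.0, 10.0]
HORIZON = 10.0


def compare_policies() -> Dict[str, Optional[float]]:
    """Summarise both policies against both traces."""
    return {
        "tolerant_latency_after_crash": detection_latency(DEAD_AT, DEAD_TRACE, TOLERANT, HORIZON),
        "sensitive_latency_after_crash": detection_latency(DEAD_AT, DEAD_TRACE, SENSITIVE, HORIZON),
        "tolerant_trip_on_alive_process": trip_time(ALIVE_JITTERY, TOLERANT, HORIZON),
        "sensitive_trip_on_alive_process": trip_time(ALIVE_JITTERY, SENSITIVE, HORIZON),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name}: {value}")
```

With these constructed traces the tolerant policy needs three full ticks after the crash before bypass engages, so inline traffic is dropped for that whole interval, whereas the one-miss policy engages bypass on a 50 ms late heartbeat from a process that is still running. Tightening `misses_to_trip` and `window` trades one failure mode for the other; the numbers only change where the line sits.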