[Oisf-users] [Emerging-Sigs] OT - planning hardware purchase for IDS...
Eoin Miller
eoin.miller at trojanedbinaries.com
Wed Mar 24 17:35:05 UTC 2010
On 3/23/2010 11:46 PM, Will Metcalf wrote:
>
>> Also do folk have favourite NICs (1GB and 10GB) We can't afford Endace although we do have some research boxes with Endace cards...
>>
> I have always had really good luck with Intel, and I can vouch for the
> e1000e PF_RING aware driver. I think Luca also recently added DNA
> support for some Intel cards in PF_RING.
>
> Regards,
>
> Will
>
Yea, he did the DNA stuff which rocks and also the TNAPI driver which
uses the various RX queues built into standard $130 NIC's to let you
split the traffic out into various streams and run multiple instances of
Snort on different cores attached to the various RX queues. It kept
crashing when I tried it out a year ago, but maybe it is more stable now.
If you are in the market for Endace cards, check out Napatech as well.
Better capabilities (32 stream capable), very easy to configure (no
stinkin XML conf files) and about the same amount of cash. Once you are
trying to monitor some 10G stuff though, you are going to need something
to split that traffic up and probably a few more processors than you are
going to fit in a 1U box.
-- Eoin
More information about the Oisf-users
mailing list