Endace DAG not recognized


Pancakes

Jun 28, 2018, 7:58:22 PM6/28/18
to security-onion
Hi all,

I have a 16 sensor system with an Endace DAG 5.x capture card installed. With the card drivers installed and dumpcap/tcpdump working on dag0, the card does not show up in ifconfig in any distro of Linux I’ve tried (by design). Its path is /dev/dag and so forth. Problem is, this means SO installation doesn’t see it as a viable monitoring interface. I can’t get a manual configuration to work, either. Has anyone gotten one of these cards working?

James Dickenson

Jun 29, 2018, 6:35:59 AM6/29/18
to securit...@googlegroups.com
So part of the problem is that support and implementation for the Endace DAG is gonna vary depending on what piece of SO you're talking about... I think you're on the right track w/ libpcap compiled with DAG support... Snort and/or Suricata will need to be compiled against that same target libpcap if they aren't already. And there is this plugin for Bro here: https://github.com/endace/bro-dag. I would be interested to see if anyone has figured it out. I have an Endace DAG in a lab environment that I could spin up on SO and look at what it might take.

-james


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Doug Burks

Jun 29, 2018, 8:50:22 AM6/29/18
to securit...@googlegroups.com
Hi Pancakes,

First, please note that I don't have any experience with Endace cards.  Most of our users use standard non-accelerated Ethernet adapters and most folks report good results with Intel cards:

I know that's not what you want to hear, so let's discuss Endace cards a little more :)

It sounds like James is correct that you could recompile Snort/Suricata against the Endace libraries and add the Bro plugin.  However, I'm not sure netsniff-ng could be made to work as it does not use libpcap.  So you wouldn't have full packet capture unless you reconfigured our scripts to use Suricata to write full packet capture.  At that point, recompiling binaries and rewriting scripts would be significantly re-engineering Security Onion and I'm not sure that's the best solution.

Here's another potential idea, although it's a pretty ugly hack and I don't know if it would even work.  If Snort can be compiled against the Endace libraries, then in theory you should be able to compile daemonlogger against the Endace libraries as well, since daemonlogger is essentially Snort without the IDS code.  Daemonlogger can act as a "soft tap", collecting traffic from one interface and then forwarding to another.  So if you could compile daemonlogger against the Endace libraries, configure it to consume traffic from the Endace card and forward that traffic to a standard ethernet interface, then our standard Snort/Suricata/Bro/netsniff-ng stack might be able to take it from there.  Again, I must emphasize that this is a quick and dirty hack and I have no idea if it would actually work.

Please let us know if you have further questions.

Thanks!





--
Doug Burks
CEO
Security Onion Solutions, LLC
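The thread's advice boils down to three checks: the driver must expose the card as a device node, the libpcap in use must be DAG-aware, and every sensor binary that reads packets must be linked against that same libpcap. The script below is an added example, not code from the thread or from Security Onion, that runs those checks from the shell on the sensor. It assumes the Endace driver creates /dev/dagN nodes and that a DAG-enabled libpcap lists the card as "dagN" in `tcpdump -D`; binaries are located with `command -v`, and the `tcpdump -D` and `ldd` strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): checks the three places where DAG
# support has to exist before the SO sensor stack can read from the card.
# Assumptions: /dev/dagN device nodes, "dagN" naming in the libpcap interface
# list, and a libdag shared library that DAG-aware binaries link against.

# 1. Driver level: list /dev/dag* nodes (empty output if the driver is absent).
dag_device_nodes() {
    ls /dev/dag[0-9]* 2>/dev/null
}

# 2. libpcap level: given the text of `tcpdump -D` (or `dumpcap -D`), print
#    only the DAG entries. Returns non-zero when there are none, which is the
#    symptom the original poster describes.
dag_entries_from_list() {
    printf '%s\n' "$1" | grep -i 'dag[0-9]'
}

# 3. Binary level: given `ldd <binary>` output, succeed if it links libdag.
#    A Snort/Suricata built against a plain libpcap will not show it.
links_libdag() {
    printf '%s\n' "$1" | grep -q 'libdag'
}

# Report for one binary: which pcap/dag libraries it resolves.
check_binary() {
    bin=$(command -v "$1" 2>/dev/null) || { echo "$1: not installed"; return 0; }
    deps=$(ldd "$bin" 2>/dev/null)
    echo "$1 -> $bin"
    printf '%s\n' "$deps" | grep -E 'libpcap|libdag' | sed 's/^/    /'
    if links_libdag "$deps"; then
        echo "    libdag: linked"
    else
        echo "    libdag: NOT linked (rebuild against the DAG-enabled libpcap)"
    fi
}

report() {
    nodes=$(dag_device_nodes)
    if [ -n "$nodes" ]; then
        echo "DAG device nodes: $nodes"
    else
        echo "DAG device nodes: none found (driver not loaded?)"
    fi
    if command -v tcpdump >/dev/null 2>&1; then
        list=$(tcpdump -D 2>/dev/null)
        if entries=$(dag_entries_from_list "$list"); then
            echo "libpcap lists: $entries"
        else
            echo "libpcap does not list any dag interface"
        fi
    fi
    # The packet-reading tools the thread mentions; netsniff-ng is included
    # because, as Doug notes, it does not use libpcap and so will not help here.
    for b in tcpdump snort suricata netsniff-ng; do
        check_binary "$b"
    done
}

report
```

Run it as root on the sensor. If the device nodes exist but tcpdump does not list a dag interface, the problem is the libpcap build, not the card; if tcpdump lists it but Snort or Suricata report "libdag: NOT linked", those binaries were built against a different libpcap, which is the recompile James describes.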