Using PF_RING DAQ for high-performance 1/10 Gbit Snort-based IDS/IPS


Months ago we started to design a new PF_RING DAQ module for Snort. We decided to do this project with ENEO Tecnologia, who both sponsored the development and helped us implement all those small features that turned PF_RING DAQ from a simple DAQ adapter into a full-fledged module. One of the decisions we made was to make this new DAQ module able to operate on both vanilla PF_RING and DNA (so that everyone could benefit), and to support complex topologies. In non-DNA mode we rely on PF_RING clustering to distribute the load across multiple Snort instances, whereas on DNA we take advantage of symmetric RSS to do the same. As you will see when using it, the network is basically no longer the bottleneck: throughput is limited by Snort's processing speed and not by packet capture.

Besides getting the PF_RING DAQ module and using it on a generic distribution, ENEO decided to create redBorder IPS, a new Ruby on Rails based open source project around Snort. It provides the following capabilities in a centralized manner: event viewing, hierarchical management of multiple sensors, very powerful rule management, and SNMP monitoring. It is in the sensor where we have been collaborating with ENEO Tecnologia to provide the following capabilities:

  • Customized and hardened CentOS 6.2 system with all needed software packages.
  • Latest Snort and PF_RING versions.
  • IPS mode running on top of PF_RING with specific performance enhancements and the capability to drop packets within PF_RING itself.
  • New IDS forwarding mode running on top of PF_RING, reflecting the packets at kernel level and sending a copy to Snort.
  • IDS mode running on top of clustered PF_RING.

In all cases, we have enhanced Snort's DAQ to be able to analyze multiple segments from the same Snort instance and to load balance across all available cores, thus making better use of the hardware. All of this is freely available to registered users at the redBorder project website. The new PF_RING DAQ will be available in a few days with a new PF_RING release, and we are working with them to add support for DNA Libzero. Stay tuned.