[Bro] Copying bpf buffers into multiple locations
jean-philippe.luiggi at didconcept.com
Sun Feb 24 16:58:59 PST 2008
On Sat, 23 Feb 2008 23:10:36 -0700
"Mcclelland-Bane, Randy" <rmcclel at sandia.gov> wrote:
> Has any work been done by the bro team (or others) on copying a
> single bpf stream into multiple locations with *BSD? ie - one stream
> of incoming packets from a NIC gets copied into several virtual
> locations instead of just your standard "em0" etc. kernel locations.
> I've been googling for a bit and can't find anything substantial.
> I've seen some products/vendors that do this on linux, but nothing
> for BSD.
> There used to be the FreeBSD 4.x patches out there for bro, but if I
> remember correctly those enabled bonding and didn't try to do any
> copying like I'm describing.
> With the advent of more and more processors in multicore silicon, it
> seems that the bpf buffers could be a bottleneck to
> multiprocess/thread or "multi-instance" designs. This could enable us
> to run more cpu intensive instances of bro on a second cpu while the
> first handles most of the routine traffic on a single machine without
> getting major packet loss.
> Bro mailing list
> bro at bro-ids.org
Perhaps "honeymole" will be a solution for you.
It's a tool from Honeynet-PT :
Here is a brief description :
Secure Ethernet Bridge over TCP/IP
The main goal of this tool is to act as a completely Secure Ethernet
Bridge over TCP/IP, tunneling in a transparent, safe and easy way,
network traffic to a remote location without the need of any kernel
patches or modules, or even the need to hide routing in the honeypots.
It can be used to easily deploy honeypot farms of distributed
honeypots, transporting network traffic to a central honeypot
architecture where data collection and analysis will be done. It can
also be used as a very simple and efficient VPN (Virtual Private
Network) for any other purposes.
Home this will help.
More information about the Bro