[Bro] Endace card native support for Bro

Donaldson, John donaldson8 at llnl.gov
Thu Jul 23 08:31:59 PDT 2015


We're using DAG cards with Bro without a problem (albeit without direct
integration between Bro and the card's API). Once you set up your streams
on the card, you just have to set up Bro workers on dag0:0, dag0:2, etc.

v/r

John Donaldson



On 7/23/15, 8:07 AM, "bro-bounces at bro.org on behalf of Robin Sommer"
<bro-bounces at bro.org on behalf of robin at icir.org> wrote:

>It's not supported anymore. We used to have native support for Endace
>cards but it hadn't been maintained for a while and was thus removed.
>That said, it shouldn't be that hard to add it back now through an
>external plugin (plugins are in Bro 2.4). It would just take somebody
>familiar with the API.
>
>Robin
>
>On Thu, Jul 23, 2015 at 14:12 +0000, MILLER, BRAD L wrote:
>
>> Hello-
>> 
>> I am making some new monitoring systems based mostly on Bro, and my
>>company has purchased 10G Endace cards to make things pretty awesome.
>>That said, I am finding some indications that Bro can support the Endace
>>card API directly if you compile with
>>"--with-DAG=/path/to/dagtool/installation" but this seemed to be
>>experimental long ago, and rumors circulated of it being dropped at some
>>point.  I can't seem to find any indication in the official docs about
>>retained or dropped native Endace card support.  The official
>>changelog only cites the introduction of experimental support long ago.
>> 
>> Can I have confirmation that this is still supported?  Is stable?  Is
>>going to be retained as far as anyone knows?  I am using Bro 2.3.x on
>>RHEL x64.
>> 
>> 
>> 
>> Brad Miller | Comerica Bank
>> Information Security Architecture
>> IT Security
>> Office: 248.371.4249  | Mobile: 920.378.8138
>> 
>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>-- 
>Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin