Endace card native support for Bro


I am making some new monitoring systems based mostly on Bro, and my company has purchased 10G Endace cards to make things pretty awesome. That said, I am finding some indications that Bro can support the Endace card API directly if you compile with "--with-DAG=/path/to/dagtool/installation", but this seemed to be experimental long ago, and rumors circulated of it being dropped at some point. I can't seem to find any indication in the official docs about retained or dropped native Endace card support. The official changelog only cites the introduction of experimental support long ago.

Can I have confirmation that this is still supported? Is stable? Is going to be retained as far as anyone knows? I am using Bro 2.3.x on RHEL x64.

Brad Miller | Comerica Bank

Information Security Architecture

IT Security

Office: 248.371.4249 | Mobile: 920.378.8138

It's not supported anymore. We used to have native support for Endace
cards but it hadn't been maintained for a while and was thus removed.
That said, it shouldn't be that hard to add it back now through an
external plugin (plugins are in Bro 2.4). It would just take somebody
familiar with the API.


I'm using an Endace card with Bro right now. I'm doing it through
libpcap, not directly, though. I just compiled libpcap for the dag card,
then point bro to that libpcap.


We're using DAG cards with Bro without a problem (albeit without direct
integration between Bro and the card's API). Once you set up your streams
on the card, you just have to set up Bro workers on dag0:0, dag0:2, etc.


John Donaldson

On 7/23/15, 8:07 AM, "bro-bounces@bro.org on behalf of Robin Sommer"
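The approach in the two replies above (a DAG-aware libpcap, no native Bro integration, one worker per DAG stream) comes down to the broctl node configuration. The following is an added example node.cfg, not a file from the thread or from the Bro project; it assumes a single-box deployment, that the default path for the file is /usr/local/bro/etc/node.cfg, and that the card has been set up to deliver traffic on streams dag0:0 and dag0:2 as described in the last reply. The interface names are the only DAG-specific part; everything else is ordinary broctl configuration.

```ini
# /usr/local/bro/etc/node.cfg  (added example; path is the Bro 2.x default)
#
# Bro opens the interfaces below through libpcap, so the libpcap that Bro was
# linked against must have been built with DAG support, as the second reply
# describes. Nothing here calls the Endace API directly.

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# One worker per receive stream configured on the card. Stream numbers are
# whatever dagconfig set up on the card; dag0:0 and dag0:2 are the two named
# in the thread and are assumed here.
[worker-1]
type=worker
host=localhost
interface=dag0:0

[worker-2]
type=worker
host=localhost
interface=dag0:2
```

After editing the file, `broctl check` validates it and `broctl deploy` starts the workers; if a worker fails to start with an error about opening the interface, the usual cause is that Bro was linked against the system libpcap rather than the DAG-enabled build, which is the point the second reply makes.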