I am experimenting with several open-source IDS on Linux.
My concern is load balancing across mmap-ed packet rings.
Some of them have AF_PACKET socket load balancing (Suricata) while others don’t, and rely on PF_RING (Bro).
When I say load balancing I mean PACKET_FANOUT sock option.
The following setup looks like a silver bullet for me:
You compile them (the IDS) with the latest version of pcap, and use pcap filters to achieve load balancing.
Am I missing something?
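For reference, this is what the PACKET_FANOUT socket option mentioned above looks like at the socket level: an added example, not code from the original post or from any of the IDS named in it. It assumes Linux with `<linux/if_packet.h>`, an interface name passed on the command line (defaulting to `eth0`), an arbitrary fanout group id of 42, and CAP_NET_RAW to open AF_PACKET sockets.

```c
/* Added example (not from the original post): one IDS worker joining a
 * PACKET_FANOUT group so the kernel spreads flows across workers.
 * Assumes Linux; opening AF_PACKET sockets needs CAP_NET_RAW. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>      /* htons */
#include <linux/if_ether.h>  /* ETH_P_ALL */
#include <linux/if_packet.h> /* PACKET_FANOUT*, sockaddr_ll */

/* The PACKET_FANOUT argument packs the 16-bit group id in the low half
 * and the mode plus flags in the high half. */
static uint32_t fanout_arg(uint16_t group_id, uint16_t mode, uint16_t flags)
{
    return ((uint32_t)(mode | flags) << 16) | group_id;
}

/* Open a raw AF_PACKET socket bound to ifname and enrol it in fanout group
 * group_id.  Every worker that calls this with the same group_id and mode
 * becomes a member; the kernel then hands each flow to exactly one member
 * (PACKET_FANOUT_HASH keys on the flow hash).  Returns fd or -1. */
static int open_fanout_member(const char *ifname, uint16_t group_id, uint16_t mode)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex  = (int)if_nametoindex(ifname);
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        close(fd);
        return -1;
    }
    /* DEFRAG reassembles IP fragments before hashing, so the pieces of one
     * datagram cannot land on different workers and escape a per-worker view. */
    uint32_t arg = fanout_arg(group_id, mode, PACKET_FANOUT_FLAG_DEFRAG);
    if (setsockopt(fd, SOL_PACKET, PACKET_FANOUT, &arg, sizeof arg) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* assumed interface */
    int workers[4];                                       /* one fd per worker thread */
    for (int i = 0; i < 4; i++) {
        workers[i] = open_fanout_member(ifname, 42, PACKET_FANOUT_HASH);
        if (workers[i] < 0) { perror("open_fanout_member"); return 1; }
    }
    return 0;  /* each workers[i] now receives a disjoint share of flows */
}
```

Note that a BPF filter attached to each socket still runs after fanout has chosen the member, so filters alone do not split traffic; only the fanout group does.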