[unisog] IDS related Question

Eric Pancer epancer at security.depaul.edu
Tue Aug 17 04:59:41 GMT 2004


Michael Holstein wrote on Mon, 2004-08-16 at 16:25:47 -0400...

> FreeBSD (SMP), two Gig-E cards, a passive tap (eg www.netoptics.com), 
> and Netgraph for bonding the cards together for FDX.

[ The following comments are FreeBSD specific. ]

We're using a Dag card from Endace <http://www.endace.com/> with a
NetOptics <http://www.netoptics.com/> regeneration tap.

The cards are rather pricey, but they will do link speed monitoring,
and dag interfaces have pcap support. On FreeBSD, we found the
following useful...

/etc/sysctl.conf

kern.maxproc=10240
kern.maxprocperuid=7680
kern.randompid=1391
kern.maxusers=128
kern.maxfiles=65536
kern.ipc.nmbclusters=32768
debug.bpf_bufsize=524288

If you want to bond the two cards into one logical interface, then
use the following sysctl variables.

net.link.ether.bridge_cfg=em0,em1
net.link.ether.bridge=1

However, we found that having separate RX/TX interfaces allows you
to see specifically which direction packets are going across the
fiber. We use the commercial version of Argus from QoSient
<http://www.qosient.com/> called Gargoyle. However, if you're going
to be doing 200-300Mbps, Argus should do well. Also, snort has not
had problems yet, though we haven't seen our Gigabit link filled to
even 1/4 capacity yet (hopefully it will be in a few weeks!).

Some things to note: you might want to expand some limits in your
kernel depending on the amount of physical memory you have. This can
be achieved by modifying the following kernel entries.

options MAXDSIZ="(1536*1024*1024)"
options DFLDSIZ="(1536*1024*1024)"
options MAXSSIZ="(1536*1024*1024)"

Also, get rid of KTRACE from your kernel if you're looking at doing
high speed kernel instructions (KTRACE added a system call or two
that adds overhead). You can modify the BPF capture size in
net/bpf.h ....

#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x80000
#define BPF_MINBUFSIZE 32

However, make sure you know what you're doing here :)

That's about it for FreeBSD. We've got 2GB of RAM and lots of swap
space, and we offload most disk writes to another machine for argus
(using ra -nnS collector -w output.cap). Other than some bugs in
code here and there, everything is stable.

-- 
Eric Pancer :.: Computer Security Response Team :.: DePaul University
http://security.depaul.edu/ .:`:.:':.:`:. epancer at security.depaul.edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3
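Added example, not part of Eric's post: a small POSIX sh check that compares a sensor's running sysctl values against the tuning listed above and flags any still below it. It assumes `sysctl -e` on FreeBSD prints `name=value` lines (the same format as /etc/sysctl.conf), that a debug.bpf_bufsize above the compile-time BPF_MAXBUFSIZE from net/bpf.h is clamped by the kernel, and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check a FreeBSD sensor's
# running sysctl values against the tuning the post lists and flag any
# that fall short. Input is "name=value" lines, the format of
# /etc/sysctl.conf and of `sysctl -e` output on FreeBSD (assumption).

# Values from the post's /etc/sysctl.conf, one name=value per line.
RECOMMENDED='kern.maxproc=10240
kern.maxprocperuid=7680
kern.maxfiles=65536
kern.ipc.nmbclusters=32768
debug.bpf_bufsize=524288'
# BPF_MAXBUFSIZE (0x80000) from the post's net/bpf.h excerpt. The post's
# debug.bpf_bufsize=524288 sits exactly at this compile-time cap, so a
# larger sysctl value needs a rebuilt kernel to take effect (assumption).
BPF_MAXBUFSIZE=524288
# check_tuning "name=value lines"
# Prints one line per problem and returns the number of problems found,
# so a zero exit status means every setting is at or above the post's value.
check_tuning() {
    problems=0
    for entry in $RECOMMENDED; do
        name=${entry%%=*}
        want=${entry#*=}
        # Exact match on the name field, so kern.maxproc does not also
        # pick up kern.maxprocperuid.
        have=$(printf '%s\n' "$1" | awk -F= -v k="$name" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$name" "$want"
            problems=$((problems + 1))
        elif [ "$have" -lt "$want" ]; then
            printf 'LOW %s=%s (want %s)\n' "$name" "$have" "$want"
            problems=$((problems + 1))
        elif [ "$name" = debug.bpf_bufsize ] && [ "$have" -gt "$BPF_MAXBUFSIZE" ]; then
            printf 'CAPPED %s=%s exceeds BPF_MAXBUFSIZE=%s\n' "$name" "$have" "$BPF_MAXBUFSIZE"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
# Constructed sample: a sensor still on stock values for two settings.
SAMPLE='kern.maxproc=10240
kern.maxprocperuid=7680
kern.maxfiles=12328
kern.ipc.nmbclusters=32768
debug.bpf_bufsize=4096'
# On a real sensor, feed it the live values instead (assumption):
#   check_tuning "$(sysctl -e kern.maxproc kern.maxprocperuid kern.maxfiles kern.ipc.nmbclusters debug.bpf_bufsize)"
check_tuning "$SAMPLE" || echo "$? setting(s) need attention"
```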