External DAQ Modules
Have you ever wanted to maintain your own DAQ module outside of the official LibDAQ distribution? Concerned about the official release cycle in relation to your own development? Tired of keeping a source patch for the official distribution up-to-date?
External DAQ Module examples
These two tarballs are to demonstrate the suggested process for externalizing the DAQ module build process.
Example-daq-module-0.1.tar.gz is a bare bones example DAQ module and the autotools to support it.
The basic steps involved in taking example-daq-module and making it your own are:
- Unpack example-daq-module-0.1.tar.gz
- Rename daqexample.c to daq
- Implement all of the function stubs in the C file
- Update configure.ac and Makefile.am to reflect your name change (%s/example/
- Add any additional autoconf-foo you want to configure.ac (arguments, header checks, library checks, etc)
- Regenerate the autoconf files with ‘autoreconf -ivf’
- Configure, make, and make install!
The only caveat with this process is that you cannot include your DAQ module with the static DAQ modules when building externally. This should not be an issue for the majority of users.
PFRING External DAQ
Made popular by Luca Deri, Sourcefire’s Michael Altizer ported Luca’s PFRING DAQ Module to the above framework.
Napatech External DAQ
To build this requires the Napatech ntcommoninterface library, which is bundled with the purchase of each adapter. This is NOT a Sourcefire used or produced product, and support questions should be directed to email@example.com. PCAP Express adapters are just branded Napatech OEM adapters sold by nPulse Technologies to end-users.
PCAPRR External DAQ
PCAPRR can be used to read from multiple network interfaces in cases where those interfaces can not be bonded together (e.g. when using Endace cards). To build this requires libpcap library. This is NOT a Sourcefire used or produced module, and support questions should be directed to firstname.lastname@example.org
DAQ PCAP Spooler
This DAQ module is simple in it self. Its goal is to read PCAP file in spooled mode. For Snort people its like barnyard(X) for Snort.
This DAQ module monitor a directory for specific prefixed pcap file and as they grow, new packets are sent to Snort for analysis without loosing detection context.
The module also has the ability to archive processed pcap file to a defined directory.
The module create a PSRF (PCAP SPOOLER REFERENCE FILE) think waldo file (for barnyard(x) folks), that will allow Snort to resume its processing on halt.
This is NOT a Sourcefire used or produced module, and support questions should be directed to email@example.com
Endace External DAQ
This DAQ module allows Snort to read packets directly from an Endace DAG card. To build this module requires the Endace SDK which is bundled with the purchase of a DAG card.
This is NOT a Sourcefire used or produced module and support questions should be directed to https://github.com/SgtMalicious/Endace-DAQ-Module/issues.