Are your sensors CPU hogs?
As Ethernet segment speeds increase, so do the throughput demands on your Snort sensors. Maintaining the commercial off-the-shelf (COTS) nature and the inherent power of Snort, while meeting the increased burden of 1GbE and 10GbE interfaces, has proved difficult. CPUs struggle – and eventually fail – to keep up with the burden of processing streams and searching for broad, comprehensive rule matches, with potentially catastrophic results. NinjaBox-Z, from Endace, solves this fundamental problem, while maintaining the open source character of the world’s most prevalent intrusion detection system. For instance, classic server platforms ‘busy’ the CPU with mundane tasks, such as copying data from one memory location to another. Solutions like PF_RING, however, are not the answer when running Snort.
Is your core wallowing in interrupts?
Standard network interface cards (NICs) rely on interrupt requests (IRQs) to haphazardly pull traffic from the target segment to the host system’s memory in preparation for the data to be processed by Snort. As the NIC sends an IRQ every time a packet is to be sent, the processing core of a CPU quickly becomes burdened with this chore, leaving few cycles for the all-important task of actually searching for vulnerabilities and potential attacks deep within the transport streams. Where alternative techniques such as NAPI have been shown to be both ineffective and inefficient, the Data Acquisition Generation (DAG) of cards and drivers from Endace has been proven, for nearly a decade, to increase high-speed data processing efficiencies.
Does your NIC make a pigsty of your preprocessing?
Even before rulesets are applied, Snort’s preprocessing function must see all packets – not only for pre-rule stream reassembly purposes, but also to provide a line of defense against both protocol anomalies and vulnerability probes, such as port scanners. Featuring technology exclusive to the NinjaBox-Z, Endace delivers an open IDS acceleration environment specifically targeted at gigabit and multi-gigabit Ethernet segments. Leveraging a combination of data hash load balancing, filtering, inverse multiplexing, DMA, large circular FIFO buffers and application memory mapping (MMAP) techniques within a multi-core CPU environment, single-threaded network monitoring applications, such as Snort, can perform optimally – even on 10GbE segments – with full preprocessing capabilities and a complete ruleset.
Ensure your biggest vulnerability is not your server.
Poorly performing and unmanageable Snort IDS sensors on critical, high-speed segments can render useless all efforts to protect a network from undesirable traffic or outside attacks. Traffic indiscriminately dropped by a monitoring element cannot be interrogated by a preprocessor or rules matching engine, leaving a network vulnerable. Likewise, data filtered or dropped in an effort to increase performance might also inadvertently leave malicious content to harm the network infrastructure. While proprietary hardware-based solutions are often touted to accelerate Snort, they often come at a price – both literally and figuratively – limiting the powerful pre-processing capabilities of Snort and dramatically reducing the number and range of signatures which are applied to incoming traffic.
Snort® IDS: Accelerated with NinjaBox-Z.
NinjaBox-Z combines off-the-shelf flexibility and price-points with unequalled performance and manageability. Endace delivers an open platform which provides the same IDS environment as any standard computing platform, but with dramatic and scalable acceleration capabilities. Users load and configure Snort (or any other application/s) how and when they choose. NinjaBox-Z simply provides the power to see all – even on the most congested high-speed segments.
GUI management and provisioning: Not to be sniffed at.
Through Endace, the full power of Snort can now be realised. Our Applied Watch portfolio of products removes the complexity of managing from one to over one hundred thousand Snort sensors – along with other open source security software applications and services, such as Barnyard, LaBrea Tarpit, ClamAV, Nessus, Nagios and OSSEC HIDS. With Applied Watch agents deployed on each sensor, the command center server and a client dashboard, security managers can forget complex command line interface (CLI) configuration and management of each individual Snort deployment.
Uncompromised IDS. Unrivaled performance. Ultimately Endace.
To deliver a premium commercial off-the-shelf IDS without jeopardizing performance and compromising security, your high-speed sensor solution is clearly, and ultimately, Endace.
SNORT® is a registered trademark of Sourcefire, Inc.