Over the past few months we have spent quite some time accelerating popular open-source IDS/IPS with PF_RING ZC. The result is that you can now choose your favourite security product: we support all of them, at no cost, using PF_RING ZC in both IDS and IPS mode. Our benchmarks show that the acceleration with respect to vanilla Linux AF_PACKET is good even with standard (non-ZC) PF_RING. We will provide some test results in the near future, but in the meantime we invite you to test it yourself.
- Snort
The code for the PF_RING ZC-aware DAQ module can be found in the PF_RING SVN repository or as part of our binary PF_RING packages.
- Suricata
We have contributed to the PF_RING support in Suricata, and the current code includes our patches: the next stable release will include them. We have revamped PF_RING support, updating the existing code and adding:
  - Support for IPS/TAP (IDS has been supported since day 1).
  - Support for peering interfaces, including sending traffic to them.
In essence you can now use Suricata in both IDS and IPS mode at high speed.
- BRO
Since release 2.3, BRO has included native PF_RING ZC support, and many companies (including Facebook) are already using it: you can be the next one!
It’s now time to update your favourite IDS/IPS with PF_RING ZC!