DockOS is a Linux based virtual machine (VM) for Application Dock™ that provides full access to Linux VM and comes with support for Endace DAG, optimised capture libraries and a number of pre-installed example applications.
It is designed to support hosting for a wide range of custom, commercial and open-source applications - such as Bro IDS, SNORT, Suricata, Wireshark, Argus and Nagios to be hosted on the EndaceProbe.
DockOS comes as a standard VM image that can be deployed on all EndaceProbe™ Network Analytics Platforms,
There are a variety of I/O options that can be used by applications hosted in Application Dock, from VirtIO for maximum application compatibility to vDAG for accelerated performance. Which I/O option you choose will depend upon your need for high-speed performance and your ability to customize the application you are hosting.
VirtIO is a family of paravirtualized device drivers optimised for data transfer to and from virtual machines. Rather than emulating a specific legacy hardware device, VirtIO provides simplified and abstracted device models to improve compatibility and performance. EndaceProbe Application Dock supports VirtIO drivers. This simplifies application deployment by maximising Application Dock’s compatibility with pre-existing applications and VMs that you might wish to host in the Application Dock environment.
The VirtIO-net device can be used by Application Dock VM guests to provide network interfaces for management traffic, as well as for standard packet capture, without requiring the installation of proprietary drivers.
This makes it possible to host almost any application in Application Dock, ensuring compatibility with most packet-processing applications that can run on a Linux platform. EndaceProbe Datapipes can forward live captured traffic, or replay pre-recorded network traffic to hosted Application Dock VMs using VirtIO-net devices.
If accelerated IO performance is needed, the Endace vDAG device, also included in Dock OS, offers a high-speed IO option.
EndaceProbe vNIC virtual network devices can be presented to Dock VMs as emulated NICs, such as e1000, or para-virtualized VirtIO-Net devices. These virtual NICs can be used with any applications that require either raw NICs or Linux network interfaces.
The vNIC mode does not retain the original EndaceProbe ERF timestamps, instead the VM applies local software time stamps for each packet.
Examples include libpcap, AF_PACKET sockets, netlink/netfilter, and Linux kernel networking. This can be useful when running ‘shrink-wrapped’ appliance VMs where it is not possible to add device drivers or reconfigure software.
The libpcap library is a portable packet capture library supporting many platforms, and is widely used by network monitoring and security applications in order to access the raw network packets.
A DAG-enabled libpcap library is pre-installed, allowing libpcap based applications zero-copy access to network packets with full stack bypass. Both nanosecond and microsecond libpcap timestamps are supported.
Both the vDAG and vNIC modes support libpcap based applications.
For applications which dynamically link to libpcap or can be recompiled, the vDAG mode native libpcap provides the best performance. For applications which statically link to libpcap, or where recompilation is not possible, the vNIC mode provides excellent compatibility.
To optimize performance, virtual DAG drivers are pre-installed in DockOS, providing the same APIs as physical DAG cards. DockOS VMs can leverage zero-copy packet capture for high bandwidth applications.
The vDAG mode retains the original ERF time stamps from the EndaceProbe. These ERF time stamps can be converted to microsecond or nanosecond format by libpcap when needed
Applications can make use of the native DAG capture API and tools. A DAG native Snort DAQ module is provided for zero-copy IDS.
DockOS comes with a number of commonly-used applications pre-installed as well as some standard Endace applications. It also includes a DAG-enabled libpcap library that allows any libpcap-enabled application to be hosted in DockOS and take advantage of DAG's accelerated throughput.
SNORT® is an open source network intrusion prevention system and network intrusion detection system.
It performs a variety of protocol analysis including:
- Content searching and marching
- Detection of attacks and probes such as:
- Buffer overflow
- Stealth port scans
- CGI attacks
- SMB Probes
- OS Fingerprinting attempts
SNORT offers users community support, rule subscriptions and a knowledge base including deployment and set up guides, and whitepapers.
Suricata™ is a robust network threat detection engine. It’s capable of real time intrusion detection, inline intrusion prevention, network security monitoring and offline pcap processing.
Suricata works by inspecting network traffic using extensive rules and a signature language, which is reinforced by Lua scripting for detecting complex threats. It uses standard input and output formats, including YAML and JSON, and integrates with other tools such as:
- SIEMs e.g. Splunk
The Bro Network Security Monitor offers a different take on intrusion detection systems by also providing a comprehensive platform for general network traffic analysis.
Built on 15 years of research, Bro is relied upon by many scientific environments (its community includes: major universities, research labs, supercomputing centers and many large commercial enterprises) to secure network infrastructure.
Wireshark is a widely-used network protocol analyzer and shows you what’s happening on your network at a packet level. It’s the de facto standard across commercial, non-profit enterprises, government agencies and, educational institutions.
Trafstat is an Endace application that collects and analyses traffic statistics from an ERF file or directly from the vDAG card stream. Trafstat then creates a traffic profile that returns information about traffic flows in the data.
This information includes:
- Average bandwidth used
- Peak bandwidth
- TCP / UDP port numbers
- Number of concurrent flows
- Average flowrate
- Packet rate
Trafstat uses the 9-tuple of an IP packet extension header to generate a corresponding flow hash.
Trafstat can output into two different formats, depending on your requirements:
- stdout printed to your console.
- .csv files
Sysdump – Sanitizer
Sysdump – Sanitizer sanitizes the output of an EndaceProbe system dump and is useful for removing sensitive data from a Sysdump output before sending it to Endace Support for analysis.
It works by removing sensitive information tokens from the Sysdump file and replacing them with words chosen at random from the Linux dictionary file.
Sysdump – Sanitizer removes and replaces:
- The kernel version
- IPv4/IP6 address strings
- Endace OSm version number.