Security Community Blog

Configuring a detection server for an Endace card

Created: 21 Nov 2010 • Updated: 21 Nov 2010 • 3 comments

After installing DLP as a Network Detection server, there are additional configuration steps that must be completed both on the detection server itself and within the Enforce UI.

Installing the Endace card on the detection server

The first pitfall to be aware of: make sure the Endace drivers and software are installed in a folder whose path contains no spaces, e.g. c:\endace instead of the default c:\program files\endace.

From the Enforce server, copy dagextraconfig.bat from c:\vontu\protect\bin to c:\endace\dag-3.3.1\bin. Do not worry that the contents of this bat file are commented out; the file must still be present, because an error will be generated if it is missing.

Change the boot.ini to enable the /3GB switch

If you are running 32-bit Windows Server on the detection side, the /3GB switch needs to be enabled in the boot.ini file. The following steps need to be done:

  • Remove the system, hidden and read-only attributes from the file; from a command prompt type: attrib.exe -s -h -r c:\boot.ini
  • Open c:\boot.ini in Notepad
  • Find the line that reads like: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /noexecute=alwaysoff
  • At the end of that line add /3GB /userva=3030 so it looks like this: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /noexecute=alwaysoff /3GB /userva=3030
  • Restart the detection server

Once the SPAN port is connected to the Endace card, traffic can be verified by opening a command prompt, navigating to the c:\endace\dag-3.3.1\bin directory and typing: dagsnap -d0 -v -o tracefile. Captured traffic should be displayed in the window.

Changing settings on the Enforce UI

The following settings need to be changed within the Enforce UI in order for Network Monitor to work correctly with an Endace card.

In the Enforce UI, navigate to System -> Overview and then select the correct detection server. Click the Server Settings button and change the following items:

  • PacketCapture.IS_ENDACE_ENABLED from false to true
  • PacketCapture.ENDACE_BIN_PATH to the location you installed the software to (c:\endace\dag-3.3.2\bin)
  • PacketCapture.ENDACE_LIB_PATH to the location you installed the software to (c:\endace\dag-3.3.2\lib)
  • PacketCapture.ENDACE_XILINX_PATH to the location you installed the software to (c:\endace\dag-3.3.2\xilinx)

After making the above changes, restart the Vontu services on each detection server that uses an Endace card. Once the services have come back up, click Configure; dag0 should now be listed, so select the Endace card there.
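As an added example (not from the original post or from Symantec/Endace), the following Python script checks two of the prerequisites above against a constructed boot.ini and install path: that the Endace path contains no spaces, and that /3GB /userva=3030 is appended only to the default boot entry and not duplicated if the script is run twice. The function names and the sample boot.ini are mine.

```python
import re

SWITCHES = "/3GB /userva=3030"

# Constructed sample boot.ini matching the layout shown in the steps above.
SAMPLE_BOOT_INI = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\r\n"
    "[operating systems]\r\n"
    "multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS=\"Windows Server 2003, Enterprise\""
    " /fastdetect /noexecute=alwaysoff\r\n"
)


def endace_path_ok(path: str) -> bool:
    """The Endace drivers and software must live in a path without spaces."""
    return " " not in path


def add_3gb_switch(boot_ini: str) -> str:
    """Append /3GB /userva=3030 to the default OS entry of a boot.ini text.

    Only the [operating systems] line whose ARC path matches the default=
    entry is changed, and the switches are never appended twice, so the
    function is safe to run more than once. Line endings are preserved.
    """
    newline = "\r\n" if "\r\n" in boot_ini else "\n"
    lines = boot_ini.splitlines()
    default = None
    for line in lines:
        m = re.match(r"\s*default=(\S+)", line, re.IGNORECASE)
        if m:
            default = m.group(1).lower()
    if default is None:
        raise ValueError("boot.ini has no default= entry")
    out = []
    for line in lines:
        stripped = line.strip().lower()
        if stripped.startswith(default + "=") and "/3gb" not in stripped:
            line = line.rstrip() + " " + SWITCHES
        out.append(line)
    return newline.join(out) + newline


if __name__ == "__main__":
    for p in (r"c:\endace\dag-3.3.1\bin", r"c:\program files\endace"):
        print(f"{p}: {'ok' if endace_path_ok(p) else 'contains spaces, reinstall'}")
    print(add_3gb_switch(SAMPLE_BOOT_INI))
```

Run it against the real c:\boot.ini only after clearing the file attributes as described above, and keep a copy of the original line so the entry can be restored.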

Comments (3)

xlloyd:

I know I'm going to need this page in the future. This looks REALLY helpful

*bookmarked*

Thanks for the share bro =]

If this post has helped you, please vote up or mark as solution
jjesse:

Trying to come up w/ content people would find useful. Let me know if there are more articles or information you are looking for on DLP :)

Jonathan Jesse Practice Principal ITS Partners

xlloyd:

Will do ;]

Actually...I've been working on the Endpoint Prevent module for some time now and been doing a lot of reading. I think I'm pretty proficient with it but there's one thing that I really have no clue about. You know when you go to System -> Servers -> EndpointServer...there is a tab called "Server Settings". I have no clue about what those variables do. I found a table in the DLP documentation explaining the "Endpoint Settings" tab but couldn't find anything for the other one.

It would be unfair to ask you to document all of the purposes and parameters of each of those options but I guess it would qualify as information I'm looking for on DLP =P

I highly doubt I'd ever modify any of that stuff...but just for knowing's sake...it'd be good.
