dear,
since i could not find it documented as such a question on deploying rocknsm in-line (non-blocking).
With in-line i mean it listens to traffic using multiple span ports. On the rock instance deployed as a first experience, test there are 6 to 8 subnets to be monitored which for now it does quite well. But it is not in-line.
Is rock suitable to handle this kind of deployment ?
Br,
Joris
Hello Joris,
From an architectural perspective, in-line and listening to multiple span ports are different.
That said, the answer is yes; ROCK can receive multiple network feeds. This can be done through aggregation or multiple capture interfaces (or even multiple sensor components (Zeek, Suricata, Stenographer, Kafka, etc.) all feeding into a shared Elastic Stack - known as “multi-node deployment”).
Hey Andy,
Thanks. I do mean in-line, it has to be that rocknsm observes all traffic on the external to internal and internal to internal networks. This on both bridges and physical interfaces.
I have two setups running now. One as a POC in a VM clusters with 6 to 8 interfaces and one in a LAB environement with just two phyiscal interfaces but also a bunch of virtual network interfaces (tapXXX, vmbrX etc)
I’m learning as i go along but i prefer rocknsm over onion any time at this point. I hope to be able to contribute where i can in the future.
Best Regards,
Joris