Adding an Endace card to Symantec’s DLP

I decided to publish this hack as I could not find an iota of information about getting an Endace card working With Symantec’s DLP (previously Vontu) on RedHat.

After you’ve installed the module for your Endace card, you recycle your sensor and are confronted with the following error message:

Endace DAG driver is not available
Packet Capture was unable to activate Endace device support. Please see PacketCapture.log for more information.

A look at /var/log/Vontu/debug/PacketCapture.log yields:

ERROR PacketDriverFactory - Driver Dag is unavailable: libdag.so.3: cannot open shared object file: No such file or directory [PacketDriverFactory.cpp(423)]

do an

updatedb
locate libdag.so

You will notice you just compiled a version more recent than libdag.so.3. As it turns out, Symantec DLP v11.0 does NOT know how to use the generic libdag.so nor the latest libdag.so.4.0.2 you just compiled. I’ve tried many tricks mostly with symlinks and I just couldn’t get it to use libdag.so.4.

Hold on to your pants as I explain the unholy hack that made it work:

edit /opt/Vontu/Protect/lib/native/libPacketDriverDag.so.11.0.0 , this is a binary file so using a hex editor is a good idea although vi works fine. Also, do respect placement very carefully, you will be changing 1 character and 1 character only.

search for libdag.so.3 and replace its 3 by a 4.

Recycle your server again and it should be happy about life 🙂

One Reply to “Adding an Endace card to Symantec’s DLP”

Leave a Reply

Your email address will not be published. Required fields are marked *