[Bro] A few questions

Justin Azoff JAzoff at uamail.albany.edu
Tue Feb 2 05:44:14 PST 2010

On Mon, Feb 01, 2010 at 02:53:05PM -0500, Powell, Scott wrote:
> Good afternoon. I am still relatively new to Bro and working on building a
> cluster here at MUSC. In the process of setting up and configuring the IDS I
> have run into some issues and would like to ask the list a few questions.
> 1) Is Linux even a reliable platform to think about using for Bro? Based
> on my experience the logs seem to be missing traffic. I have been making
> connections in and out of our network that pass through our network TAP and
> Bro does not always log them. Upon further investigation it appears that
> packets are being dropped (based on broctl netstats worker-1). I attempted to
> use pf_ring and compile Bro with libpcap-1.0.0-ring. This seemed to help some
> but not a lot.

Try the following in /etc/sysctl.conf

net.core.rmem_max = 33554432
net.core.netdev_max_backlog = 10000
net.core.rmem_default = 33554432

What output do you get from capstats?

How much CPU is your bro process using?  As long as it isn't maxing out a cpu
core, it shouldn't be dropping packets.  If it is maxing out the cpu, then the
problem isn't with capturing, it is with doing too much analysis.  If you have
an ethernet card that uses the igb driver you can try the pf_ring tn_api stuff:


You can use it to run a single node bro cluster with each worker capturing from
eth0@0,eth0@1,eth0@2,eth0@3

> 2) In regards to question #1, am I interpreting the output of broctl
> netstats correctly? Specifically if my dropped number is higher than my recvd
> number then that means Bro is processing < 50% of my network traffic?

What version of bro are you running?  In 1.4.x the pcap stats for dropped
packets were recorded incorrectly on Linux.  I see some amount of dropped
packets, but usually less than 1 percent.

> 3) In the "diag" output I see that the workers are reporting "pcap
> bufsize = 8192". Is this tunable on Linux? Are there any other suggestions
> for Linux tuning to decrease the amount of dropped packets?
> 4)      Is anyone else running a reliable, stable Bro cluster on Linux?

I've been running bro on linux for years now...

> We are using RedHat Enterprise Linux 5.4, 64-bit.

Debian 64bit :-)

-- Justin Azoff
-- Security & Network Performance Analyst
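
Added example (not part of the original message): a shell check that the three /etc/sysctl.conf values from the reply are actually in effect in the running kernel, since edits to that file only apply after `sysctl -p` or a reboot. The function name `check_sysctl` and its optional root-directory argument are choices made for this example.

```shell
#!/bin/sh
# Compare live kernel values with the settings suggested in the reply above.
# The optional argument (default /proc/sys) is an assumption of this example
# so the check can be pointed at a test directory instead of the real kernel.

# Wanted settings, exactly as given in the message.
WANTED='net.core.rmem_max = 33554432
net.core.netdev_max_backlog = 10000
net.core.rmem_default = 33554432'

# check_sysctl [proc_root]
# Prints one line per key and returns the number of keys that are missing
# or lower than the wanted value (0 means every setting is in effect).
# On a sensor, run it with no argument: check_sysctl
check_sysctl() {
    proc_root=${1:-/proc/sys}
    bad=0
    # A here-document keeps the loop in the current shell so $bad survives.
    while IFS=' =' read -r key want; do
        [ -n "$key" ] || continue
        # net.core.rmem_max -> <proc_root>/net/core/rmem_max
        path="$proc_root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING $key (no $path)"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$path")
        if [ "$have" -ge "$want" ]; then
            echo "OK      $key = $have"
        else
            echo "LOW     $key = $have (wanted $want)"
            bad=$((bad + 1))
        fi
    done <<EOF
$WANTED
EOF
    return "$bad"
}
```

A LOW or MISSING line after editing /etc/sysctl.conf usually means the file has not been reloaded yet.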
