[Bro] A few questions

Powell, Scott powellsm at musc.edu
Tue Feb 2 10:53:06 PST 2010


I wondered if I needed some sort of distributor/load balancer external to the workers but wasn't sure based on the documentation.

Currently our network TAPs (external, DMZ, internal, etc.) go to single NICs on different machines. We have been using these for years to capture Netflow data with Argus as well as running Snort on some of them. We do not distribute a single TAP across different interfaces or servers.

Given our current setup, how would I go about these BPF tricks to leverage multiple cores on a single machine? It is starting to sound like I would want to go about running Bro standalone installations on the TAPs I would be interested in monitoring, but the amount of traffic is too high to turn on all of the out-of-the-box analyzers unless I can take advantage of multiple cores.


-----Original Message-----
From: Robin Sommer [mailto:robin at icir.org] 
Sent: Tuesday, February 02, 2010 11:25 AM
To: Powell, Scott
Cc: Justin Azoff; bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] A few questions

On Tue, Feb 02, 2010 at 10:56 -0500, Powell, Scott wrote:

> My concern is these machines have 2 x AMD Opteron Quad Core 2.1 GHz
> processors and yet Bro cannot keep up with the out of the box policy
> configuration. Also, it seems all of my analysis is being done on
> one core of the worker with the TAP. Why isn't the analysis being
> spread across the other workers? They seem to be sitting idle.

I'm not sure I have fully understood how you set things up, but you
need some external way of distributing the traffic across the
workers. If the workers are running on separate PCs, that's
typically some form of load-balancing frontend device. If they all
run on the same box (in order to leverage multiple cores), you can
try some BPF tricks.


Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
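One form such a BPF split can take, as an added example that is not from this thread: give each worker on the box a filter keyed on the sum of the two IPv4 addresses, so both directions of a connection reach the same worker (Bro's connection tracking needs that). The filter form, the helper names and the sample flows are my assumptions; it assumes IPv4 only, a power-of-two worker count, and libpcap filter arithmetic.

```python
# Added example, not from the Bro mailing list or the Bro project.
import ipaddress

def worker_filters(n_workers):
    """One BPF expression per worker (hypothetical helper). Together the
    expressions cover all IPv4 packets, and each packet matches exactly one.
    ip[12:4] / ip[16:4] are the IPv4 source / destination addresses; BPF adds
    them as 32-bit unsigned values and the mask keeps only the low bits."""
    if n_workers < 1 or n_workers & (n_workers - 1):
        raise ValueError("worker count must be a power of two for a plain mask")
    mask = n_workers - 1
    return [f"ip and ((ip[12:4] + ip[16:4]) & {mask}) == {k}"
            for k in range(n_workers)]

def worker_for(src, dst, n_workers):
    """Reference model of the filter arithmetic: index of the worker that
    would see a packet from src to dst (addition wraps at 32 bits as in BPF)."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    return ((s + d) & 0xFFFFFFFF) & (n_workers - 1)

def check_split(flows, n_workers):
    """Sanity check before deploying: every flow's two directions must map to
    the same worker. Returns the number of flows landing on each worker, which
    shows how evenly (or not) the split spreads a given set of flows."""
    counts = [0] * n_workers
    for src, dst in flows:
        w = worker_for(src, dst, n_workers)
        if w != worker_for(dst, src, n_workers):
            raise AssertionError(f"asymmetric split for {src} <-> {dst}")
        counts[w] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample flows; the addresses are placeholders, not from the thread.
    sample = [("10.0.0.1", "192.0.2.10"), ("10.0.0.2", "192.0.2.10"),
              ("10.0.0.3", "198.51.100.7"), ("10.0.0.4", "198.51.100.7")]
    for expr in worker_filters(4):
        print(expr)
    print("flows per worker:", check_split(sample, 4))
```

Each worker is then started on the same interface with its own expression (Bro's -f tcpdump-filter option); every worker's filter is still evaluated in the kernel on every packet, so the filtering cost is paid once per worker.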
