[Bro] A few questions
powellsm at musc.edu
Tue Feb 2 12:40:28 PST 2010
Robin et al,
OK, a little more info. It appears that the analyzers that are killing the CPU are the HTTP ones. I do not want to disable these because they log very useful information. However, I cannot seem to keep up on one core. I either need a way to process the analysis on multiple cores or I need a frontend to distribute the load to multiple nodes. I do not have a hardware frontend solution so I would be interested in software solutions such as Click. I saw it mentioned on the Wiki and in Workshop slides but are there example configs somewhere?
From: Powell, Scott
Sent: Tuesday, February 02, 2010 1:53 PM
To: 'Robin Sommer'
Cc: bro at ICSI.Berkeley.EDU
Subject: RE: [Bro] A few questions
I wondered if I needed some sort of distributor/load balancer external to the workers but wasn't sure based on the documentation.
Currently our network TAPs (external, DMZ, internal, etc.) go to single NICs on different machines. We have been using these for years to capture Netflow data with Argus as well as running Snort on some of them. We do not distribute a single TAP across different interfaces or servers.
Given our current setup, how would I go about these BPF tricks to leverage multiple cores on a single machine? It is starting to sound like I would want to go about running Bro standalone installations on the TAPs I would be interested in monitoring but the amount of traffic is too high to turn on all of the out of the box analyzers, unless I can take advantage of multiple cores.
From: Robin Sommer [mailto:robin at icir.org]
Sent: Tuesday, February 02, 2010 11:25 AM
To: Powell, Scott
Cc: Justin Azoff; bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] A few questions
On Tue, Feb 02, 2010 at 10:56 -0500, Powell, Scott wrote:
> My concern is these machines have 2 x AMD Opteron Quad Core 2.1 GHz
> processors and yet Bro cannot keep up with the out of the box policy
> configuration. Also, it seems all of my analysis is being done on
> one core of the worker with the TAP. Why isn't the analysis being
> spread across the other workers? They seem to be sitting idle.
I'm not sure I have fully understood how you set things up, but you
need some external way of distributing the traffic across the
workers. If the workers are running on separate PCs, that's
typically some form of load-balancing frontend device. If they all
run on the same box (in order to leverage multiple cores), you can
try some BPF tricks.
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
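The "BPF tricks" Robin refers to are usually per-worker capture filters that partition the traffic by address, so that several Bro workers listening on the same interface of one box each see a disjoint slice. The following is an added example, not code from this thread or from Bro itself: it generates such filters for N workers using only the arithmetic operators classic libpcap supports (no `%`), and emulates the split in Python to check that both directions of a connection land on the same worker, which Bro's connection tracking needs. It assumes IPv4 traffic, with `ip[14:2]` and `ip[18:2]` being the low 16 bits of the source and destination addresses.

```python
import ipaddress

def bpf_worker_filter(worker_index: int, n_workers: int) -> str:
    """Build the libpcap filter for one worker out of n_workers.

    The sum of the low 16 bits of src and dst address is the same for
    both directions of a connection, so a flow never splits across
    workers.  'sum - n*(sum/n)' is 'sum mod n' written with integer
    division, for libpcap builds that lack the '%' operator.
    """
    if n_workers < 1 or not 0 <= worker_index < n_workers:
        raise ValueError("worker_index must be in [0, n_workers)")
    s = "(ip[14:2] + ip[18:2])"
    return f"ip and ({s} - {n_workers}*({s}/{n_workers})) == {worker_index}"

def worker_for(src: str, dst: str, n_workers: int) -> int:
    """Emulate the filter arithmetic for a packet src -> dst."""
    low16 = lambda addr: int(ipaddress.IPv4Address(addr)) & 0xFFFF
    return (low16(src) + low16(dst)) % n_workers

def flows_stay_together(packets, n_workers: int) -> bool:
    """True if every packet of each bidirectional flow maps to one worker.

    packets: iterable of (src, dst) pairs; a flow is the unordered pair.
    """
    seen = {}
    for src, dst in packets:
        key = frozenset((src, dst))
        w = worker_for(src, dst, n_workers)
        if seen.setdefault(key, w) != w:
            return False
    return True

# Constructed sample: one request and its reply, plus an unrelated packet.
SAMPLE_PACKETS = [
    ("10.1.2.3", "192.168.5.7"),   # client -> server
    ("192.168.5.7", "10.1.2.3"),   # server -> client, same flow
    ("10.1.2.4", "192.168.5.7"),   # a different client
]

if __name__ == "__main__":
    for i in range(4):
        print(f"worker-{i}: {bpf_worker_filter(i, 4)}")
    print("flows stay together:", flows_stay_together(SAMPLE_PACKETS, 4))
```

Non-IPv4 traffic (ARP, IPv6) matches none of these filters, so a deployment that wants it logged needs one worker with a complementary filter; the split is also only as even as the address mix on the link.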