[Bro] Weird stuff in weird.log?
kim at blackcatsec.net
Sun Apr 21 04:15:38 PDT 2013
I was about to ask the list whether splitting up interfaces / VLANs / snooping points into different workers would fix it, but it seems you have done that and are still seeing the same weirdness.
May I ask what your reason was for having 3 workers and a proxy? I am still new to how to design and set up Bro with all the features it has...
Sent from my mobile device, excuse my clawfingerness!
Mobile N#: +358  40 702 7844
PGP S#: 0BFA A910 9AA7 94A5 A323 53F5 4151 4CE4 33BE 35FA
On 21 apr 2013, at 13:23, Peter Franzel <pfranzel at t-online.de> wrote:
> I am experiencing the same problem in the weird.log here, using one interface defined for the WAN and one for the LAN traffic (between them there is a firewall and a loadbalancer with ssl-offload).
> I am using the following node configuration:
> [worker-1] --> WAN Connection
> [worker-2] --> LAN Connection
> [worker-3] --> dedicated line between two DCs
> Question: What should I meaningfully do to get rid of this:
> --> Run one bro cluster/instance for each interface?
> --> Or is there a way to do it by another configuration change?
> On 21.04.2013 11:05, Vern Paxson wrote:
>>> I suspect that it is due to the fact that I am spanning
>>> multiple VLANs that Bro sees, with traffic both before and after
>>> loadbalancers and NATs etc. so it kind-of sees the whole chain of packets
>>> from outside the firewall, before / after loadbalancer behind firewall
>>> and finally the traffic behind the loadbalancers/firewalls...would that
>>> in some way explain the weird.log stuff shown here?
>> That for sure would explain these sorts of "weird" messages, since they
>> all relate to Bro reporting that it's not seeing a single consistent
>> picture of (bidirectional) network flows.
>> Bro mailing list
>> bro at bro-ids.org
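One way to act on Vern's point (that these weirds mean a worker is not seeing a consistent bidirectional picture) is to tally weird.log by weird name and by the reporting worker, which shows which snooping point is the one with one-sided visibility. The script below is an added example for this thread, not code from the Bro project or from any poster; it assumes the Bro 2.x ASCII log layout for weird.log (tab-separated, a `#fields` header, and a `peer` column naming the cluster worker), and the sample log it parses is constructed for the example. The grouping of `possible_split_routing` and `data_before_established` as "one-sided" indicators is the example's own heuristic.

```python
"""Tally a Bro weird.log by weird name and reporting worker.

Added example for this thread, not Bro project code. Assumes the Bro 2.x
ASCII log format: tab-separated records, a '#fields' header line, and a
'peer' column carrying the cluster worker name.
"""
from collections import Counter, defaultdict

# Constructed sample weird.log (not taken from the thread or a real sensor).
SAMPLE_WEIRD_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tweird\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tname\taddl\tnotice\tpeer\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport"
    "\tstring\tstring\tbool\tstring\n"
    "1366542000.100000\tCabc1\t10.0.0.5\t51000\t203.0.113.10\t443"
    "\tdata_before_established\t-\tF\tworker-1\n"
    "1366542000.200000\tCabc2\t10.0.0.6\t51001\t203.0.113.10\t443"
    "\tpossible_split_routing\t-\tF\tworker-1\n"
    "1366542001.000000\tCabc3\t192.168.1.20\t40000\t10.0.0.5\t8080"
    "\tpossible_split_routing\t-\tF\tworker-2\n"
    "1366542001.500000\tCabc4\t192.168.1.21\t40001\t10.0.0.5\t8080"
    "\tdata_before_established\t-\tF\tworker-2\n"
    "1366542002.000000\tCabc5\t172.16.0.9\t2000\t172.16.5.9\t22"
    "\tbad_TCP_checksum\t-\tF\tworker-3\n"
    "#close\t2013-04-21-04-15-38\n"
)

# Weird names the TCP analyzer raises when it sees only one direction of a
# connection. This grouping is the example's own heuristic, not a Bro list.
ONE_SIDED_NAMES = frozenset({"possible_split_routing", "data_before_established"})


def parse_weird_log(text):
    """Return one dict per record, keyed by the names in the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/trailer lines (#separator, #types, #close)
        if fields is None:
            raise ValueError("record seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch in record: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def count_by_name_and_peer(rows):
    """Nested counts: weird name -> reporting worker (peer) -> occurrences."""
    counts = defaultdict(Counter)
    for row in rows:
        counts[row["name"]][row.get("peer", "-")] += 1
    return counts


def one_sided_peers(rows):
    """Workers whose weirds suggest they see only one direction of flows."""
    per_peer = Counter()
    for row in rows:
        if row["name"] in ONE_SIDED_NAMES:
            per_peer[row.get("peer", "-")] += 1
    return dict(per_peer)


if __name__ == "__main__":
    records = parse_weird_log(SAMPLE_WEIRD_LOG)
    for name, peers in sorted(count_by_name_and_peer(records).items()):
        print(name, dict(peers))
    print("one-sided visibility suspects:", one_sided_peers(records))
```

On a real cluster, replace `SAMPLE_WEIRD_LOG` with the contents of the worker-merged weird.log; a worker that dominates the one-sided counts is the snooping point whose span or tap delivers only half of each flow (for example the interface behind a loadbalancer or NAT), which is the configuration question to resolve rather than a sign of malicious traffic.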