[Bro] newbie questions...

Russell Fulton r.fulton at auckland.ac.nz
Wed Aug 21 16:06:42 PDT 2013


First a minor nit:

I am setting up a new sensor with argus, suricata and bro.  I thought I had everything right and then broctl start would just hang with "starting manager…"

I eventually worked out that in reorganising directories after running out of disk I had managed to move the bro install files.  Re-running the broctl install fixed things.  If it is straightforward for the script to check for the install files before trying to start the manager and give an informative error message, that would be nice ;)

For the record I am running on a 16 core box running Ubuntu SPC and using the binary from SO (but not the SO config or scripts).

I have suricata set up to use cores 10-15 — is there a straightforward way to assign bro to particular cores, or should I just use open slather for everything?

I have assumed that the SO version of bro will use pf_ring by default? Or do I need to do something to get bro to use pf_ring?

Russell ( confession — it has only taken 4 years for implementing bro to get to the top of my todo list :(  )

