[Bro] newbie questions...
seth at icir.org
Wed Aug 21 16:36:25 PDT 2013
On Aug 21, 2013, at 7:06 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:

> For the record I am running on a 16 core box running Ubuntu SPC and using the binary from SO (but not the SO config or scripts).
> I have suricata set up to use cores 10-15 — is there a straightforward way to assign bro to particular cores or should I just use open slather for everything?

In the 2.2 release that is coming soon there is a new config option for node.cfg where you can pin processes. It will make your worker configs look like this…

I think that's a pretty straightforward configuration, but let me know if there isn't anything clear in it or if you have questions. You will only need to configure a single worker like that to load balance traffic on that host with the configured interface. broctl will create all of the worker processes it needs.

> I have assumed that the SO version of bro will use pf_ring by default? Or do I need to do something to get bro to use pf_ring?

I put it in the config above, you just need to make sure you have all of the pf_ring bits installed. I'm a little unsure how different what you're running is from securityonion so I'm not sure I can authoritatively answer your question.

International Computer Science Institute
(Bro) because everyone has a network
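
Added example, not part of the original message and not code from the Bro project: a small check that a node.cfg worker's pinned cores do not collide with cores reserved for another sensor, such as the Suricata cores 10-15 in the question. The option names lb_method, lb_procs and pin_cpus do not appear in the message and are assumed from broctl's node.cfg format; the host, interface and core numbers are constructed sample values.

```python
import configparser

# Constructed sample node.cfg; host, interface and core numbers are assumptions.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=8
pin_cpus=2,3,4,5,6,7,8,9
"""

SURICATA_CORES = range(10, 16)  # cores 10-15, as stated in the question


def check_pinning(cfg_text, reserved, total_cores):
    """Return a list of problems with worker CPU pinning in a node.cfg."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    problems = []
    for name in cfg.sections():
        node = cfg[name]
        if node.get("type") != "worker" or "pin_cpus" not in node:
            continue
        cpus = [int(c) for c in node["pin_cpus"].split(",") if c.strip()]
        procs = node.getint("lb_procs", fallback=1)
        if len(cpus) < procs:
            problems.append(f"{name}: {procs} processes but only {len(cpus)} pinned cores")
        if len(set(cpus)) != len(cpus):
            problems.append(f"{name}: duplicate core in pin_cpus")
        clash = sorted(set(cpus) & set(reserved))
        if clash:
            problems.append(f"{name}: cores {clash} are reserved for another process")
        bad = sorted(c for c in set(cpus) if not 0 <= c < total_cores)
        if bad:
            problems.append(f"{name}: cores {bad} do not exist on this host")
    return problems


if __name__ == "__main__":
    for line in check_pinning(SAMPLE_NODE_CFG, SURICATA_CORES, 16) or ["pinning OK"]:
        print(line)
```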