[Bro] Possible Bro Cluster communication issue?

Gary Faulkner gary at doit.wisc.edu
Fri Nov 15 10:34:03 PST 2013

We're running RHEL 6.4 (2.6.32-358.6.2.el6.x86_64). We had our own 
fairly restrictive rule set on the hosts and simply didn't have the 
ports open as I didn't see them in the particular documentation I was 
referencing on the bro site. I knew from the documentation that bro 
needed to be able to SSH between hosts, but didn't know that 
(manager/proxy/worker) were also listening on specific ports or what 
they were.

As for the proxy crashing, I think the issue was simply running too many 
workers on the same host as the proxy and manager. I started my learning 
by running a single host with manager/proxy/workers and gradually 
ramping up the worker count, then added the second with just workers. So 
I suspect I just pushed it too far and needed to free up some system 
resources on that first host running the manager/proxy. Ideally I think 
I'd like to run the master and proxy on their own system (as others have 
suggested). For testing purposes I simply disabled the workers on that 
host, made sure the proxy didn't crash and then observed the behavior of 
the host firewalls to see if they were blocking anything. So mostly 
ignorance and misconfiguration on my part.


Gary Faulkner
UW Madison
Office of Campus Information Security

On 11/15/2013 8:24 AM, Daniel Thayer wrote:
> Which Linux distro (and which version) are you using?  And were
> you using the default FW settings?  Also, were you able to
> determine why the proxy was crashing?  If so, how did
> you resolve the problem?
> On 11/15/2013 02:05 AM, Gary Faulkner wrote:
>> Actually, it was the firewall, but I also had a secondary problem in
>> that the proxy was constantly crashing due to a lack of system resources so
>> it didn't initially appear that disabling the firewall relieved the
>> communication problem. I didn't recall seeing any FW considerations
>> beyond ssh in the documentation, but I did eventually find an external
>> document at https://gist.github.com/grigorescu/3776670 and a quick
>> netstat allowed me to confirm the ports on my hosts. Thanks for the 
>> help!
>> On 11/14/2013 11:20 PM, Gary Faulkner wrote:
>>> Both hosts are running host based FWs, but disabling them doesn't appear
>>> to make a difference in the behavior. I can ssh between hosts just fine
>>> as the bro user with key-based auth and broctl seems to open an ssh
>>> session per worker between the two hosts that appear to stay established
>>> throughout just fine. Does all the communication happen over those ssh
>>> sessions or are there other types of connections happening between
>>> master/proxy and worker?
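The "quick netstat" check from the thread, turned into a small script that reads `netstat -tlnp` output, pulls out the TCP ports a given program is listening on, and emits host-firewall rules that open those ports only to the named cluster peer. This is an added example, not code from the list thread or from the Bro project; the netstat output, PIDs, port numbers and peer address are all constructed, and the real values come from your own hosts.

```shell
#!/bin/sh
# Constructed sample of `netstat -tlnp` output on a cluster host. The PIDs and
# ports are hypothetical; run netstat on your manager/proxy/worker to get real ones.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:47760           0.0.0.0:*               LISTEN      2345/bro
tcp        0      0 0.0.0.0:47761           0.0.0.0:*               LISTEN      2346/bro
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1111/master'

# bro_listen_ports: print the TCP ports a program is listening on, one per
# line, sorted and de-duplicated. $1 = netstat -tlnp output, $2 = program name.
bro_listen_ports() {
    printf '%s\n' "$1" | awk -v prog="$2" '
        $1 == "tcp" && $6 == "LISTEN" {
            split($7, pp, "/");            # "PID/Program name" -> PID, name
            if (pp[2] == prog) {
                n = split($4, addr, ":");  # port is after the last colon
                print addr[n];
            }
        }' | sort -n | uniq
}

# bro_iptables_rules: one ACCEPT per port, restricted to the peer host's source
# address so only cluster members can reach the listeners. $1 = ports, $2 = peer IP.
bro_iptables_rules() {
    for port in $1; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -m state --state NEW -j ACCEPT\n' "$2" "$port"
    done
}

# Example run: derive the rules for a (hypothetical) peer at 192.0.2.10.
ports=$(bro_listen_ports "$SAMPLE_NETSTAT" bro)
bro_iptables_rules "$ports" 192.0.2.10
```

Repeat the check on every cluster host after a restart, since the listening ports are what the host firewall has to allow in addition to SSH.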
