[Bro] Broctl pf_ring_DNA support / Bro at 100G

Gary Faulkner gary at doit.wisc.edu
Wed Oct 30 09:43:52 PDT 2013


We recently lit up a 100G link and are attempting to tackle migrating 
our IDS and monitoring infrastructure from 10G to 100G capabilities. We 
have an existing set of servers that we are using to evaluate SNORT, 
Suricata and Bro on with a 100G Gigamon upstream. For purposes of a Bro 
proof of concept I have two of the following Dell 720s to start from:

Dell 720XD
64 G RAM (1600 MHz RDIMMS)
30TB (usable) RAID 6 7.2K RPM SAS 6Gbps
2 146GB 15K RPM SAS 6Gbps
2 Intel Xeon E5-2670 2.60GHz, 20M Cache, 8.0GT/s QPI, Turbo, 8C
3 Intel X520 DP 10Gb DA/SFP+

I'm starting from build 2.2-beta-114 and looking at using it and PF_RING 
with the DNA drivers for the Intel cards for now as some of the other 
popular cards are "complicated" for us to get approval to purchase. I 
haven't found much info on running Bro this way other than issue ID 845 
<https://bro-tracker.atlassian.net/browse/BIT-845> and even that only 
suggests that there is a Bro Control plugin in the works for this, but 
that it may not be fully tested yet. Has anyone tried the plugin yet or 
have any experience configuring Bro and PF_RING/DNA to work together?


Gary Faulkner
UW Madison
Office of Campus Information Security
