[Bro] First time Bro Cluster Spin up
donaldson8 at llnl.gov
Mon Nov 17 12:14:44 PST 2014
Do you have any other processes listening to those streams? Only one process can attach to each stream, and we usually see those types of errors when a Bro worker tries to attach to a stream that is already in use. This also happens if a process doesn't cleanly release the stream, and, in our experience, requires a full reboot to clear.
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Dawson,Scottie
Sent: Monday, November 17, 2014 12:05 PM
To: bro at bro-ids.org
Subject: [Bro] First time Bro Cluster Spin up
I am attempting to get a Bro cluster working and I get the following error for all my workers (full output of diag below): "fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied"
Thoughts on what I am missing?
I have an Endace DAG8.1SX set up to run with 22 streams.
1 Server set up to have 22 instances of BRO workers on it
1 server set up as the manager and proxy
bro version 2.3.1
1. I have run the following command on both the worker and the manager/proxy servers.
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro
2. I can launch bro manually on the worker if I use sudo
acns-bro at endace:/usr/local/bro/bin$ sudo ./bro -i dag0:42
listening on dag0:42, capture length 8192 bytes
^C1416254260.140036 received termination signal
1416254260.140036 209 packets received on interface dag0:42, 0 dropped
3. Manipulated the user launching bro (acns-bro) group permissions to be in the adm group
FULL OUTPUT of DIAG:
[BroControl] > diag worker-21
==== No reporter.log
[dag_open] dag_clone dagfd for dagiom: Permission denied
fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited
-i dag0:42 -U .status -p broctl -p broctl-live -p local -p worker-21 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
==== No prof.log
==== No packet_filter.log
==== No loaded_scripts.log
ACNS Network Security
Colorado State University
"chop wood carry water"
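Added example, not part of the original thread: a check of whether plain file permissions on the device node would deny the unprivileged user. cap_net_raw and cap_net_admin do not override the owner/group/other mode check when a process opens a device file such as /dev/dag0, while root (as with sudo) does. The function names are hypothetical, GNU stat is assumed, and it is an assumption that the capture library needs read and write access.

```shell
#!/bin/sh
# Added example: evaluate classic Unix mode bits for a device node.
# ACLs and LSMs (SELinux, AppArmor) are not considered here.

# dac_allows_rw MODE OWNER_UID OWNER_GID UID "GID GID ..."
# Succeeds when the mode bits grant read and write to the given identity.
dac_allows_rw() {
    mode=$((0$1)); o_uid=$2; o_gid=$3; uid=$4; gids=$5
    [ "$uid" -eq 0 ] && return 0            # root bypasses the mode check
    if [ "$uid" -eq "$o_uid" ]; then
        bits=$(( (mode >> 6) & 7 ))         # owner class applies, and only it
    else
        bits=$(( mode & 7 ))                # default to the "other" class
        for g in $gids; do
            if [ "$g" -eq "$o_gid" ]; then
                bits=$(( (mode >> 3) & 7 )) # member of the owning group
                break
            fi
        done
    fi
    [ $(( bits & 6 )) -eq 6 ]               # need both r (4) and w (2)
}

# check_device PATH USER: apply the check to a real device node and account.
check_device() {
    dev=$1; user=$2
    st=$(stat -c '%a %u %g' "$dev") || return 2
    set -- $st
    if dac_allows_rw "$1" "$2" "$3" "$(id -u "$user")" "$(id -G "$user")"; then
        echo "$user: file mode permits read/write on $dev"
    else
        echo "$user: file mode denies read/write on $dev (mode $1, uid $2, gid $3)"
        return 1
    fi
}

# On the worker host, with the path and account named in the thread:
#   check_device /dev/dag0 acns-bro
#   getcap /usr/local/bro/bin/bro    # confirm the file capabilities are set
```

id -G reads the group database, so a group added to the account only reaches processes started after a fresh login.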