[Bro] First time Bro Cluster Spin up

Dawson,Scottie scottie.Dawson at colostate.edu
Tue Nov 18 11:22:17 PST 2014


It was the Endace Capture card.

scott

"chop wood carry water"

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Dawson,Scottie
Sent: Tuesday, November 18, 2014 7:17 AM
To: bro at bro-ids.org
Subject: Re: [Bro] First time Bro Cluster Spin up

Thank you both, John and Keith, for the suggestions. I rebooted the server for good measure and re-ran the setcap command, with the same results in broctl.

worker-21 terminated immediately after starting; check output with "diag"

.....

Diag worker-21

...
....
==== stderr.log
fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied

.......


Is anyone using an Endace card in their cluster? I am starting to suspect that the permissions issue has to do with how I am configuring and launching the capture card. I am going to reach out to their support organization and see if there is a way to launch the card as a non-root user.

I am sure I can get all this working with root but I am trying to avoid that.

Thanks again

scott

"chop wood carry water"

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Dawson,Scottie
Sent: Monday, November 17, 2014 1:05 PM
To: bro at bro-ids.org
Subject: [Bro] First time Bro Cluster Spin up

Hi.

I am attempting to get a Bro cluster working and I get the following error for all my workers (full output of diag below): "fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied"

Thoughts on what I am missing?


Config:
I have an Endace DAG8.1SX set up to run with 22 streams.
1 server set up to have 22 instances of Bro workers on it
1 server set up as the manager and proxy
Using: libpcap-1.6.2
       dag-5.2.0
       bro version 2.3.1



TS:


1. I have run the following command on both the worker and the manager/proxy servers.

sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro


2. I can launch bro manually on the worker if I use sudo

acns-bro at endace:/usr/local/bro/bin$ sudo ./bro -i dag0:42
listening on dag0:42, capture length 8192 bytes

^C1416254260.140036 received termination signal
1416254260.140036 209 packets received on interface dag0:42, 0 dropped


3. Changed the group membership of the user launching bro (acns-bro) so that it is in the adm group



FULL OUTPUT of DIAG:
[BroControl] > diag worker-21
[worker-21]

Bro 2.3.1
Linux 3.13.0-39-generic


==== No reporter.log

==== stderr.log
[dag_open] dag_clone dagfd for dagiom: Permission denied
fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied


==== stdout.log
max memory size         (kbytes, -m) unlimited
data seg size           (kbytes, -d) unlimited
virtual memory          (kbytes, -v) unlimited
core file size          (blocks, -c) unlimited

==== .cmdline
-i dag0:42 -U .status -p broctl -p broctl-live -p local -p worker-21 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=worker-21

==== .status
TERMINATED [atexit]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log



Scott Dawson
ACNS Network Security
Colorado State University
970-297-3712

"chop wood carry water"
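The thread's troubleshooting steps (setcap on the bro binary, a manual sudo launch, adding acns-bro to the adm group) leave the actual failing call unexamined: the stderr.log shows dag_open failing on /dev/dag0 itself, and a plain open() of a device node is decided by the node's owner, group and mode bits, not by the capabilities on the binary. cap_net_raw and cap_net_admin do not include CAP_DAC_OVERRIDE, so the setcap used above cannot get past that check; the node's permissions have to admit the worker user directly. The script below is an added diagnostic, not code from the thread or from the Bro or Endace projects; it reproduces the kernel's DAC check for the worker user against the device node and parses getcap output to show whether any DAC-bypassing capability is present. The device path /dev/dag0, the user acns-bro and the binary path are taken from the thread as assumptions, and whatever mechanism the DAG driver or udev offers to change the node's group is not part of it.

```python
#!/usr/bin/env python3
"""Diagnose "dag_open /dev/dag0: Permission denied" for a non-root Bro worker.

Added example, not from the mailing-list thread. Two independent checks:
  1. classic Unix DAC on the device node (owner/group/mode vs the worker user);
  2. the file capabilities on the bro binary, to show that the setcap used in
     the thread (cap_net_raw,cap_net_admin) carries no CAP_DAC_OVERRIDE and so
     cannot get past check 1.
Assumptions taken from the thread, not verified here: device /dev/dag0,
worker user acns-bro, binary /usr/local/bro/bin/bro.
"""
import grp
import os
import pwd
import re
import shutil
import subprocess
import sys

DEVICE = "/dev/dag0"                 # assumption: path from the stderr.log above
WORKER_USER = "acns-bro"             # assumption: user from the manual launch above
BRO_BIN = "/usr/local/bro/bin/bro"   # assumption: path from the setcap command above

# Capabilities that let a process open a file regardless of its mode bits.
DAC_BYPASS_CAPS = {"cap_dac_override", "cap_dac_read_search"}


def can_open_rw(st_mode, st_uid, st_gid, uid, gids):
    """Unix DAC check for open(path, O_RDWR), the way the kernel evaluates it:
    owner bits if uid matches, else group bits if any of the caller's groups
    matches, else the 'other' bits. uid 0 passes because root carries
    CAP_DAC_OVERRIDE; nothing else in the capability set matters here."""
    if uid == 0:
        return True
    if uid == st_uid:
        bits = (st_mode >> 6) & 0o7
    elif st_gid in gids:
        bits = (st_mode >> 3) & 0o7
    else:
        bits = st_mode & 0o7
    return bits & 0o6 == 0o6          # read and write both required


def parse_getcap(line):
    """Capability names in one line of getcap output. Accepts both the
    'path = cap_a,cap_b+eip' (older libcap) and 'path cap_a,cap_b=eip'
    (newer libcap) spellings."""
    return set(re.findall(r"\bcap_[a-z_]+", line.lower()))


def caps_bypass_dac(line):
    """True if the binary's file capabilities include one that bypasses DAC."""
    return bool(parse_getcap(line) & DAC_BYPASS_CAPS)


def user_ids(user):
    """(uid, set of gids) for an account, including supplementary groups."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def check_device(path, uid, gids):
    """Stat a node and report whether (uid, gids) may open it read/write."""
    st = os.stat(path)
    ok = can_open_rw(st.st_mode, st.st_uid, st.st_gid, uid, gids)
    return ok, oct(st.st_mode & 0o777), st.st_uid, st.st_gid


def main():
    uid, gids = user_ids(WORKER_USER)
    ok, mode, owner, group = check_device(DEVICE, uid, gids)
    print(f"{DEVICE}: mode {mode} owner uid {owner} gid {group}")
    print(f"{WORKER_USER} (uid {uid}, gids {sorted(gids)}) can open RDWR: {ok}")
    if shutil.which("getcap"):
        out = subprocess.run(["getcap", BRO_BIN], capture_output=True,
                             text=True).stdout.strip()
        print(f"getcap: {out or '(no file capabilities)'}")
        print("file caps bypass DAC:", caps_bypass_dac(out))
    if not ok:
        print("open() on the device node fails before any capability is "
              "consulted; the node's group/mode must admit the worker user.")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as any user on the worker host; it needs no privileges, since stat() on the node and reading /etc/group are enough. A "can open RDWR: False" next to "file caps bypass DAC: False" is exactly the situation in the stderr.log above: the worker is refused at the device node, and repeating setcap on the binary cannot change that.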


