[Bro] Bro Cluster Missing Many HTTP Requests

Bible, Landy landy-bible at utulsa.edu
Wed Jun 17 09:17:47 PDT 2015

Hi All,

I'm just getting started with Bro. So far I'm really liking the data I get, even just out of the box. I've got one standalone host running with PF_RING enabled, 8 workers. I am also testing multi host clustering, and have two worker hosts running 6 workers each (again, with PF_RING) with the master and proxy running on a third host. All three worker hosts are being fed tap data from an Arista Networks 7150. The standalone host is getting data from a regular Tool port, and the other two are getting it from a PortChannel. Both tool ports are connected to the same Aggregation Group, so both Bro systems should be getting exactly the same data.

As expected, the standalone box has a much higher CPU load, and it occurred to me today that I should bump the number of workers down so I could free up a core for the manager. I got some stats from yesterday...

Single Bro Host
116,853 Packets Dropped (as reported by the notice logs)
56,827,921 Connections Logged (just a wc -l of the connection logs)
17,323,728 HTTP Requests Logged (just a wc -l of the http logs)

Bro Cluster
7 Packets Dropped
79,115,195 Connections Logged
7,436,365 HTTP Requests Logged

In addition to the packets being dropped by the host, I see a large number of TX drops on the Arista output for the single Bro host. I suspect that's due to the packet rate exceeding the capacity of the port occasionally, so I'm not too worried about that. And the CPU load on the single box vs the cluster explains why the cluster managed to snag so many more of the connections.  However, what has me very confused is how the cluster missed nearly 10 million HTTP requests relative to the single host, despite logging 25 million more connections. Both Bro systems are configured the same, loading the same scripts. So far I'm just using the out of the box config. The only difference is that I pulled the source from GitHub for the cluster the day after I did the standalone host.

Just looking for HTTP requests generated by my computer yesterday, the cluster snagged 120 of them while the standalone host got 416. Of those, 104 were common between the two logs.

Can someone point me towards where I should look to start trying to figure out why I'm getting such vastly different results from one system over the other? So far I'm not seeing anything obvious in any of the logs I've found.


Landy Bible
Information Security Analyst
The University of Tulsa
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150617/90d7af65/attachment.html 

More information about the Bro mailing list