[Bro] Trying to get Bro to share Myricom cards with tcpdump or Snort

Michał Purzyński michalpurzynski1 at gmail.com
Fri Mar 20 08:38:53 PDT 2015


From my Bro's node.cfg - look at the "env_vars". I don't use the
multi-application mode but that is how you pass the variables to Bro
workers.

[nsm7-eth4]
type=worker
host=a.b.c.d
interface=eth4
lb_method=myricom
lb_procs=12
pin_cpus=1,2,3,4,5,6,7,8,9,10,11,12
env_vars=SNF_DEBUG_MASK=0x3,SNF_DESCRING_SIZE=4294967296,SNF_DATARING_SIZE=17179869184


For other applications you will most likely have to modify the SO
startup/stop scripts, putting variables just before the application is
started.


On Fri, Mar 20, 2015 at 4:31 PM, Glenn Forbes Fleming Larratt
<gl89 at cornell.edu> wrote:
> I am using the Sniffer10G driver, and in support of getting proof of
> concept, dropped the number of workers/host from 12 to 11 (we're actually
> RAM-limited because of the quantity of data we're trying to process).
>
> Abridged output of myri_endpoint_info:
> The myri_snf driver is configured to support a maximum of:
>         160 endpoints per NIC, 32 NICs per host
> ===================================================================
> Endpoint         PID             Command                 Info
> <ether>         none            none
> 32              43305           bro             rx handle (11 shared rings)
> 33              43304           bro             rx handle (11 shared rings)
> 34              43300           bro             rx handle (11 shared rings)
> 35              43302           bro             rx handle (11 shared rings)
> 36              43307           bro             rx handle (11 shared rings)
> 37              43303           bro             rx handle (11 shared rings)
> 38              43301           bro             rx handle (11 shared rings)
> 39              43306           bro             rx handle (11 shared rings)
> 40              43308           bro             rx handle (11 shared rings)
> 41              43310           bro             rx handle (11 shared rings)
> 42              43309           bro             rx handle (11 shared rings)
> 64              43306           bro             rx ring 0
> 65              43305           bro             rx ring 1
> 66              43307           bro             rx ring 2
> 67              43303           bro             rx ring 3
> 68              43302           bro             rx ring 4
> 69              43308           bro             rx ring 5
> 70              43309           bro             rx ring 6
> 71              43301           bro             rx ring 7
> 72              43300           bro             rx ring 8
> 73              43310           bro             rx ring 9
> 74              43304           bro             rx ring 10
> There are currently 22 regular endpoints open
>
>
> --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
>
> On Fri, 20 Mar 2015, Brandon Lattin wrote:
>
>> Just to verify, you're using the Sniffer10G v3 driver, yes?
>> Assuming you are, keep in mind that each interface is still limited to 32
>> ring buffers (this is what got me). So
>> plan on running something like 16 for Bro and 16 for Snort/Suricata.
>>
>> On Fri, Mar 20, 2015 at 10:18 AM, Glenn Forbes Fleming Larratt
>> <gl89 at cornell.edu> wrote:
>>       Folks,
>>
>>       Can anyone point to a Bro+Snort HOWTO that would help me get Myricom cards
>>       to share?
>>
>>       1. Following the directions at
>>
>>       https://www.myricom.com/software/sniffer10g/995-how-can-i-direct-sniffer10g-traffic-to-multiple-applications-using-snf-app-id.html
>>
>>       doesn't really help, because my Bro deployment is a cluster, and the
>>       environmental variables don't propagate to my worker hosts - in fact,
>>       /proc/{bro_pid}/environ is 0-length on all the processes on the worker
>>       hosts.
>>
>>       2. I tried to reverse-engineer how Security Onion does it, but I didn't
>>       really glean anything that would help.
>>       Thanks for any info,
>>       --
>>       Glenn Forbes Fleming Larratt
>>       Cornell University IT Security Office
>>       _______________________________________________
>>       Bro mailing list
>>       bro at bro-ids.org
>>       http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>>
>>
>> --
>> Brandon Lattin
>> Security Analyst
>> University of Minnesota - University Information Security
>> Office: 612-626-6672
>>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
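
An added example, not part of the original message or of Bro/BroControl: it checks that the `env_vars` set in node.cfg actually reached a worker's `/proc/<pid>/environ` (the file reported as 0-length earlier in the thread), and computes the rings left on an interface under the 32-ring limit quoted above. The function names are hypothetical and the sample stanza is copied from the message.

```python
import configparser

# Constructed sample: the worker stanza shown in the message above.
NODE_CFG = """\
[nsm7-eth4]
type=worker
host=a.b.c.d
interface=eth4
lb_method=myricom
lb_procs=12
pin_cpus=1,2,3,4,5,6,7,8,9,10,11,12
env_vars=SNF_DEBUG_MASK=0x3,SNF_DESCRING_SIZE=4294967296,SNF_DATARING_SIZE=17179869184
"""

def _load(cfg_text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    return cfg

def expected_env(cfg_text):
    """Map each worker section of node.cfg to the env_vars it should receive."""
    out = {}
    for name, sec in _load(cfg_text).items():
        if sec.get("type") != "worker":
            continue
        pairs = (p.partition("=") for p in sec.get("env_vars", "").split(",") if p.strip())
        out[name] = {k.strip(): v.strip() for k, _, v in pairs}
    return out

def parse_environ(raw):
    """Decode /proc/<pid>/environ contents: NUL-separated KEY=VALUE records."""
    items = (rec.partition(b"=") for rec in raw.split(b"\0") if rec)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, _, v in items}

def env_drift(expected, raw):
    """Return {var: (wanted, actual_or_None)} for variables missing or different."""
    actual = parse_environ(raw)
    return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}

def check_pid(pid, expected):
    """Compare a live worker with node.cfg (reading environ needs the same uid or root)."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return env_drift(expected, fh.read())

def rings_left(cfg_text, host, interface, limit=32):
    """Rings still free after Bro's lb_procs; limit is the per-interface figure from the thread."""
    used = sum(sec.getint("lb_procs", fallback=1) for _, sec in _load(cfg_text).items()
               if sec.get("host") == host and sec.get("interface") == interface)
    return limit - used
```

Run `check_pid` on each worker host against the PIDs listed by `myri_endpoint_info`; an empty result means every variable from node.cfg is present with the expected value.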

