[Bro] New Bro cluster
philosnef at gmail.com
Wed Nov 23 04:27:25 PST 2016
Re Bro and pf_ring, I would recommend af_packet over pf_ring, if you are
running a recent OS that supports it in Bro (see earlier). This is because
af_packet comes built-in with your distro, and pf_ring is an addon. This
makes it easier to manage imo.

If you build pf_ring, you will need the kernel module and shared objects on
each box. Bro isn't going to put those there for you...

Moreover, I would highly recommend you build pf_ring as a module vs.
compiled into Bro itself. Personal opinion though.

Pf_ring doesn't do load balancing on a link (it does it on the card between
threads), so if you want to balance over multiple Bro boxes, you definitely
need something like a load balancing tap, a passive load balancer, or your
F5 (which I believe does 5-tuple balancing). Cue the
pleaselookatthelblpaperonloadbalancinga100giglink paper comments. :D

Hope this helps.