[Bro] Using native PF_RING plugin with broctl

Mark Buchanan mabuchan at gmail.com
Mon Feb 27 11:41:50 PST 2017

There is a glitch that Justin and I worked through a few weeks ago with the
PF_RING (native) support in Bro 2.5.  Try adding these two items to your
/opt/bro/etc/broctl.conf file:

PFRINGClusterID = 21
PFRINGClusterType = 6-tuple

The issue is there is some broken logic in a file that defaults the
ClusterID to zero (0) and at the same time that doesn't split the packets
out of the PF_RING interface as it should, which results in all workers
getting all packets (as you described).  So long as the PFRINGClusterID is
anything aside from zero (0), I believe it will fix the issue.  I add the
ClusterType just as a safety net to ensure you get decent distribution of
packets.  Other modes (5-tuple, 4-tuple or 2-tuple) should also be valid.
FYI - the 6th tuple is VLAN, so it may be more beneficial to use 5-tuple in
some environments.

If those items are in your broctl.conf file, then I'm a bit lost, but I've
been fighting with PF_RING over the past few weeks and this has allowed for
a repeatable process for myself.

This is also assuming you use in the node.cfg:
interface = eth0
lb_method = pf_ring

Additionally, the PF_RING module (new in 2.5) I believe suffers from the
same glitch or possibly another one.  I know roughly how to fix it, but
have time to validate and push back upstream.


On Mon, Feb 27, 2017 at 1:19 PM, Gary Faulkner <gfaulkner.nsm at gmail.com> wrote:

> When you built Bro did you also configure/make/make install the pf_ring
> plugin? My recollection is that the plugins are not automatically built
> when you build bro. They should be in the
> <path-to-bro-source>/aux/plugins/ in the source tree. They typically
> install into <path-to-bro>/lib/bro/plugins/.
> ~Gary
> On 2/27/17 12:51 PM, Jullian Remi wrote:
> > I installed bro using the following commands:
> >
> > ./configure --prefix=/usr/local/bro/
> > make
> > sudo make install
> >
> > Then, bro is started using broctl install, followed by broctl start.
> >
> > I have only one version of bro installed, the stable version 2.5
> > (Released Nov 16, 2016).
> >
> > I was referring to the environment variables such as PATH, BROPATH or
> > CLUSTER_NODE, contained in ${PREFIX}/spool/worker-X/.env_vars, and
> > generated by the wrapper script ${PREFIX}/share/broctl/scripts/run-bro.
> >
> > I forgot to mention that without using the native PF_RING plugin, I am
> > able to use PF_RING with the dedicated libpcap, such as explained here:
> > https://www.bro.org/sphinx/configuration/index.html#pf-ring-cluster-configuration.
> >
> >
> > Therefore, I don't think that this issue is related to the pf_ring
> > network driver or something like that, but rather to bro or broctl that
> > does not set the right configuration to enable the plugin.
> >
> > Rémi
> >> How did you install bro?  Do you have more than one version of bro installed?
> >>
> >> What environment variables are you referring to?
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Mark Buchanan
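
A pre-flight check for the two settings discussed in this message, added here as an example and not part of the original post or of broctl itself. The function names and sample file contents are constructed, and the check assumes the behaviour described above (a missing PFRINGClusterID ends up as 0) and that option names are matched case-insensitively.

```python
import configparser

# Cluster types named in the post; treated here as the accepted set (assumption).
VALID_TYPES = {"2-tuple", "4-tuple", "5-tuple", "6-tuple"}

def parse_broctl_conf(text):
    """Parse broctl.conf-style 'Key = value' lines, ignoring '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()  # case-insensitive keys (assumption)
    return opts

def check_pfring(broctl_text, node_text):
    """Return a list of findings; an empty list means the settings match the post."""
    nodes = configparser.ConfigParser()
    nodes.read_string(node_text)
    workers = [s for s in nodes.sections()
               if nodes.get(s, "lb_method", fallback="") == "pf_ring"]
    if not workers:
        return ["no node uses lb_method = pf_ring"]
    findings = []
    opts = parse_broctl_conf(broctl_text)
    cid = opts.get("pfringclusterid", "0")  # per the post, the fallback ends up as 0
    if not cid.isdigit() or int(cid) == 0:
        findings.append("PFRINGClusterID is missing or 0: every worker may see all packets")
    ctype = opts.get("pfringclustertype")
    if ctype is None:
        findings.append("PFRINGClusterType not set")
    elif ctype not in VALID_TYPES:
        findings.append("PFRINGClusterType %r is not one of %s" % (ctype, sorted(VALID_TYPES)))
    for w in workers:
        if not nodes.get(w, "interface", fallback=""):
            findings.append("%s has lb_method = pf_ring but no interface" % w)
    return findings

# Constructed sample files, not taken from a real deployment.
NODE_CFG = ("[worker-1]\ntype = worker\nhost = localhost\n"
            "interface = eth0\nlb_method = pf_ring\nlb_procs = 4\n")
BAD_CONF = "LogRotationInterval = 3600\n# PFRINGClusterID = 21\n"
GOOD_CONF = "PFRINGClusterID = 21\nPFRINGClusterType = 6-tuple\n"

if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(name, check_pfring(conf, NODE_CFG) or "ok")
```

Running it against real files means reading broctl.conf and node.cfg from the install prefix and passing their text to check_pfring().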