[Bro] Triplicate Entries in CONN Log

Philip Romero promero at cenic.org
Tue Jan 2 13:42:00 PST 2018


Justin,

Thanks for the quick response. Our Systems team assures me the pf_ring
is compiled correctly and provided the below output. We have some ACLs
in place that make it difficult to load the bro-doctor pkg you mention
easily, but will work towards getting that tool in place. In the
meantime, is there anything about the below output that looks out of
place or missing? We'll also be setting the pfringclusterid in the
broctl.cfg to see if that fixes the issue.

# ldd /usr/local/bin/bro | grep pcap
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007f5473516000)
# strings /usr/local/lib/libpcap.so.1 | grep pfring | tail -n3
pfring_mod_open
pfring_mod_get_bound_device_address
pfring_hw_ft_remove_hw_rule

Philip