[Bro-Dev] PF_RING cluster ID

William Jones jones at tacc.utexas.edu
Wed Aug 31 12:24:48 PDT 2011


You can divide the work up by using a pcap filter and specifying a different aux script for each worker node.  I have set up one node to monitor a tagged 10 GigE VLAN that I use to peer with I2, NLR and the internet using a TAP.   Each worker monitors 1/8 the traffic on the I2, NLR and Internet connections. 

The second node monitors traffic from a mirrored 10 GigE interface.  Each worker monitors 1/4 the traffic.

I haven't seen any drops out of bro.


I use the following filters:

q1of8.bro:
    redef restrict_filters += { ["q1"] = "(ip[12:4] + ip[16:4]) & 7 == 1" };

q2of8.bro:
    redef restrict_filters += { ["q1"] = "(ip[12:4] + ip[16:4]) & 7 == 2" };
..
q8of8.bro:
    redef restrict_filters += { ["q1"] = "(ip[12:4] + ip[16:4]) & 7 == 7" };

Here is the node file:

#
# Node configuration
#

[manager]
type=manager
host=homey.tacc.utexas.edu

[proxy-1]
type=proxy
host=homey.tacc.utexas.edu

[worker-1]
type=worker
host=mojo1.tacc.utexas.edu
interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
aux_scripts=q0of8


[worker-2]
type=worker
host=mojo1.tacc.utexas.edu
interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
aux_scripts=q1of8


[worker-3]
type=worker
host=mojo1.tacc.utexas.edu
interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
aux_scripts=q2of8


[worker-4]
type=worker
host=mojo1.tacc.utexas.edu
interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
aux_scripts=q3of8

[worker-5]
type=worker
host=mojo1.tacc.utexas.edu
interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
aux_scripts=q4of8

[worker-6]
type=worker
host=mojo1.tacc.utexas.edu
interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
aux_scripts=q5of8

[worker-7]
type=worker
host=mojo1.tacc.utexas.edu
interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
aux_scripts=q6of8

[worker-8]
type=worker
host=mojo1.tacc.utexas.edu
interface=eth1.600 -i eth0.600 -i eth1.521 -i eth0.521 -i eth1.3021 -i eth0.3021  -C
aux_scripts=q7of8

[worker-9]
type=worker
host=homey1.tacc.utexas.edu
interface=eth3.2  -C
aux_scripts=q1

[worker-10]
type=worker
host=homey1.tacc.utexas.edu
interface=eth3.2  -C
aux_scripts=q2

[worker-11]
type=worker
host=homey1.tacc.utexas.edu
interface=eth3.2  -C
aux_scripts=q3

[worker-12]
type=worker
host=homey1.tacc.utexas.edu
interface=eth3.2  -C
aux_scripts=q0
-----Original Message-----
From: bro-dev-bounces at bro-ids.org [mailto:bro-dev-bounces at bro-ids.org] On Behalf Of Seth Hall
Sent: Wednesday, August 31, 2011 11:28 AM
To: Martin Holste
Cc: bro-dev
Subject: Re: [Bro-Dev] PF_RING cluster ID


On Aug 31, 2011, at 12:14 PM, Martin Holste wrote:

> PF_RING's greatest feature is the ability to do per-flow clustering so
> that many sniffers can run in parallel on their own CPU and each
> receive a portion of the traffic which has been load-balanced.  Snort
> and Suricata both support this, and we've come to rely on it as we
> don't have access to hardware load balancing.  Is there a way to do
> this in Bro?

Use the cluster deployment in BroControl and assign each of the virtual interfaces to a separate worker node.  Since you're running the git master though, keep in mind that the broctl master that is currently checked out has some problems.  I'll work on merging in our fixed branch today and I'll reply again once it's updated.

  .Seth


--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/


_______________________________________________
bro-dev mailing list
bro-dev at bro-ids.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
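The filters in William's reply split traffic by the low bits of the sum of the IPv4 source and destination addresses. The following Python script is an added example, not code from the post or from Bro: it emulates what the BPF expression `(ip[12:4] + ip[16:4]) & 7` computes for a packet (32-bit wrapping addition, then masking), renders the filter string for each bucket, and checks that both directions of a flow land on the same worker. The helper names and the sample addresses (documentation ranges) are constructed for the example.

```python
"""Emulate the pcap split (ip[12:4] + ip[16:4]) & 7 used per worker.

Added example, not from the mailing-list thread.  ip[12:4] and ip[16:4]
are the IPv4 source and destination addresses read as 32-bit integers.
BPF arithmetic wraps at 32 bits, so the sum is masked before the '& 7'.
"""
import ipaddress
from collections import Counter

MASK32 = 0xFFFFFFFF


def _check_power_of_two(n_workers: int) -> None:
    # '& (n-1)' only equals 'mod n' when n is a power of two,
    # which is why the original scheme uses 8 (and 4) workers.
    if n_workers <= 0 or n_workers & (n_workers - 1):
        raise ValueError("n_workers must be a power of two")


def worker_bucket(src: str, dst: str, n_workers: int = 8) -> int:
    """Return the bucket (0 .. n_workers-1) a packet between src and dst falls into."""
    _check_power_of_two(n_workers)
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    return ((s + d) & MASK32) & (n_workers - 1)


def bpf_filter(bucket: int, n_workers: int = 8) -> str:
    """Render the filter string a qNofM.bro restrict_filters entry would carry."""
    _check_power_of_two(n_workers)
    if not 0 <= bucket < n_workers:
        raise ValueError("bucket out of range")
    return f"(ip[12:4] + ip[16:4]) & {n_workers - 1} == {bucket}"


def bucket_distribution(flows, n_workers: int = 8) -> Counter:
    """Count flows per bucket, verifying the split is symmetric per flow.

    Addition is commutative, so a request and its reply always hash to
    the same worker; that is what keeps connection state on one node.
    """
    counts = Counter()
    for src, dst in flows:
        fwd = worker_bucket(src, dst, n_workers)
        rev = worker_bucket(dst, src, n_workers)
        if fwd != rev:
            raise AssertionError(f"asymmetric split for {src} <-> {dst}")
        counts[fwd] += 1
    return counts


# Constructed sample flows (RFC 5737 documentation ranges, not real traffic).
SAMPLE_FLOWS = [
    ("192.0.2.1", "198.51.100.7"),
    ("203.0.113.9", "192.0.2.200"),
    ("198.51.100.250", "203.0.113.3"),
    ("192.0.2.77", "198.51.100.77"),
    ("255.255.255.254", "0.0.0.3"),  # sum exceeds 32 bits; BPF wraps it
]

if __name__ == "__main__":
    for b in range(8):
        print(f"bucket {b}: {bpf_filter(b)}")
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} <-> {dst} -> worker bucket {worker_bucket(src, dst)}")
    print(dict(bucket_distribution(SAMPLE_FLOWS)))
```

Two points worth checking before relying on such a split: because only the low bits of the sum matter, the bucket is effectively decided by the last octets of the two addresses, so a small set of busy hosts can still land on one worker; and the `ip` keyword matches IPv4 only, so IPv6 and non-IP frames are seen by none of the eight filters unless another worker covers them.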
