[Bro] Alerting question on multi-homed bro box
Vern Paxson
vern at icir.org
Fri Apr 27 21:16:16 PDT 2007
To make sure I understand the scenario correctly: you have a single Bro
that has NICs to passively monitor both sides of your firewall, *and* the
firewall does NAT, so in fact across the two NICS Bro sees two distinct
connections rather than redundant packets for the same connections - is
that right?
If so, then I'm puzzled by the problem you're seeing. The first step
in debugging it would be to capture traces using both NICs (say using
two instances of tcpdump, one reading each NIC) and then
bro -r trace1 -r trace2
to process them together and see whether the same behavior manifests.
If it does, the next thing would be to merge the traces (easiest
with ipsumdump --collate) and see whether the behavior still manifests
from the single trace.
Vern
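The merge step Vern describes (ipsumdump --collate interleaving the two per-NIC captures by timestamp) as an added example that is not part of the original post or of the Bro/ipsumdump code: a minimal pcap reader/writer and a collating merge over two constructed sample captures. It assumes classic little-endian pcap files and uses placeholder payloads in place of real Ethernet frames.

```python
import struct

# Classic little-endian pcap: magic, v2.4, tz offset 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def read_pcap(data: bytes):
    """Return [(sec, usec, packet_bytes), ...] in file order (little-endian pcap only)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off, pkts = 24, []
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        pkts.append((sec, usec, data[off:off + incl_len]))
        off += incl_len
    return pkts


def write_pcap(pkts) -> bytes:
    """Serialize [(sec, usec, packet_bytes), ...] as a classic pcap byte string."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for sec, usec, pkt in pkts:
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return bytes(out)


def collate(*traces: bytes) -> bytes:
    """Merge several captures into one trace ordered by capture timestamp.

    Python's sort is stable, so packets with identical timestamps keep the
    order of the input traces, which is what a collating merge should do.
    """
    merged = [p for t in traces for p in read_pcap(t)]
    merged.sort(key=lambda p: (p[0], p[1]))
    return write_pcap(merged)


def timeline(trace: bytes):
    """(sec, usec, payload) tuples of a trace, for inspecting the merge result."""
    return [(s, u, p.decode()) for s, u, p in read_pcap(trace)]


# Constructed sample captures, one per NIC, with placeholder payloads standing in
# for real frames. Inside and outside packets interleave in time.
TRACE_INSIDE = write_pcap([(1, 0, b"in-1"), (1, 300, b"in-2")])
TRACE_OUTSIDE = write_pcap([(1, 100, b"out-1"), (1, 200, b"out-2")])

if __name__ == "__main__":
    for entry in timeline(collate(TRACE_INSIDE, TRACE_OUTSIDE)):
        print(entry)
```

The merge only makes sense if both NICs are timestamped by the same clock on the same host, as in the single-box setup above; captures from different hosts would need clock alignment first.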