[Bro] Just installed bro cluster

William L. Jones jones at tacc.utexas.edu
Fri Jun 19 12:05:33 PDT 2009


Thanks, your node configuration suggestion did work. I am not sure what my earlier problem was, probably just a typo.

Bill Jones



-----Original Message-----
From: Seth Hall [mailto:hall.692 at osu.edu] 
Sent: Friday, June 19, 2009 1:17 PM
To: William L. Jones
Cc: Bro List
Subject: Re: [Bro] Just installed bro cluster


On Jun 19, 2009, at 1:50 PM, William L. Jones wrote:

> * The interface definition needs to allow multiple interfaces to be
> specified. In my case the output of a tap is fed into a dual port 10 GigE
> card so I have to have bro read from two network interfaces. Right
> now you can work around the problem by just adding -I <second
> interface> on the node interface configuration line but I think it
> deserves a more formal solution.

I've thought about asking Robin to add this feature too, but it's
probably better to bind your interfaces together at a lower level.
The easy way of doing it is to create a bridge and bind all of the
interfaces you want to sniff attached to the bridge.  Then you only
need to define a single interface in your Bro configuration.  You
could also do it with the netgraph subsystem in FreeBSD too, but that's a
bit more complicated.

> * One of my 10 GigE circuits has 3 vlans on it which show up as 6
> interfaces.  With the non cluster version of bro I just ran with 3
> different configuration files and kept logs and reports in three
> separate directories. One important side effect was that it allowed
> 3 separate instances of bro so that the system could spread the load
> across multiple cpus instead of one. With bro cluster I could not
> run 3 bro workers on one machine due to the way the workers and server
> talk to each other.  I think it would be an important enhancement
> to bro cluster to allow multiple bro worker instances on the same
> machine.

That already works.  In your node.cfg file, you just need to define  
multiple workers and give them the same host option, but give them  
each their own interface to sniff.  I'm using this on my cluster now  
to help make better use of the available cores until the multi-core  
work is functional.

   .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
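As an added example (not part of the thread and not from the Bro project), a constructed node.cfg along the lines Seth describes: two workers sharing the same host option but each with its own interface, plus a worker on another host that reads a single bridge interface to which both physical ports were added. All host names and interface names are assumptions.

```ini
# Constructed node.cfg for a Bro cluster (added example, not from the thread).
# Host names and interface names are assumed; adjust to your own setup.

[manager]
type=manager
host=manager.example.org

[proxy-1]
type=proxy
host=manager.example.org

# Two workers on the same sensor host, each sniffing one port of the
# dual-port 10 GigE card: same host option, different interface option.
[worker-1]
type=worker
host=sensor1.example.org
interface=ix0

[worker-2]
type=worker
host=sensor1.example.org
interface=ix1

# Alternative on another sensor: both physical ports were added to a
# bridge at the OS level, so a single interface is named here.
[worker-3]
type=worker
host=sensor2.example.org
interface=bridge0
```

Each worker section with the same host runs as its own Bro process on that machine, which is what spreads the load across cores.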