[Bro] Just installed bro cluster

Seth Hall hall.692 at osu.edu
Fri Jun 19 12:36:00 PDT 2009


Interesting.  If you can make it break reliably, please file a ticket  
at http://tracker.icir.org/bro

Thanks!
   .Seth


On Jun 19, 2009, at 3:18 PM, William L. Jones wrote:

> Found my earlier problem.  If I name the workers
> "work1,work2,..,worknn" the node configuration works.  If I name the
> workers "I2,NLR and internet" I run into my communication problem.
>
> Bill Jones
>
> -----Original Message-----
> From: Seth Hall [mailto:hall.692 at osu.edu]
> Sent: Friday, June 19, 2009 1:17 PM
> To: William L. Jones
> Cc: Bro List
> Subject: Re: [Bro] Just installed bro cluster
>
>
> On Jun 19, 2009, at 1:50 PM, William L. Jones wrote:
>
>> * The interface definition needs to allow multiple interfaces to be
>> specified. In my case the output of a tap is fed into a dual port 10 GigE
>> card so I have to have bro read from two network interfaces. Right
>> now you can work around the problem by just adding -I <second
>> interface> on the node interface configuration line but I think it
>> deserves a more formal solution.
>
> I've thought about asking Robin to add this feature too, but it's
> probably better to bind your interfaces together at a lower level.
> The easy way of doing it is to create a bridge and bind all of the
> interfaces you want to sniff attached to the bridge.  Then you only
> need to define a single interface in your Bro configuration.  You
> could also do it with the netgraph subsystem on FreeBSD too, but that's a
> bit more complicated.
>
>> * One of my 10 GigE circuits has 3 vlans on it which show up as 6
>> interfaces.  With the non-cluster version of bro I just ran with 3
>> different configuration files and kept logs and reports in three
>> separate directories. One important side effect was that it allowed
>> 3 separate instances of bro so that the system could spread the load
>> across multiple cpus instead of one. With bro cluster I could not
>> run 3 bro workers on one machine due to the way the workers and server
>> talk to each other.  I think it would be an important enhancement
>> to bro cluster to allow multiple bro worker instances on the same
>> machine.
>
> That already works.  In your node.cfg file, you just need to define
> multiple workers and give them the same host option, but give them
> each their own interface to sniff.  I'm using this on my cluster now
> to help make better use of the available cores until the multi-core
> work is functional.
>
>   .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721
>
>

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
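
The layout Seth describes in the quoted reply (several workers with the same host option, each with its own interface), shown as an added example that is not code from this thread or from the Bro project: a small check that reads a node.cfg and reports workers on one host that were given the same interface, or no interface at all. It assumes the INI-style node.cfg layout with type, host and interface keys; the addresses, section names and interface names are constructed.

```python
import configparser
from collections import defaultdict

# Constructed sample: three workers share one host, one per VLAN interface,
# except that worker-3 was mistakenly given worker-2's interface.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=10.0.0.1

[proxy-1]
type=proxy
host=10.0.0.1

[worker-1]
type=worker
host=10.0.0.2
interface=vlan10

[worker-2]
type=worker
host=10.0.0.2
interface=vlan20

[worker-3]
type=worker
host=10.0.0.2
interface=vlan20
"""

def check_workers(cfg_text):
    """Return a list of problems found in the worker definitions."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    problems = []
    seen = defaultdict(list)  # (host, interface) -> worker section names
    for name in cfg.sections():
        node = cfg[name]
        if node.get("type") != "worker":
            continue  # manager and proxy nodes do not sniff an interface
        host, iface = node.get("host"), node.get("interface")
        if not host or not iface:
            problems.append(f"{name}: worker needs both host and interface")
            continue
        seen[(host, iface)].append(name)
    # Two workers on the same host and interface would analyze the same traffic.
    for (host, iface), names in sorted(seen.items()):
        if len(names) > 1:
            problems.append(f"{host}/{iface}: shared by {', '.join(names)}")
    return problems

if __name__ == "__main__":
    print(check_workers(SAMPLE_NODE_CFG))
```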
