[Bro] A few questions

Powell, Scott powellsm at musc.edu
Tue Feb 2 07:56:38 PST 2010


Justin,

Thanks for the reply. After some further investigation the issue appears to be CPU related. My bro process on worker-1 (which has my external Internet TAP connected to eth1) was using 100% of a CPU core. I turned off http-request and http-reply analysis and I'm now seeing CPU percentage between 60% and 90% with upwards of a 90% packet received rate.

My concern is these machines have 2 x AMD Opteron Quad Core 2.1 GHz processors and yet Bro cannot keep up with the out of the box policy configuration. Also, it seems all of my analysis is being done on one core of the worker with the TAP. Why isn't the analysis being spread across the other workers? They seem to be sitting idle.

Thanks for the other tuning suggestions. I have implemented those as well.

-Scott

-----Original Message-----
From: Justin Azoff [mailto:JAzoff at uamail.albany.edu] 
Sent: Tuesday, February 02, 2010 8:44 AM
To: Powell, Scott
Cc: bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] A few questions

On Mon, Feb 01, 2010 at 02:53:05PM -0500, Powell, Scott wrote:
> Good afternoon. I am still relatively new to Bro and working on building a
> cluster here at MUSC. In the process of setting up and configuring the IDS I
> have run into some issues and would like to ask the list a few questions.
> 
> 
> 1)      Is Linux even a reliable platform to think about using for Bro? Based
> on my experience the logs seem to be missing traffic. I have been making
> connections in and out of our network that pass through our network TAP and
> Bro does not always log them. Upon further investigation it appears that
> packets are being dropped (based on broctl netstats worker-1). I attempted to
> use pf_ring and compile Bro with libpcap-1.0.0-ring. This seemed to help some
> but not a lot.

Try the following in /etc/sysctl.conf

net.core.rmem_max = 33554432
net.core.netdev_max_backlog = 10000
net.core.rmem_default = 33554432

What output do you get from capstats?

How much CPU is your bro process using?  As long as it isn't maxing out a cpu
core, it shouldn't be dropping packets.  If it is maxing out the cpu, then the
problem isn't with capturing, it is with doing too much analysis.  If you have
an ethernet card that uses the igb driver you can try the pf_ring tn_api stuff:

http://www.ntop.org/TNAPI.html

you can use it to run a single node bro cluster with each worker capturing from
eth0@0,eth0@1,eth0@2,eth0@3

> 2)      In regards to question #1, am I interpreting the output of broctl
> netstats correctly? Specifically if my dropped number is higher than my recvd
> number then that means Bro is processing < 50% of my network traffic?

What version of bro are you running?  in 1.4.x the pcap stats for dropped
packets were recorded incorrectly on linux.  I see some amount of dropped
packets, but usually less than 1 percent.

> 3)      In the "diag" output I see that the workers are reporting "pcap
> bufsize = 8192". Is this tunable on Linux? Are there any other suggestions
> for Linux tuning to decrease the amount of dropped packets?
> 
> 
> 
> 4)      Is anyone else running a reliable, stable Bro cluster on Linux?

I've been running bro on linux for years now...

> We are using RedHat Enterprise Linux 5.4, 64-bit.

Debian 64bit :-)

-- 
-- Justin Azoff
-- Security & Network Performance Analyst
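As an added example, not code from the thread or from the Bro project: a small bash script that checks the three sysctl values Justin lists and separates kernel-side backlog drops (packets the kernel discarded before any capture saw them, visible in /proc/net/softnet_stat) from Bro's own drop counter as reported by broctl netstats, which is the distinction his reply draws between a capture problem and an analysis problem. The `recvd=`/`dropped=`/`link=` line format is assumed from the wording of the thread, and the softnet_stat counters and netstats lines in the demo are constructed, not real measurements.

```bash
#!/bin/bash
# Added example (not from the thread): verify the capture-side tunables from
# the reply and tell kernel backlog drops apart from Bro's own drop counter.

# Values suggested in the thread for /etc/sysctl.conf.
WANT_RMEM_MAX=33554432
WANT_RMEM_DEFAULT=33554432
WANT_BACKLOG=10000

# sysctl_ok NAME WANT: report the running kernel value; return 0 only if it is
# at least WANT. `sysctl -n` prints the bare value.
sysctl_ok() {
    local cur
    cur=$(sysctl -n "$1" 2>/dev/null) || { echo "$1: not available"; return 1; }
    if [ "$cur" -ge "$2" ]; then
        echo "$1 = $cur (ok)"
        return 0
    fi
    echo "$1 = $cur (want >= $2; add '$1 = $2' to /etc/sysctl.conf, then sysctl -p)"
    return 1
}

# backlog_drops FILE: sum the per-CPU 'dropped' counter of a softnet_stat
# file (one line per CPU, hex columns; the second column is packets dropped
# because net.core.netdev_max_backlog was full). Non-zero means the kernel
# lost packets before libpcap/pf_ring ever saw them.
backlog_drops() {
    local total=0 processed dropped rest
    while read -r processed dropped rest; do
        [ -n "$dropped" ] || continue
        total=$(( total + 0x$dropped ))
    done < "$1"
    echo "$total"
}

# drop_pct LINE: from a broctl netstats line of the assumed form
#   "worker-1: 1265129843.8 recvd=9000 dropped=1000 link=10000"
# print the integer percentage of packets Bro did not process,
# dropped / (recvd + dropped). dropped > recvd therefore means < 50% processed.
drop_pct() {
    local recvd dropped total
    recvd=$(printf '%s\n' "$1" | sed -n 's/.*recvd=\([0-9]*\).*/\1/p')
    dropped=$(printf '%s\n' "$1" | sed -n 's/.*dropped=\([0-9]*\).*/\1/p')
    [ -n "$recvd" ] && [ -n "$dropped" ] || { echo "unparseable"; return 1; }
    total=$(( recvd + dropped ))
    [ "$total" -gt 0 ] || { echo 0; return 0; }
    echo $(( dropped * 100 / total ))
}

# Stand-alone demo on constructed data (these counters are made up).
demo() {
    local sample
    sample=$(mktemp)
    # Two CPUs; dropped column is 0x10 and 0x0a, i.e. 26 backlog drops in total.
    printf '00012345 00000010 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n' > "$sample"
    printf '0000abcd 0000000a 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n' >> "$sample"
    echo "constructed softnet_stat: $(backlog_drops "$sample") kernel backlog drops"
    rm -f "$sample"
    echo "constructed netstats: $(drop_pct 'worker-1: 1265129843.8 recvd=4000 dropped=6000 link=10000')% dropped by Bro"
    # Only check the live kernel when sysctl exists; a failing check is reported, not fatal.
    if command -v sysctl >/dev/null 2>&1; then
        sysctl_ok net.core.rmem_max "$WANT_RMEM_MAX" || true
        sysctl_ok net.core.rmem_default "$WANT_RMEM_DEFAULT" || true
        sysctl_ok net.core.netdev_max_backlog "$WANT_BACKLOG" || true
    fi
    # On a real worker, run: backlog_drops /proc/net/softnet_stat
}
demo
```

Run it as root on the worker: if `backlog_drops /proc/net/softnet_stat` keeps climbing while Bro's CPU is below 100%, the capture path (backlog, socket buffer, NIC) is the problem; if it stays flat while the netstats drop percentage grows and Bro is pegged on one core, the analysis load is the problem, which is the case Scott describes.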
