[Bro] Multiple Capture Interfaces

Alan J. Meeks alan.meeks at angelo.edu
Thu Jun 10 13:50:53 PDT 2010 

Sam,

Here is my node.cfg below:

# $Id: node.cfg.standalone.in 6811 2009-07-06 20:41:10Z robin $
#
# Node configuration for a non-cluster, single-instance setup.
#

[bro]
type=standalone
host=localhost
interface=eth0

-----Original Message-----
From: Sam Oehlert [mailto:soehlert at ncsa.uiuc.edu] 
Sent: Thursday, June 10, 2010 3:49 PM
To: Alan J. Meeks
Subject: Re: [Bro] Multiple Capture Interfaces

I see, I didn't think you installed broctl. I wonder if that is why the command hangs. What does your node.cfg look like?

Sam

----- Original Message -----
From: "Alan J. Meeks" <alan.meeks at angelo.edu>
To: "Sam Oehlert" <soehlert at ncsa.uiuc.edu>
Sent: Thursday, June 10, 2010 3:46:54 PM
Subject: RE: [Bro] Multiple Capture Interfaces

Well, you see that's interesting. I've been starting Bro through
./broctl. When I try to run Bro -i eth0 -i eth1 and so on, the command
hangs and bro does not start.

-----Original Message-----
From: Sam Oehlert [mailto:soehlert at ncsa.uiuc.edu]
Sent: Thursday, June 10, 2010 3:38 PM
To: Alan J. Meeks
Subject: Re: [Bro] Multiple Capture Interfaces

I'm sure there is a better way to do this long term, but if you use the
i flag when calling bro, you can use multiple interfaces. Look at the i
flag here: http://www.bro-ids.org/Bro-reference-manual/Flags.html

Sam

----- Original Message -----
From: "Alan J. Meeks" <alan.meeks at angelo.edu>
To: "Sam Oehlert" <soehlert at ncsa.uiuc.edu>
Sent: Thursday, June 10, 2010 3:32:30 PM
Subject: RE: [Bro] Multiple Capture Interfaces

The server has 4 ethernet interfaces in it that I have configured 3
connected to taps and one to a regular switchport/local subnet. My Bro
installation can currently only capture from one at a time, whichever
one I have specified in /user/local/bro/etc/node.cfg in the interface
entry.

I am hoping to be able to specify more than one capture interface at a
time.


-----Original Message-----
From: Sam Oehlert [mailto:soehlert at ncsa.uiuc.edu]
Sent: Thursday, June 10, 2010 3:30 PM
To: Alan J. Meeks
Subject: Re: [Bro] Multiple Capture Interfaces

I'm sorry, I am not understanding which four interfaces you are talking
about.

----- Original Message -----
From: "Alan J. Meeks" <alan.meeks at angelo.edu>
To: "Sam Oehlert" <soehlert at ncsa.uiuc.edu>
Sent: Thursday, June 10, 2010 3:27:32 PM
Subject: RE: [Bro] Multiple Capture Interfaces

Just trying to get the 4 interfaces recognized as capture interfaces.

-----Original Message-----
From: Sam Oehlert [mailto:soehlert at ncsa.uiuc.edu]
Sent: Thursday, June 10, 2010 3:27 PM
To: Alan J. Meeks
Subject: Re: [Bro] Multiple Capture Interfaces

Alan,

That does answer the question I had. I just realized I may have misread
your email, however. Are you attempting to use a cluster setup, or are
you just wanting to use multiple NICs or what? Also, CentOS 5.5 is what
I used for this too, so I have some experience getting it up and running
on there.

Sam

----- Original Message -----
From: "Alan J. Meeks" <alan.meeks at angelo.edu>
To: "Sam Oehlert" <soehlert at ncsa.uiuc.edu>
Cc: bro at ICSI.Berkeley.EDU
Sent: Thursday, June 10, 2010 3:24:28 PM
Subject: RE: [Bro] Multiple Capture Interfaces

Sam,

I believe I installed in a non-clustered or standalone mode. Ran the
./configure, make and make install after ensuring I got all the prereqs
on the server.

I also forgot to mention I was not in the position where I could pick
and choose my hardware and could not get BSD installed. I had to fall
back to CentOS 5.5.

Not sure if that answers your question.




-----Original Message-----
From: Sam Oehlert [mailto:soehlert at ncsa.uiuc.edu]
Sent: Thursday, June 10, 2010 3:20 PM
To: Alan J. Meeks
Cc: bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] Multiple Capture Interfaces

What installation steps did you follow? I had problems getting a cluster
up and running because I was installing it incorrectly at first.

Sam

----- Original Message -----
From: "Alan J. Meeks" <alan.meeks at angelo.edu>
To: "bro at ICSI.Berkeley.EDU" <bro at ICSI.Berkeley.EDU>
Sent: Thursday, June 10, 2010 3:17:12 PM
Subject: [Bro] Multiple Capture Interfaces

I am a new user of Bro. I’ve installed ver 1.5.1 and I can run just fine
with a single interface (whichever one is specified in node.cfg) but I
can’t seem to get other capture interfaces running. I am set up with 4
ethernet interfaces, three of which are taps to different locations
within my network and one to the local subnet where the server is
located.



What additional information can I provide that might help identify the
issue?





Alan Meeks

Information Security Analyst

Angelo State University

www.angelo.edu

325-942-2333 phone

325-942-2109 fax


_______________________________________________ Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list