[Bro] multiple workers per cluster node

William Jones jones at tacc.utexas.edu
Fri Mar 4 15:52:23 PST 2011


Instead of 

For each worker I have this:
[nids-21a]
type=worker
host=10.142.148.21
interface=eth4

[nids-21b]
type=worker
host=10.142.148.21
interface=eth5

Try:

For each worker I have this:
[nids-21]
type=worker
host=10.142.148.21
interface=eth4 -Ieth5

If you node had motile nodes you can write a pcap filter to split the ip space into multiples of 2,4 or 8 and run 2, 4, or 8 instance on the node.

This set up allow one bro instance to see by sides of the same flow and will allow you to take advanced of all the cpu on a node. 

Bill Jones




-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Dop
Sent: Friday, March 04, 2011 4:30 PM
To: bro at bro-ids.org
Subject: [Bro] multiple workers per cluster node

Hopefully quick question.  How would you go about configuring Bro cluster
nodes to each run dual clients (one per input interface)?

Ie, all of my systems have input sources on eth4 and eth5.  Instead of
bonding those together and running a single Bro thread on bond0, I'd
rather have two.  Something is getting super confused when I try to do it:

For each worker I have this:
[nids-21a]
type=worker
host=10.142.148.21
interface=eth4

[nids-21b]
type=worker
host=10.142.148.21
interface=eth5


[BroControl] > start
starting manager ...
starting proxy-1 ...
starting nids-21a ...
starting nids-21b ...
starting nids-22a ...
starting nids-22b ...
starting nids-23a ...
starting nids-23b ...
starting nids-24a ...
starting nids-24b ...
(nids-22a still initializing)
(nids-21b still initializing)
(nids-23b still initializing)
(nids-21a still initializing)


What's strange is that it seems to fail unevenly.  Fails totally on 21,
partially on 22 and 23, but works on 24.  It's always the same nodes
failing.

Thanks,
-Dop



_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro




More information about the Bro mailing list