From: djteller at gmail.com (Tomer Teller)
Date: Tue, 1 Nov 2011 10:26:20 +0200
Subject: [Bro] Bro performance issues

I installed Bro 2.0-beta on my machine.
I have to say that it was quick, easy and without any problems :)

I removed libpcap0.8 before the installation, installed PF_RING along with
libpcap-1.1.1-ring which Bro is now using.

    libpcap.so.1 => /usr/local/lib/libpcap.so.1
    libpfring.so => /usr/local/lib/libpfring.so

I configured the node.cfg and added:
1 manager
1 proxy
2 workers - sniffing the same interface
* All the nodes are on the same localhost

I'm replaying a big pcap file with 680000 packets and expecting to see some
load-balancing between the 2 nodes (that are running on different cores).
I am using the 'netstats' command in broctl and expecting to see that half
(or at least some) of the traffic goes to worker-1 and the rest to worker-2
(i.e. the sum of both workers' received packets = ~680000).

I see that worker-1 took everything.

    worker-1: 1320163523.794836 recvd=638311 dropped=31948 link=670259

And I'm assuming that worker-2 also got everything (duplicate).

How do I load-balance between the two workers on the same machine?

Also I noticed minor bugs:

    [BroControl] > netstats
       worker-3:
    [BroControl] > scripts
    proxy-1 is ok.
       cat: loaded_scripts*: No such file or directory
    worker-1 is ok.
       cat: loaded_scripts*: No such file or directory
    worker-3 is ok.
       cat: loaded_scripts*: No such file or directory

On Mon, Oct 31, 2011 at 7:33 PM, Seth Hall wrote:
>
> On Oct 31, 2011, at 1:08 PM, Tomer Teller wrote:
>
> > Do you mean PF_RING with front-end solution such as click router?
> > Is it possible to run everything on a single machine?
>
> Martin is referring to clustering in PF_RING. It will split your traffic
> into bidirectional flows within your kernel and it is easy to configure with
> Bro 2.0-beta (I wouldn't try it with 1.5, it would be a bit of a mess). If
> you're running with broctl it will mostly just work with PF_RING out of the
> box including clustering, you just need to make sure you're building
> against the correct libpcap using PF_RING's libpcap wrapper and then all of
> your workers you configure in broctl's node.cfg file should sniff the same
> interface.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/

From: gregor at icir.org (Gregor Maier)
Date: Tue, 01 Nov 2011 05:57:39 -0700
Subject: [Bro] Bro performance issues
Message-ID: <4EAFECC3.9020303@icir.org>

In terms of performance please note that using the new_packet() event
generates a lot of overhead, so the performance you see is going to be
significantly worse than in "normal" operation.

cu
gregor

On 10/30/11 2:46 , Tomer Teller wrote:
> Hey all,
>
> I am testing Bro's performance using tcpreplay for some project of mine.
>
> I am using a packet capture of 680000 packets using different rates to
> check for packet loss.
>
>     tcpreplay -i eth0 --mbps=X 680000.pcap   (where X = 1000, 500, 100, 10)
>
> I am registered on the new_packet event in order to count packets like so:
>
>     global ctr = 0;
>     event new_packet(c: connection, p: pkt_hdr)
>         {
>         ctr = ctr + 1;
>         ...
>         }
>
> I write to log every time ctr % 100,000 = 0 to avoid unnecessary I/O to
> disk.
>
> On the sender side I see that all packets were transmitted successfully, as
> well as on the receiver side (using tcpdump), i.e.
> it is not a libpcap issue.
>
> Bro, on the other hand, doesn't see all 680000; it sees around 540,000.
>
> I also used smaller packet captures (10/30/100 packets); again, Bro does
> not see all packets.
> Note! Packet captures are valid (checksum) HTTP connections that I
> recorded for testing.
>
> I tried removing some analyzers using broctl as well as modifying local.bro.
> Also followed the Bro performance tuning.
>
> Nothing helps, Bro does not see all the packets.
>
> Any ideas what the problem is?
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From: mcholste at gmail.com (Martin Holste)
Date: Tue, 1 Nov 2011 09:02:06 -0500
Subject: [Bro] Bro performance issues

Looks like only one worker is even alive. There should be no tweaking
necessary to get the load-balancing to occur, so there's a fundamental
problem if it's not happening. It sounds like you've already got the
installation done, but I have a quick howto here:
ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html.
I would suggest trying a clean install to a different directory and copying
the config files over if you continue to have issues.

On Tue, Nov 1, 2011 at 3:26 AM, Tomer Teller wrote:
> [...]
> I see that worker-1 took everything.
> worker-1: 1320163523.794836 recvd=638311 dropped=31948 link=670259
> And I'm assuming that worker-2 also got everything (duplicate).
> How do I load-balance between the two workers on the same machine?
> Also I noticed minor bugs:
> [BroControl] > netstats
>    worker-3:
> [...]

From: seth at icir.org (Seth Hall)
Date: Tue, 1 Nov 2011 10:05:58 -0400
Subject: [Bro] Bro performance issues
Message-ID: <2FD2D969-98AD-4657-A0FE-C24C9EB3626E@icir.org>

On Nov 1, 2011, at 8:57 AM, Gregor Maier wrote:

> In terms of performance please note that using the new_packet() event
> generates a lot of overhead so the performance you see is
> going to be significantly worse than in "normal" operation.

Oh, good point. I should add something to the warnings file that prints out
if you are handling that event to make sure people understand how badly it
can impact performance.

  .Seth

From: seth at icir.org (Seth Hall)
Date: Tue, 1 Nov 2011 10:08:52 -0400
Subject: [Bro] Bro performance issues
Message-ID: <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org>

On Nov 1, 2011, at 4:26 AM, Tomer Teller wrote:

> I configured the node.cfg and added:
> 1 manager
> 1 proxy
> 2 workers - sniffing the same interface

Could you send the content of your node.cfg file? I noticed in your
broctl session you sent, there was a reference to worker-3 which isn't
represented in your description.
Thanks,
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From: djteller at gmail.com (Tomer Teller)
Date: Wed, 2 Nov 2011 17:45:38 +0200
Subject: [Bro] Bro performance issues

This is my node.cfg config file:

    [manager]
    type=manager
    host=localhost

    [proxy-1]
    type=proxy
    host=localhost

    [worker-1]
    type=worker
    host=localhost
    interface=em0

    [worker-2]
    type=worker
    host=localhost
    interface=em0

I am running on Bro 2.0 Beta.

I am replaying a 680000-packet pcap file to the machine.

When running broctl's netstats, this is what I see:

    worker-1: 1320276618.514073 recvd=669576 dropped=0 link=669576
    worker-2: 1320276618.714115 recvd=669576 dropped=0 link=669576

I expect to see load-balancing between worker-1 and worker-2 but they are
getting the same traffic.

I decided to patch Bro in order to "support" that load-balancing.

I edited PktSrc::Process() (PktSrc.cc) and added my own code to distinguish
between processes (i.e. worker-1, worker-2).

Then looked at the data variable, extracted the IP src & dst and checked
for -> (ipSRC ^ ipDST) % 2 == 0

Worker-1 gets all the even results, worker-2 gets all the odd results.

Also had to play around with (++stats.received) to reflect the new changes.

This small patch dramatically improved my performance.

On Tue, Nov 1, 2011 at 4:08 PM, Seth Hall wrote:
>
> On Nov 1, 2011, at 4:26 AM, Tomer Teller wrote:
>
> > I configured the node.cfg and added:
> > 1 manager
> > 1 proxy
> > 2 workers - sniffing the same interface
>
> Could you send the content of your node.cfg file? I noticed in your
> broctl session you sent, there was a reference to worker-3 which isn't
> represented in your description.
>
> Thanks,
>   .Seth

From: rodrigue.alahassa at gmail.com (Rodrigue ALAHASSA)
Date: Wed, 2 Nov 2011 16:47:07 +0100
Subject: [Bro] (no subject)

Hi,

I just read an article
(http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.70.824&rep=rep1&type=pdf)
which compares the performance of Bro and Snort. The authors state in
section 5.6 that Bro does not have a Unicode decoder for HTTP URIs. Since
their work was based on Bro 0.9a9, I guess this is not applicable to the
current versions of Bro.

Can someone confirm or refute my point of view?

Thanks.

--
SLt COC ALAHASSA
161 POL Professeur Georges LEMAITRE
From: seth at icir.org (Seth Hall)
Date: Wed, 2 Nov 2011 11:48:24 -0400
Subject: [Bro] Bro performance issues

On Nov 2, 2011, at 11:45 AM, Tomer Teller wrote:

> When running broctl's netstats, this is what I see:
>
> worker-1: 1320276618.514073 recvd=669576 dropped=0 link=669576
> worker-2: 1320276618.714115 recvd=669576 dropped=0 link=669576
>
> I expect to see load-balancing between worker-1 and worker-2 but they are getting the same traffic.

Can you send the output of:

    broctl config | grep -i pfring

and:

    ldd /bin/bro

Thanks,
  .Seth

From: seth at icir.org (Seth Hall)
Date: Wed, 2 Nov 2011 11:57:41 -0400
Subject: [Bro] (no subject)
Message-ID: <30CB2422-EAC2-4D82-A1E1-9ECE79FA58AF@icir.org>

On Nov 2, 2011, at 11:47 AM, Rodrigue ALAHASSA wrote:

> I just read an article (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.70.824&rep=rep1&type=pdf) which compares the performance of Bro and Snort. The authors state in section 5.6 that Bro does not have a Unicode decoder for HTTP URIs. Since their work was based on Bro 0.9a9, I guess this is not applicable to the current versions of Bro.
>
> Can someone confirm or refute my point of view?

Bro does not consider Unicode in any way right now. Strings are only
considered to be strings of individual bytes, but low-order ASCII characters
will be printed as such. Does that answer your question?
I've been thinking about how to appropriately add Unicode support for quite
a while but I don't have a completely clear notion yet.

  .Seth

From: jones at tacc.utexas.edu (William Jones)
Date: Wed, 2 Nov 2011 19:41:29 +0000
Subject: [Bro] Bro performance issues

Try the following pcap filtering trick:

    [manager]
    type=manager
    host=localhost

    [proxy-1]
    type=proxy
    host=localhost

    [worker-1]
    type=worker
    host=localhost
    interface=em0
    aux_scripts=q1of2

    [worker-2]
    type=worker
    host=localhost
    aux_scripts=q2of2

Add the following scripts in share/bro/site

q1of2.bro:

    redef restrict_filters += { ["q0"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };

q2of2.bro:

    redef restrict_filters += { ["q0"] = "(ip[12:4] + ip[16:4]) & 1 == 1" };

This will split input between the two Bro workers.

~

From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Tomer Teller
Sent: Wednesday, November 02, 2011 10:46 AM
To: Seth Hall
Cc: bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues

[quoted copy of Tomer Teller's node.cfg message trimmed]
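The filter above keys on the parity of the sum of BPF's ip[12:4] and ip[16:4], the IPv4 source and destination address fields. The following added example (not code from the thread or from Bro) simulates that split in Python on constructed frames, next to Tomer Teller's in-source (ipSRC ^ ipDST) % 2 rule from earlier in the thread, and generalizes both to n workers; the sample addresses are constructed and worker indices are 0-based here.

```python
"""Simulate the per-worker packet split discussed in the thread.

Added example; not code from Bro or from the thread. It builds a constructed
Ethernet/IPv4 header, applies William Jones's BPF rule
    (ip[12:4] + ip[16:4]) & 1
and Tomer Teller's in-source rule
    (ipSRC ^ ipDST) % 2
and generalizes both from 2 to n workers. Worker numbering is 0-based here.
"""
import ipaddress
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(src_ip, dst_ip, ethertype=ETHERTYPE_IPV4):
    """Constructed minimal Ethernet + IPv4 header (20 bytes, no payload)."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto=TCP, checksum
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0, 0, 64, 6, 0)
    ip += struct.pack("!II", int(ipaddress.IPv4Address(src_ip)),
                      int(ipaddress.IPv4Address(dst_ip)))
    return eth + ip


def parse_ipv4_addrs(frame):
    """Return (src, dst) as 32-bit ints for an IPv4 frame, else None.

    BPF's ip[12:4] and ip[16:4] are exactly these two fields: the 4-byte
    source and destination addresses at IP-header offsets 12 and 16.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # ARP, IPv6, ...: "ip[...]" matches nothing, so no worker
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:
        return None
    return struct.unpack("!II", ip[12:20])


def worker_by_sum(src, dst, n_workers=2):
    """(ip[12:4] + ip[16:4]) & 1, generalized to % n.
    BPF arithmetic is 32-bit, so the sum is masked before the modulo."""
    return ((src + dst) & 0xFFFFFFFF) % n_workers


def worker_by_xor(src, dst, n_workers=2):
    """(ipSRC ^ ipDST) % 2, generalized to % n."""
    return (src ^ dst) % n_workers


def assign(frame, rule=worker_by_sum, n_workers=2):
    """Index of the worker whose filter accepts this frame; None if none does."""
    addrs = parse_ipv4_addrs(frame)
    if addrs is None:
        return None
    return rule(addrs[0], addrs[1], n_workers)


def check_partition(flows, rule=worker_by_sum, n_workers=2):
    """For (client, server) pairs: both directions of each flow must hit the
    same worker (both rules are symmetric in src/dst) and every IP packet
    must hit exactly one worker. Returns (ok, packets_per_worker)."""
    per_worker = [0] * n_workers
    for client, server in flows:
        fwd = assign(build_frame(client, server), rule, n_workers)
        rev = assign(build_frame(server, client), rule, n_workers)
        if fwd is None or fwd != rev:
            return False, per_worker
        per_worker[fwd] += 2  # request and reply
    return True, per_worker


if __name__ == "__main__":
    flows = [("10.0.0.1", "192.168.1.10"), ("10.0.0.2", "192.168.1.10"),
             ("172.16.0.5", "8.8.8.8")]
    for rule in (worker_by_sum, worker_by_xor):
        print(rule.__name__, check_partition(flows, rule))
    print("ARP frame ->", assign(build_frame("10.0.0.1", "10.0.0.2", ETHERTYPE_ARP)))
```

A non-IP frame is accepted by neither filter, which is the gap the later message in this thread proposes to cover with an extra worker for non-IP traffic.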
From: seth at icir.org (Seth Hall)
Date: Wed, 2 Nov 2011 15:58:10 -0400
Subject: [Bro] Bro performance issues
Message-ID: <1F51E73B-B36C-476C-93A2-98265A0F6FE7@icir.org>

On Nov 2, 2011, at 3:41 PM, William Jones wrote:

> Try the following pcap filtering trick:
> [worker-1]
> type=worker
> host=localhost
> interface=em0
> aux_scripts=q1of2

Nice one!

In the 2.0-beta you don't even need to define that aux_scripts field
either. You should be able to just make files named worker-1.local.bro and
worker-2.local.bro in your /share/bro/site/ directory and they will
automatically get loaded by the correct nodes.

  .Seth

From: jones at tacc.utexas.edu (William Jones)
Date: Wed, 2 Nov 2011 21:31:44 +0000
Subject: [Bro] Bro performance issues

Nice!

[quoted copy of Seth Hall's reply trimmed]

From: jones at tacc.utexas.edu (William Jones)
Date: Wed, 2 Nov 2011 23:21:09 +0000
Subject: [Bro] Bro performance issues

Something changed in the way packet filters work on 2.0 Beta Bro. It does
not seem to have the old behavior.

What I want is the ability to set a filter per worker. That way I could
spread the TCP load for IP and IPv6 across n workers and run an n+1 worker
that takes care of the non-IP traffic.

Bill Jones

[quoted copies of the "Nice!" message and Seth Hall's reply trimmed]

From: mcholste at gmail.com (Martin Holste)
Date: Wed, 2 Nov 2011 19:56:16 -0500
Subject: [Bro] Bro performance issues

Is there a reason you can't do PF_RING? It's a lot more efficient than BPF
load balancing.

On Wed, Nov 2, 2011 at 6:21 PM, William Jones wrote:
> Something changed in the way packet filters work on 2.0 Beta Bro. It does not seem to have the old behavior.
>
> What I want is the ability to set a filter per worker. That way I could spread the TCP load for IP and IPv6 across n workers and run an n+1 worker that takes care of the non-IP traffic.
>
> Bill Jones
> [...]

From: djteller at gmail.com (Tomer Teller)
Date: Thu, 3 Nov 2011 13:47:00 +0200
Subject: [Bro] Bro performance issues

Thanks for the tip William,

This trick doesn't work on Bro 2.0.
I tried both aux_scripts and creating the worker-1.local.bro file.
I installed the new policy, stop/start, and again the workers are not
load-balancing traffic.

    tcpreplay -i ethX --mbps=1000.0 680000_packets.pcap

    [BroControl] > netstats
       worker-1: 1320349321.810072 recvd=639496 dropped=30101 link=669597
       worker-2: 1320349322.010123 recvd=639549 dropped=30048 link=669597

This is out-of-the-box Bro 2.0 with PF_RING and libpcap compiled with
PF_RING.

On Wed, Nov 2, 2011 at 9:41 PM, William Jones wrote:
> Try the following pcap filtering trick:
> [...]
> q1of2.bro:
> redef restrict_filters += { ["q0"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };
>
> q2of2.bro:
> redef restrict_filters += { ["q0"] = "(ip[12:4] + ip[16:4]) & 1 == 1" };
>
> This will split input between the two Bro workers.
> [...]
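A quick check on netstats output like the one quoted above, as an added example (not part of the thread or of broctl): it parses the "worker-N: ts recvd=... dropped=... link=..." lines and reports whether the workers are duplicating the replay (each worker's link count is about the whole 680000-packet replay) or splitting it (the link counts add up to it). The replayed packet count, the 5% tolerance and the "balanced" sample are assumptions; the "duplicated" sample is copied from the thread.

```python
"""Classify `broctl netstats` output as balanced or duplicated capture.

Added example; not code from the thread or from broctl. It assumes the
netstats line format shown in the thread and that the replayed packet
count (680000) is known. The tolerance is an assumption.
"""
import re

# Format of one netstats line as shown in the thread:
#   worker-1: 1320276618.514073 recvd=669576 dropped=0 link=669576
NETSTATS_RE = re.compile(
    r"^\s*(?P<node>[\w-]+):\s+(?P<ts>[\d.]+)\s+recvd=(?P<recvd>\d+)"
    r"\s+dropped=(?P<dropped>\d+)\s+link=(?P<link>\d+)\s*$"
)

# Sample copied from the thread: every worker saw the whole replay.
DUPLICATED_SAMPLE = """\
worker-1: 1320276618.514073 recvd=669576 dropped=0 link=669576
worker-2: 1320276618.714115 recvd=669576 dropped=0 link=669576
"""

# Constructed sample of what a working split would look like.
BALANCED_SAMPLE = """\
worker-1: 1320276618.514073 recvd=334912 dropped=0 link=334912
worker-2: 1320276618.714115 recvd=334664 dropped=0 link=334664
"""


def parse_netstats(text):
    """Return {node: {"recvd": int, "dropped": int, "link": int}}."""
    stats = {}
    for line in text.splitlines():
        m = NETSTATS_RE.match(line)
        if m:
            stats[m["node"]] = {k: int(m[k]) for k in ("recvd", "dropped", "link")}
    return stats


def drop_rate(entry):
    """Fraction of packets the capture layer dropped for one worker."""
    return entry["dropped"] / entry["link"] if entry["link"] else 0.0


def classify(stats, replayed, tolerance=0.05):
    """'duplicated': every worker's link count is about the whole replay.
    'balanced':   the workers' link counts add up to about the replay.
    'partial':    neither (e.g. a filter that discards some traffic)."""
    links = [s["link"] for s in stats.values()]
    if not links:
        return "no-data"
    lo, hi = replayed * (1 - tolerance), replayed * (1 + tolerance)
    if len(links) > 1 and all(lo <= n <= hi for n in links):
        return "duplicated"
    if lo <= sum(links) <= hi:
        return "balanced"
    return "partial"


def report(text, replayed=680000):
    """Verdict plus per-worker drop rate for a netstats dump."""
    stats = parse_netstats(text)
    return classify(stats, replayed), {n: drop_rate(e) for n, e in stats.items()}


if __name__ == "__main__":
    for name, sample in (("thread", DUPLICATED_SAMPLE), ("constructed", BALANCED_SAMPLE)):
        verdict, rates = report(sample)
        print(name, verdict, {n: f"{r:.1%}" for n, r in rates.items()})
```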
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 3 Nov 2011 07:47:21 -0500
Subject: [Bro] Bro performance issues

What's the output of cat /proc/net/pf_ring/* ? There should be a file per
Bro worker in there when Bro is running.

On Thu, Nov 3, 2011 at 6:47 AM, Tomer Teller wrote:
> Thanks for the tip William,
> This trick doesn't work on Bro 2.0.
> I tried both aux_scripts and creating the worker-1.local.bro file.
> I installed the new policy, stop/start, and again the workers are not
> load-balancing traffic.
> tcpreplay -i ethX --mbps=1000.0 680000_packets.pcap
> [BroControl] > netstats
>    worker-1: 1320349321.810072 recvd=639496 dropped=30101 link=669597
>    worker-2: 1320349322.010123 recvd=639549 dropped=30048 link=669597
> This is out-of-the-box Bro 2.0 with PF_RING and libpcap compiled with
> PF_RING.
> [...]
>>
>> On Tue, Nov 1, 2011 at 4:08 PM, Seth Hall wrote:
>>
>> On Nov 1, 2011, at 4:26 AM, Tomer Teller wrote:
>>
>> > I configured the node.cfg and added:
>> > 1 manager
>> > 1 proxy
>> > 2 workers - sniffing the same interface
>>
>> Could you send the content of your node.cfg file?  I noticed in your
>> broctl session you sent, there was a reference to worker-3 which isn't
>> represented in your description.
>>
>> Thanks,
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
>>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From djteller at gmail.com Thu Nov 3 08:16:58 2011
From: djteller at gmail.com (Tomer Teller)
Date: Thu, 3 Nov 2011 17:16:58 +0200
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org>
Message-ID:

PF_RING Version     : 5.0.0 ($Revision: exported$)
Ring slots          : 4096
Slot version        : 13
Capture TX          : Yes [RX+TX]
IP Defragment       : No
Socket Mode         : Standard
Transparent mode    : Yes (mode 0)
Total rings         : 0
Total plugins       : 0

[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started
manager    manager    localhost  running       13328  3      03 Nov 19:08:41
proxy-1    proxy      localhost  running       13359  3      03 Nov 19:08:43
worker-1   worker     localhost  running       13403  2      03 Nov 19:08:45
worker-2   worker     localhost  running       13402  2      03 Nov 19:08:45

[BroControl] > netstats
  worker-1: 1320362018.486131 recvd=669511 dropped=286 link=669797
  worker-2: 1320362018.686087 recvd=669650 dropped=147 link=669797

On Thu, Nov 3, 2011 at 2:47 PM, Martin Holste wrote:
> What's the output of cat /proc/net/pf_ring/* ?
> There should be a file
> per Bro worker in there when Bro is running.
>
> On Thu, Nov 3, 2011 at 6:47 AM, Tomer Teller wrote:
> > Thanks for the tip William,
> > This trick doesn't work on Bro2.0
> > I tried both aux_scripts and creating the worker-1.local.bro file
> > I installed the new policy stop/start and again the workers are not
> > load-balancing traffic
> > tcpreplay -i ethX --mbps=1000.0 680000_packets.pcap
> > [BroControl] > netstats
> >   worker-1: 1320349321.810072 recvd=639496 dropped=30101 link=669597
> >   worker-2: 1320349322.010123 recvd=639549 dropped=30048 link=669597
> > This is Out of the box Bro2.0 with PF_RING and libpcap compiled with
> > PF_RING.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111103/20a0e106/attachment.html

From mcholste at gmail.com Thu Nov 3 08:29:04 2011
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 3 Nov 2011 10:29:04 -0500
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org>
Message-ID:

Ok, that shows that Bro is not in fact using PF_RING, as there are no
entries for the pids.

On Thu, Nov 3, 2011 at 10:16 AM, Tomer Teller wrote:
> PF_RING Version     : 5.0.0 ($Revision: exported$)
> Ring slots          : 4096
> Slot version        : 13
> Capture TX          : Yes [RX+TX]
> IP Defragment       : No
> Socket Mode         : Standard
> Transparent mode    : Yes (mode 0)
> Total rings         : 0
> Total plugins       : 0
> [BroControl] > status
> Name       Type       Host       Status        Pid    Peers  Started
> manager    manager    localhost  running       13328  3      03 Nov 19:08:41
> proxy-1    proxy      localhost  running       13359  3      03 Nov 19:08:43
> worker-1   worker     localhost  running       13403  2      03 Nov 19:08:45
> worker-2   worker     localhost  running       13402  2      03 Nov 19:08:45
>
> [BroControl] > netstats
>   worker-1: 1320362018.486131 recvd=669511 dropped=286 link=669797
>   worker-2: 1320362018.686087 recvd=669650 dropped=147 link=669797
>
>
>
> On Thu, Nov 3, 2011 at 2:47 PM, Martin Holste wrote:
>>
>> What's the output of cat /proc/net/pf_ring/* ?  There should be a file
>> per Bro worker in there when Bro is running.
From robin at icir.org Thu Nov 3 10:18:41 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 3 Nov 2011 10:18:41 -0700
Subject: [Bro] help
In-Reply-To: <4EB0F68C.7040007@mail.ru>
References: <4EB0F68C.7040007@mail.ru>
Message-ID: <20111103171841.GN42624@icir.org>

On Wed, Nov 02, 2011 at 11:51 +0400, you wrote:
> Why do you use freebsd instead of linux?
> I think freebsd has some more higher priority for bro by default.

Historically, many Bro sites have been running FreeBSD for one reason or
another. At some point, capture performance was much better on FreeBSD,
though today the picture is less clear (and Linux has some features now
that BSD doesn't).
Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From jones at tacc.utexas.edu Thu Nov 3 12:17:18 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Thu, 3 Nov 2011 19:17:18 +0000
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <1F51E73B-B36C-476C-93A2-98265A0F6FE7@icir.org>
Message-ID:

Is PF_RING part of bro?

-----Original Message-----
From: Martin Holste [mailto:mcholste at gmail.com]
Sent: Wednesday, November 02, 2011 7:56 PM
To: William Jones
Cc: Seth Hall; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues

Is there a reason you can't do PF_RING?  It's a lot more efficient than
BPF load balancing.

On Wed, Nov 2, 2011 at 6:21 PM, William Jones wrote:
> Something changed in the way packet filters work on 2.0 Beta bro. It does not seem to have the old behavior.
>
> What I want is the ability to set a filter per worker.  That way I could spread the tcp load for ip and ipv6 across n workers and run an n+1 worker that takes care of the non-ip traffic.
>
>
> Bill Jones
>
> -----Original Message-----
> From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of William Jones
> Sent: Wednesday, November 02, 2011 4:32 PM
> To: 'Seth Hall'
> Cc: bro at bro-ids.org
> Subject: Re: [Bro] Bro performance issues
>
> Nice!
>
> -----Original Message-----
> From: Seth Hall [mailto:seth at icir.org]
> Sent: Wednesday, November 02, 2011 2:58 PM
> To: William Jones
> Cc: 'Tomer Teller'; bro at bro-ids.org
> Subject: Re: [Bro] Bro performance issues
>
>
> On Nov 2, 2011, at 3:41 PM, William Jones wrote:
>
>> Try the following pcap filtering trick:
>> [worker-1]
>> type=worker
>> host=localhost
>> interface=em0
>> aux_scripts=q1of2
>
> Nice one!
>
> In the 2.0-beta you don't even need to define that aux_scripts field either.  You should be able to just make files named worker-1.local.bro and worker-2.local.bro in your /share/bro/site/ directory and they will automatically get loaded by the correct nodes.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From jones at tacc.utexas.edu Thu Nov 3 12:22:15 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Thu, 3 Nov 2011 19:22:15 +0000
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org>
Message-ID:

By studying the pcap filter code I found a workaround.  I set the
"cmd_linebpdf_filter:" to my packet filter definition.  It would be nice
to have a more formal way to do this.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111103/7b824ab1/attachment.html

From jones at tacc.utexas.edu Thu Nov 3 12:40:06 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Thu, 3 Nov 2011 19:40:06 +0000
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org>
Message-ID:

Don't you need more foo to get PF_RING to load balance?  It looks like you
have to bind a bro instance to a cpu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111103/04a74ec7/attachment.html

From seth at icir.org Thu Nov 3 12:48:38 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 3 Nov 2011 15:48:38 -0400
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org>
Message-ID:

On Nov 3, 2011, at 3:40 PM, William Jones wrote:

> Don't you need more foo to get PF_RING to load balance?  It looks like you have to bind a bro instance to a cpu.

Nope, and if you build Bro against the PF_RING libpcap wrapper BroControl
automatically takes care of everything to begin load balancing.  I'm still
waiting to hear back from Tomer with the output from the commands I asked
him for earlier to actually figure out what's going wrong for him.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From jones at tacc.utexas.edu Thu Nov 3 13:27:02 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Thu, 3 Nov 2011 20:27:02 +0000
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org>
Message-ID:

Thanks!  I will give it a try!

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Thursday, November 03, 2011 2:49 PM
To: William Jones
Cc: 'Tomer Teller'; Martin Holste; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues


On Nov 3, 2011, at 3:40 PM, William Jones wrote:

> Don't you need more foo to get PF_RING to load balance?  It looks like you have to bind a bro instance to a cpu.
Nope, and if you build Bro against the PF_RING libpcap wrapper BroControl
automatically takes care of everything to begin load balancing.  I'm still
waiting to hear back from Tomer with the output from the commands I asked
him for earlier to actually figure out what's going wrong for him.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From jones at tacc.utexas.edu Thu Nov 3 14:30:07 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Thu, 3 Nov 2011 21:30:07 +0000
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org>
Message-ID:

I do bro monitoring with a tap.  That means that each bro instance needs to
read from two Ethernet interfaces to see the transmit and receive side of
the same tcp connection.  The pcap filters ensure that this happens.  What
happens when I use the PF_RING pcap interface with bro?  Will each bro
worker see the same connection pair?

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Thursday, November 03, 2011 2:49 PM
To: William Jones
Cc: 'Tomer Teller'; Martin Holste; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues


On Nov 3, 2011, at 3:40 PM, William Jones wrote:

> Don't you need more foo to get PF_RING to load balance?  It looks like you have to bind a bro instance to a cpu.

Nope, and if you build Bro against the PF_RING libpcap wrapper BroControl
automatically takes care of everything to begin load balancing.  I'm still
waiting to hear back from Tomer with the output from the commands I asked
him for earlier to actually figure out what's going wrong for him.
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From mcholste at gmail.com Thu Nov 3 15:10:54 2011
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 3 Nov 2011 17:10:54 -0500
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org>
Message-ID:

Actually, I recommend setting up a bonded interface, which recent
PF_RING's will happily monitor.

On Thu, Nov 3, 2011 at 4:30 PM, William Jones wrote:
> I do bro monitoring with a tap.  That means that each bro instance needs to read from two Ethernet interfaces to see the transmit and receive side of the same tcp connection.  The pcap filters ensure that this happens.  What happens when I use the PF_RING pcap interface with bro?  Will each bro worker see the same connection pair?
>
> -----Original Message-----
> From: Seth Hall [mailto:seth at icir.org]
> Sent: Thursday, November 03, 2011 2:49 PM
> To: William Jones
> Cc: 'Tomer Teller'; Martin Holste; bro at bro-ids.org
> Subject: Re: [Bro] Bro performance issues
>
>
> On Nov 3, 2011, at 3:40 PM, William Jones wrote:
>
>> Don't you need more foo to get PF_RING to load balance?  It looks like you have to bind a bro instance to a cpu.
>
> Nope, and if you build Bro against the PF_RING libpcap wrapper BroControl automatically takes care of everything to begin load balancing.  I'm still waiting to hear back from Tomer with the output from the commands I asked him for earlier to actually figure out what's going wrong for him.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>

From seth at icir.org Fri Nov 4 05:27:31 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 4 Nov 2011 08:27:31 -0400
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org>
Message-ID: <5740A071-7773-4AEB-A572-E1B41588137B@icir.org>

On Nov 3, 2011, at 6:10 PM, Martin Holste wrote:

> Actually, I recommend setting up a bonded interface, which recent
> PF_RING's will happily monitor.

Ah, nice!  Thanks for pointing that out.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From jones at tacc.utexas.edu Fri Nov 4 14:09:12 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Fri, 4 Nov 2011 21:09:12 +0000
Subject: [Bro] Bro performance issues
In-Reply-To: <5740A071-7773-4AEB-A572-E1B41588137B@icir.org>
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org>
Message-ID:

Just installed bro with PF_RING without my filter to see what happens with
pf_ring load balancing.  As I thought, the load balancing does a good job of
distributing the load across my 8 bro workers.
The down side is that bro is not working correctly since each bro worker only sees part of the tcp connections, for example the weird log:

1320440533.316479 B1zdmt0vxHf 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-2
1320440533.316479 F1NuRpLxmri 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-4
1320440533.316479 GBvErIhMFH3 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-1
1320440533.316479 Jgz4LByaW62 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-8
1320440533.316479 JgQfacLEqNf 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-5
1320440533.316479 a5JEFET8tid 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-6
1320440533.316479 Olp5WQZeFsk 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-7

There are a lot of other functions that don't seem to work. I am putting the filter back but I will continue to run pf_ring with load balancing turned off and see what happens.
From jones at tacc.utexas.edu Fri Nov 4 17:34:02 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Sat, 5 Nov 2011 00:34:02 +0000
Subject: [Bro] Bro performance issues
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org>

I backed down from the PF_RING pcap library. I couldn't find a way to turn off the load balancing.
From seth at icir.org Fri Nov 4 18:23:04 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 4 Nov 2011 21:23:04 -0400
Subject: [Bro] Bro performance issues
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org>
Message-ID: <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org>

On Nov 4, 2011, at 5:09 PM, William Jones wrote:

> 1320440533.316479 JgQfacLEqNf 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-5
> 1320440533.316479 a5JEFET8tid 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-6
> 1320440533.316479 Olp5WQZeFsk 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-7

Hm, I'm not totally convinced that you have pf_ring fully working yet. My guess is that each of those workers saw the same packet. Connection unique IDs will be generated differently on different hosts so you can't expect those to be the same, and everything else, including the timestamp, is exactly the same.

Can you send the output of:

broctl config | grep -i pfring

and:

ldd /bin/bro

If there is a problem with pf_ring not being enabled correctly on some machines, we'd certainly like to figure it out. Thanks!
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From jones at tacc.utexas.edu Fri Nov 4 18:57:10 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Sat, 5 Nov 2011 01:57:10 +0000
Subject: [Bro] Bro performance issues
In-Reply-To: <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org>
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org>

What nic are people using to test PF_RING on bro? The one I'm using is a Broadcom Corporation NetXtreme II BCM57711 10-Gigabit PCIe.
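Seth's reading of Bill's weird.log in the previous message (same timestamp and same 5-tuple on many workers means each worker saw the same packet; only the uid differs, because every worker generates its own) can be turned into a check that runs over a whole log. The script below is an added example, not code from the thread or from Bro: the log records are constructed (the first three copy Bill's lines, the last two are invented, with RFC 5737 addresses), and the field positions assume the column order Bill posted. Flow-based balancing gives every packet to exactly one worker, so on a correctly clustered run the check prints nothing.

```shell
#!/bin/sh
# Added example, not code from the thread or from Bro. Finds weird.log
# events that several workers logged for the same packet: same timestamp
# and same 5-tuple on more than one worker means the workers all received
# that packet, i.e. PF_RING clustering did not split the flow between them.
# The per-worker connection uid ($2) is deliberately left out of the key.

# Constructed sample in the column order Bill posted
# (ts uid orig_h orig_p resp_h resp_p name addl notice peer). The first
# three records copy the thread; the last two are invented (RFC 5737
# addresses) so that the sample also contains events seen by one worker only.
SAMPLE_WEIRD_LOG='1320440533.316479 B1zdmt0vxHf 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-2
1320440533.316479 F1NuRpLxmri 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-4
1320440533.316479 GBvErIhMFH3 129.114.13.51 54999 8.20.213.28 80 above_hole_data_without_any_acks - F worker-1
1320440540.104211 CqZ3hVvNb5k 198.51.100.7 40001 192.0.2.10 443 bad_TCP_checksum - F worker-3
1320440541.771905 DmY8pWwRc6j 198.51.100.8 40002 192.0.2.11 443 bad_TCP_checksum - F worker-6'

# Reads weird.log records on stdin (tab- or space-separated; '#' header
# lines are skipped) and prints one line per (ts, 5-tuple, name) that more
# than one worker reported, followed by those workers in first-seen order.
duplicated_weird_events() {
    awk '
        /^#/ || NF < 10 { next }
        {
            key = $1 " " $3 " " $4 " " $5 " " $6 " " $7
            # count each worker once per event, even if it logged it twice
            if (index(" " peers[key] " ", " " $10 " ") == 0) {
                peers[key] = (peers[key] == "") ? $10 : (peers[key] " " $10)
                count[key]++
            }
        }
        END {
            for (key in count)
                if (count[key] > 1)
                    print key " seen-by " peers[key]
        }' | sort
}

# Exit status 0 when duplicate capture is suspected (some event was logged
# by more than one worker), 1 when every event belongs to a single worker.
duplicate_capture_suspected() {
    [ -n "$(duplicated_weird_events)" ]
}

# Wrappers over the constructed sample so the result can be checked.
sample_duplicates() {
    printf '%s\n' "$SAMPLE_WEIRD_LOG" | duplicated_weird_events
}
sample_single_worker_part() {
    # the last two records only: no event is shared between workers
    printf '%s\n' "$SAMPLE_WEIRD_LOG" | tail -n 2 | duplicated_weird_events
}

sample_duplicates
```

Run it on the manager, where the workers' logs are merged, with `duplicated_weird_events < weird.log`; Bro 2.0 writes tab-separated logs with `#` header lines, which awk's default field splitting and the comment filter both handle. An empty result is the expected state; any output line names an event that two or more workers processed, which is the duplication Seth suspected rather than load balancing.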
From seth at icir.org Fri Nov 4 19:25:53 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 4 Nov 2011 22:25:53 -0400
Subject: [Bro] Bro performance issues
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org>
Message-ID: <07BB9294-94B1-4268-9F05-4B8157423587@icir.org>

On Nov 4, 2011, at 9:57 PM, William Jones wrote:

> What nic are people using to test PF_RING on bro? The one I'm using is a Broadcom Corporation NetXtreme II BCM57711 10-Gigabit PCIe.

The NIC shouldn't matter, the load balancing is all done in the kernel.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From jones at tacc.utexas.edu Fri Nov 4 22:35:34 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Sat, 5 Nov 2011 05:35:34 +0000
Subject: [Bro] Bro performance issues
In-Reply-To: <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org>
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org>

Found the problem. getenv is not working on linux, sigh.
Bill Jones

From seth at icir.org Fri Nov 4 22:57:18 2011
From: seth at icir.org (Seth Hall)
Date: Sat, 5 Nov 2011 01:57:18 -0400
Subject: [Bro] Bro performance issues
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org>
Message-ID: <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org>

On Nov 5, 2011, at 1:35 AM, William Jones wrote:

> Found the problem. getenv is not working on linux, sigh.

Oh, what distribution is this?
I guess this is totally breaking the clustering support in pf_ring's libpcap wrapper.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From jones at tacc.utexas.edu Sat Nov 5 00:04:26 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Sat, 5 Nov 2011 07:04:26 +0000
Subject: [Bro] Bro performance issues
In-Reply-To: <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org>
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org> <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org>

It's Redhat 5.7. Now that I know there is a problem with getenv I should be able to track down the exact nature of the problem.
From jones at tacc.utexas.edu Sat Nov 5 14:21:33 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Sat, 5 Nov 2011 21:21:33 +0000
Subject: [Bro] Bro performance issues
In-Reply-To: <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org>
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org> <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org>

Attached is a patch to fix the getenv problem. There were two PCAP env variables that need a shell export statement.

This will make PF_RING work so long as all the data is going into one interface or bonded interface.

Bill Jones
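The export that Bill's patch adds can be reproduced without Bro: a child process receives only the variables its parent shell exported, so a plain `VAR=value` assignment in a start-up script is invisible to getenv() in the process it launches, while `export VAR=value` is passed through. The script below is an added example, not the patch and not Bro's run-bro; it uses the PCAP_PF_RING_CLUSTER_ID name from the thread, the cluster id 21 Tomer reports later in the thread, and a second sh as a stand-in for the bro process.

```shell
#!/bin/sh
# Added example, not Bill's patch and not Bro's run-bro script.
# A child process only receives variables that its parent shell exported:
# a plain assignment is shell-local and getenv() in the child finds nothing,
# an exported one is copied into the environment block that execve() hands
# to the child. Variable name from the thread; 21 is the cluster id Tomer posted.

# What a freshly started child (a second sh, standing in for bro) sees for
# the variable named in $1: its value, or "<unset>" if it has no such variable.
child_env_value() {
    sh -c 'eval "v=\${$1}"; if [ -n "$v" ]; then printf "%s" "$v"; else printf "<unset>"; fi' _ "$1"
}

# Run both cases and remember what the child reported for each.
run_demo() {
    unset PCAP_PF_RING_CLUSTER_ID        # start clean (also drops any inherited export)
    PCAP_PF_RING_CLUSTER_ID=21           # plain assignment: visible in this shell only
    unexported_view=$(child_env_value PCAP_PF_RING_CLUSTER_ID)
    export PCAP_PF_RING_CLUSTER_ID       # now part of the environment handed to children
    exported_view=$(child_env_value PCAP_PF_RING_CLUSTER_ID)
}

run_demo

# Accessors for the two results.
view_unexported() { printf '%s' "$unexported_view"; }   # "<unset>"
view_exported()   { printf '%s' "$exported_view"; }     # "21"

printf 'child sees after plain assignment: %s\n' "$(view_unexported)"
printf 'child sees after export:           %s\n' "$(view_exported)"
```

Whether a running worker actually received the variable is what Tomer's loop over /proc/<pid>/environ checks; `tr '\0' '\n' < /proc/<pid>/environ | grep '^PCAP_PF_RING'` shows the same thing for a single process. A variable that was already exported by whatever started broctl is inherited by every child and needs no export in run-bro; one that run-bro sets for itself does, which is the difference between Bill's patch and Seth's reply below.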
From seth at icir.org Sat Nov 5 18:49:22 2011
From: seth at icir.org (Seth Hall)
Date: Sat, 5 Nov 2011 21:49:22 -0400
Subject: [Bro] Bro performance issues
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org> <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org>
Message-ID: <586545D8-F1F0-4839-8E0F-9EA61499A25B@icir.org>

On Nov 5, 2011, at 5:21 PM, William Jones wrote:

> Attached is a patch to fix the getenv problem. There were two PCAP env variables that need a shell export statement.
>
> This will make PF_RING work so long as all the data is going into one interface or bonded interface.

What shell are you using? There is something messed up because those environment variables are already set and I don't think you should need those lines in run-bro. I haven't seen anyone else that has needed those lines at least.
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From djteller at gmail.com Sun Nov 6 01:02:23 2011
From: djteller at gmail.com (Tomer Teller)
Date: Sun, 6 Nov 2011 11:02:23 +0200
Subject: [Bro] Bro performance issues
In-Reply-To: <586545D8-F1F0-4839-8E0F-9EA61499A25B@icir.org>
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org> <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org> <586545D8-F1F0-4839-8E0F-9EA61499A25B@icir.org>

Seth, here is my configuration:

Bro 2.0beta
Running on Debian GNU/Linux 6.0

broctl config | grep pfring
> pfringclusterid = 21

ldd bro
> linux-vdso.so.1 => (0x00007fff41be1000)
> libpcap.so.1 => /usr/local/pfring/lib/libpcap.so.1 (0x00007f3a74c0c000)
> libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3a749f0000)
> libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f3a7479a000)
> libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f3a743f9000)
> libmagic.so.1 => /usr/lib/libmagic.so.1 (0x00007f3a741db000)
> libz.so.1 => /usr/lib/libz.so.1 (0x00007f3a73fc3000)
> libGeoIP.so.1 => /usr/lib/libGeoIP.so.1 (0x00007f3a73d8c000)
> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f3a73a78000)
> libm.so.6 => /lib/libm.so.6 (0x00007f3a737f5000)
> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f3a735df000)
> libc.so.6 => /lib/libc.so.6 (0x00007f3a7327e000)
> /lib64/ld-linux-x86-64.so.2 (0x00007f3a74e63000)
> libdl.so.2 => /lib/libdl.so.2 (0x00007f3a73079000)

cat /proc/net/pf_ring/*
> PF_RING Version : 5.0.0 ($Revision: exported$)
> Ring slots : 4096
> Slot version : 13
> Capture TX : Yes [RX+TX]
> IP Defragment : No
> Socket Mode : Standard
> Transparent mode : Yes (mode 0)
> Total rings : 0
> Total plugins : 0

for i in $(pidof bro); do echo -n "Pid:$i " ; cat /proc/$i/environ | grep -w 'PCAP_PF_RING_CLUSTER_ID'; done

Shows me that all instances exported the PCAP_PF_RING_CLUSTER_ID (also tested PCAP_PF_RING_USE_CLUSTER_PER_FLOW).

Again, traffic does not split between the workers, they see the same packets.

From mcholste at gmail.com Sun Nov 6 08:05:30 2011
From: mcholste at gmail.com (Martin Holste)
Date: Sun, 6 Nov 2011 10:05:30 -0600
Subject: [Bro] Bro performance issues
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org> <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org> <586545D8-F1F0-4839-8E0F-9EA61499A25B@icir.org>

What do you get for broctl status?
From djteller at gmail.com Sun Nov 6 08:26:01 2011
From: djteller at gmail.com (Tomer Teller)
Date: Sun, 6 Nov 2011 18:26:01 +0200
Subject: [Bro] Bro performance issues
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org> <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org> <586545D8-F1F0-4839-8E0F-9EA61499A25B@icir.org>
Message-ID: <898DF184-07F2-4528-A882-A5E80C2B7D3B@gmail.com>

Name       Type       Host       Status        Pid    Peers  Started
manager    manager    localhost  running       30614  3      06 Nov 18:01:09
proxy-1    proxy      localhost  running       30645  3      06 Nov 18:01:11
worker-1   worker     localhost  running       30688  2      06 Nov 18:01:13
worker-2   worker     localhost  running       30689  2      06 Nov 18:01:13

On Nov 6, 2011, at 18:05, Martin Holste wrote:

> What do you get for broctl status?
The were tow PCAP env >> variables that need a shell export statement. >> >> This will make PF_RING work so long as all the data is going into one >> interface or bonded interface. >> >> >> What shell are you using? There is something messed up because those >> environment variables are already set and I think don't think you should >> need those lines in run-bro. I haven't seen anyone else that has needed >> those lines at least. >> >> .Seth >> >> -- >> Seth Hall >> International Computer Science Institute >> (Bro) because everyone has a network >> http://www.bro-ids.org/ >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111106/5e83184a/attachment.html From mcholste at gmail.com Sun Nov 6 12:22:22 2011 From: mcholste at gmail.com (Martin Holste) Date: Sun, 6 Nov 2011 14:22:22 -0600 Subject: [Bro] Bro performance issues In-Reply-To: <898DF184-07F2-4528-A882-A5E80C2B7D3B@gmail.com> References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org> <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org> <586545D8-F1F0-4839-8E0F-9EA61499A25B@icir.org> <898DF184-07F2-4528-A882-A5E80C2B7D3B@gmail.com> Message-ID: Wow, well I'm quite sure that PF_RING is not being used because you don't have /proc/net/pf_ring entries, but I have no idea why as the workers are obviously running and you have libpcap compiled with pf_ring support. On Sun, Nov 6, 2011 at 10:26 AM, Tomer Teller wrote: > Name ? ? ? Type ? ? ? Host ? ? ? Status ? ? ? ?Pid ? ?Peers ?Started > > manager ? ?manager ? ?localhost ?running ? ? ? 30614 ?3 ? ? ?06 Nov 18:01:09 > > proxy-1 ? ?proxy ? ? ?localhost ?running ? ? ? 30645 ?3 ? ? 
?06 Nov 18:01:11 > > worker-1 ? worker ? ? localhost ?running ? ? ? 30688 ?2 ? ? ?06 Nov 18:01:13 > > worker-2 ? worker ? ? localhost ?running ? ? ? 30689 ?2 ? ? ?06 Nov 18:01:13 > > > > On Nov 6, 2011, at 18:05, Martin Holste wrote: > > What do you get for broctl status? > > On Sun, Nov 6, 2011 at 3:02 AM, Tomer Teller wrote: > > Seth, here is my configuration: > > > > Bro 2.0beta > > Running on Debian GNU/Linux 6.0 > > > > broctl config | grep pfring > > pfringclusterid = 21 > > > > ldd bro > > linux-vdso.so.1 =>? (0x00007fff41be1000) > > libpcap.so.1 => /usr/local/pfring/lib/libpcap.so.1 (0x00007f3a74c0c000) > > libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3a749f0000) > > libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f3a7479a000) > > libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f3a743f9000) > > libmagic.so.1 => /usr/lib/libmagic.so.1 (0x00007f3a741db000) > > libz.so.1 => /usr/lib/libz.so.1 (0x00007f3a73fc3000) > > libGeoIP.so.1 => /usr/lib/libGeoIP.so.1 (0x00007f3a73d8c000) > > libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f3a73a78000) > > libm.so.6 => /lib/libm.so.6 (0x00007f3a737f5000) > > libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f3a735df000) > > libc.so.6 => /lib/libc.so.6 (0x00007f3a7327e000) > > /lib64/ld-linux-x86-64.so.2 (0x00007f3a74e63000) > > libdl.so.2 => /lib/libdl.so.2 (0x00007f3a73079000) > > > > > > cat /proc/net/pf_ring/* > > PF_RING Version???? : 5.0.0 ($Revision: exported$) > > Ring slots????????? : 4096 > > Slot version??????? : 13 > > Capture TX????????? : Yes [RX+TX] > > IP Defragment?????? : No > > Socket Mode???????? : Standard > > Transparent mode??? : Yes (mode 0) > > Total rings???????? : 0 > > Total plugins?????? : 0 > > > > > > for i in? $(pidof bro); do echo -n "Pid:$i " ; cat /proc/$i/environ | grep > > -w 'PCAP_PF_RING_CLUSTER_ID';? 
done > > > > Shows me that all instances exported the PCAP_PF_RING_CLUSTER_ID (also > > tested PCAP_PF_RING_USE_CLUSTER_PER_FLOW) > > > > Again, Traffic does not split between the workers, they see the same > > packets. > > > > On Nov 6, 2011, at 3:49, Seth Hall wrote: > > > On Nov 5, 2011, at 5:21 PM, William Jones wrote: > > Attached is a patch to fix the getenv problem. ?The were tow PCAP env > > variables that need a shell export statement. > > This will make PF_RING work so long as all the data is going into one > > interface or bonded interface. > > > What shell are you using? ?There is something messed up because those > > environment variables are already set and I think don't think you should > > need those lines in run-bro. ?I haven't seen anyone else that has needed > > those lines at least. > > ?.Seth > > -- > > Seth Hall > > International Computer Science Institute > > (Bro) because everyone has a network > > http://www.bro-ids.org/ > > > From jones at tacc.utexas.edu Sun Nov 6 13:49:54 2011 From: jones at tacc.utexas.edu (William Jones) Date: Sun, 6 Nov 2011 21:49:54 +0000 Subject: [Bro] Max number of workes per node Message-ID: When my work count goes above 9 "broctl status" return the following status: Name Type Host Status Pid Peers Started manager manager homey.tacc.utexas.edu running 9134 10 06 Nov 15:44:57 proxy-1 proxy homey.tacc.utexas.edu running 9168 8 06 Nov 15:44:59 worker-1 worker mojo1.tacc.utexas.edu running 31935 2 06 Nov 15:45:02 worker-10 worker mojo1.tacc.utexas.edu running 362 2 06 Nov 15:45:36 worker-2 worker mojo1.tacc.utexas.edu running 31939 2 06 Nov 15:45:02 worker-3 worker mojo1.tacc.utexas.edu running 31940 2 06 Nov 15:45:02 worker-4 worker mojo1.tacc.utexas.edu running 31934 2 06 Nov 15:45:02 worker-5 worker mojo1.tacc.utexas.edu running 31941 2 06 Nov 15:45:02 worker-6 worker mojo1.tacc.utexas.edu running 31937 2 06 Nov 15:45:02 worker-7 worker mojo1.tacc.utexas.edu running 31943 2 06 Nov 15:45:02 worker-8 worker 
mojo1.tacc.utexas.edu running 31936 2 06 Nov 15:45:02 worker-9 worker mojo1.tacc.utexas.edu running 31938 ??? 06 Nov 15:45:02 The ??? on worke-9 will disappear if I remove worker-10. I think it only and display problem. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111106/a0131812/attachment.html From jones at tacc.utexas.edu Sun Nov 6 14:22:49 2011 From: jones at tacc.utexas.edu (William Jones) Date: Sun, 6 Nov 2011 22:22:49 +0000 Subject: [Bro] Bro performance issues In-Reply-To: References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org> <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org> <586545D8-F1F0-4839-8E0F-9EA61499A25B@icir.org> Message-ID: Did you see the patch I sent to the list to export the PF_RING averment variables in run_bro. It should fix your problem. 
From: Tomer Teller [mailto:djteller at gmail.com]
Sent: Sunday, November 06, 2011 3:02 AM
To: Seth Hall
Cc: William Jones; Martin Holste; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues

Seth, here is my configuration:

Bro 2.0beta
Running on Debian GNU/Linux 6.0

broctl config | grep pfring
> pfringclusterid = 21

ldd bro
> linux-vdso.so.1 => (0x00007fff41be1000)
> libpcap.so.1 => /usr/local/pfring/lib/libpcap.so.1 (0x00007f3a74c0c000)
> libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3a749f0000)
> libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f3a7479a000)
> libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f3a743f9000)
> libmagic.so.1 => /usr/lib/libmagic.so.1 (0x00007f3a741db000)
> libz.so.1 => /usr/lib/libz.so.1 (0x00007f3a73fc3000)
> libGeoIP.so.1 => /usr/lib/libGeoIP.so.1 (0x00007f3a73d8c000)
> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f3a73a78000)
> libm.so.6 => /lib/libm.so.6 (0x00007f3a737f5000)
> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f3a735df000)
> libc.so.6 => /lib/libc.so.6 (0x00007f3a7327e000)
> /lib64/ld-linux-x86-64.so.2 (0x00007f3a74e63000)
> libdl.so.2 => /lib/libdl.so.2 (0x00007f3a73079000)

cat /proc/net/pf_ring/*
> PF_RING Version : 5.0.0 ($Revision: exported$)
> Ring slots : 4096
> Slot version : 13
> Capture TX : Yes [RX+TX]
> IP Defragment : No
> Socket Mode : Standard
> Transparent mode : Yes (mode 0)
> Total rings : 0
> Total plugins : 0

for i in $(pidof bro); do echo -n "Pid:$i " ; cat /proc/$i/environ | grep -w 'PCAP_PF_RING_CLUSTER_ID'; done

Shows me that all instances exported the PCAP_PF_RING_CLUSTER_ID (also tested PCAP_PF_RING_USE_CLUSTER_PER_FLOW)

Again, Traffic does not split between the workers, they see the same packets.

On Nov 6, 2011, at 3:49, Seth Hall wrote:

On Nov 5, 2011, at 5:21 PM, William Jones wrote:
Attached is a patch to fix the getenv problem. There were two PCAP env variables that need a shell export statement.
This will make PF_RING work so long as all the data is going into one interface or bonded interface.

What shell are you using? There is something messed up because those environment variables are already set and I don't think you should need those lines in run-bro. I haven't seen anyone else that has needed those lines at least.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From jones at tacc.utexas.edu Sun Nov 6 14:43:11 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Sun, 6 Nov 2011 22:43:11 +0000
Subject: [Bro] Three patches

* A python patch that patches a few broctl scripts so they work with Redhat 5
* A patch to run-bro to export two environment variables to support PF_RING
* A patch to src/Net.cc to serialize the workers' opening of network interfaces when PF_RING is enabled and reading from multiple interfaces. This is to ensure that each worker has the same PF_RING slot index. This is needed to make the PF_RING per-flow option work correctly.

There is a PF_RING limit of 8 fd per cluster id. This limits the number of workers per host to 8.

Bill Jones

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mutli_interface_pring.patch
Type: application/octet-stream
Size: 1666 bytes
Desc: mutli_interface_pring.patch
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111106/5ffb9cd7/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: python.patch
Type: application/octet-stream
Size: 1863 bytes
Desc: python.patch
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111106/5ffb9cd7/attachment-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: run-bro_export.patch
Type: application/octet-stream
Size: 366 bytes
Desc: run-bro_export.patch
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111106/5ffb9cd7/attachment-0002.obj

From jones at tacc.utexas.edu Sun Nov 6 15:06:27 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Sun, 6 Nov 2011 23:06:27 +0000
Subject: [Bro] Bro performance issues
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com> <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org> <550075F8-0EC4-4F9F-BDD1-D5F9936BFD4A@icir.org> <5740A071-7773-4AEB-A572-E1B41588137B@icir.org> <9465ED25-2CFF-4207-A410-72DA0575B1C8@icir.org> <395067EF-5A5C-4609-923B-8C46ED2A737D@icir.org> <586545D8-F1F0-4839-8E0F-9EA61499A25B@icir.org>

I just sent info at bro-ids.org three patches to fix a few minor compatibility issues due to python version differences. A patch to export the PF_RING variables so that the pf_ring libpcap can see the PF_RING environment variables. A patch to serialize the bro workers' startup when opening multiple network interfaces when using PF_RING.

FYI Seth, I have been able to get 8 workers reading 8 interfaces to work properly with PF_RING. There is a limit of 8 slots per cluster id in PF_RING. There is a good chance that it can be increased without any performance losses, but that will have to be tested. There may also be some internal limitation with bro when the number of workers goes above 8.
Bill Jones

-----Original Message-----
From: Martin Holste [mailto:mcholste at gmail.com]
Sent: Sunday, November 06, 2011 10:06 AM
To: Tomer Teller
Cc: Seth Hall; William Jones; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues

What do you get for broctl status?

On Sun, Nov 6, 2011 at 3:02 AM, Tomer Teller wrote:
>
> Seth, here is my configuration:
>
> Bro 2.0beta
> Running on Debian GNU/Linux 6.0
>
> broctl config | grep pfring
>> pfringclusterid = 21
>
> ldd bro
>> linux-vdso.so.1 => (0x00007fff41be1000)
>> libpcap.so.1 => /usr/local/pfring/lib/libpcap.so.1 (0x00007f3a74c0c000)
>> libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3a749f0000)
>> libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f3a7479a000)
>> libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f3a743f9000)
>> libmagic.so.1 => /usr/lib/libmagic.so.1 (0x00007f3a741db000)
>> libz.so.1 => /usr/lib/libz.so.1 (0x00007f3a73fc3000)
>> libGeoIP.so.1 => /usr/lib/libGeoIP.so.1 (0x00007f3a73d8c000)
>> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f3a73a78000)
>> libm.so.6 => /lib/libm.so.6 (0x00007f3a737f5000)
>> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f3a735df000)
>> libc.so.6 => /lib/libc.so.6 (0x00007f3a7327e000)
>> /lib64/ld-linux-x86-64.so.2 (0x00007f3a74e63000)
>> libdl.so.2 => /lib/libdl.so.2 (0x00007f3a73079000)
>
> cat /proc/net/pf_ring/*
>> PF_RING Version : 5.0.0 ($Revision: exported$)
>> Ring slots : 4096
>> Slot version : 13
>> Capture TX : Yes [RX+TX]
>> IP Defragment : No
>> Socket Mode : Standard
>> Transparent mode : Yes (mode 0)
>> Total rings : 0
>> Total plugins : 0
>
> for i in $(pidof bro); do echo -n "Pid:$i " ; cat /proc/$i/environ | grep
> -w 'PCAP_PF_RING_CLUSTER_ID';
> done
>
> Shows me that all instances exported the PCAP_PF_RING_CLUSTER_ID (also
> tested PCAP_PF_RING_USE_CLUSTER_PER_FLOW)
>
> Again, Traffic does not split between the workers, they see the same
> packets.
>
> On Nov 6, 2011, at 3:49, Seth Hall wrote:
>
> > On Nov 5, 2011, at 5:21 PM, William Jones wrote:
> > Attached is a patch to fix the getenv problem. There were two PCAP env
> > variables that need a shell export statement.
> > This will make PF_RING work so long as all the data is going into one
> > interface or bonded interface.
>
> What shell are you using? There is something messed up because those
> environment variables are already set and I don't think you should
> need those lines in run-bro. I haven't seen anyone else that has needed
> those lines at least.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>

From mcholste at gmail.com Sun Nov 6 17:31:17 2011
From: mcholste at gmail.com (Martin Holste)
Date: Sun, 6 Nov 2011 19:31:17 -0600
Subject: [Bro] Three patches

If you modify CLUSTER_LEN in pfring.h when installing PF_RING, you can up the cluster worker limit. I needed to do this for my 16-core boxes.

On Sun, Nov 6, 2011 at 4:43 PM, William Jones wrote:
> A python patch that patches a few broctl scripts so they work with Redhat 5
>
> A patch to run-bro to export two environment variables to support
> PF_RING
>
> A patch to src/Net.cc to serialize the workers' opening of network
> interfaces when PF_RING is enabled and reading from multiple interfaces. This
> is to ensure that each worker has the same PF_RING slot index. This is needed
> to make the PF_RING per-flow option work correctly
>
> There is a PF_RING limit of 8 fd per cluster id. This limits the number of
> workers per host to 8.
>
> Bill Jones
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From JAzoff at albany.edu Tue Nov 8 08:05:58 2011
From: JAzoff at albany.edu (Justin Azoff)
Date: Tue, 8 Nov 2011 11:05:58 -0500
Subject: [Bro] broccoli/swig issue with 2.0-beta
Message-ID: <20111108160558.GC6004@datacomm.albany.edu>

10073 ~ % sudo /spare/tmp/bro/bin/broctl status
warning: removing stale lock
Name         Type         Host         Status        Pid    Peers  Started
Traceback (most recent call last):
  File "/spare/tmp/bro/bin/broctl", line 888, in
    loop.onecmd(line)
  File "/usr/lib/python2.5/cmd.py", line 219, in onecmd
    return func(arg)
  File "/spare/tmp/bro/bin/broctl", line 280, in do_status
    control.status(nodes)
  File "/spare/tmp/bro/lib/broctl/BroControl/control.py", line 495, in status
    for (node, success, args) in _queryPeerStatus(nodes):
  File "/spare/tmp/bro/lib/broctl/BroControl/control.py", line 1049, in _queryPeerStatus
    return execute.sendEventsParallel(events)
  File "/spare/tmp/bro/lib/broctl/BroControl/execute.py", line 513, in sendEventsParallel
    (success, bc) = _sendEventInit(node, event, args, result_event)
  File "/spare/tmp/bro/lib/broctl/BroControl/execute.py", line 529, in _sendEventInit
    flags=broccoli.BRO_CFLAG_ALWAYS_QUEUE, connect=False)
  File "/spare/tmp/bro/lib/broctl/broccoli.py", line 14, in __init__
    self.bc = bro_conn_new_str(destination, flags)
TypeError: in method 'bro_conn_new_str', argument 1 of type 'char const *'
abnormal termination, saving state ...

I verified that 'destination' is a string containing host:port.
--
-- Justin Azoff
-- Network Security & Performance Analyst

From JAzoff at albany.edu Tue Nov 8 08:18:29 2011
From: JAzoff at albany.edu (Justin Azoff)
Date: Tue, 8 Nov 2011 11:18:29 -0500
Subject: [Bro] broccoli/swig issue with 2.0-beta
In-Reply-To: <20111108160558.GC6004@datacomm.albany.edu>
References: <20111108160558.GC6004@datacomm.albany.edu>
Message-ID: <20111108161829.GD6004@datacomm.albany.edu>

On Tue, Nov 08, 2011 at 11:05:58AM -0500, Justin Azoff wrote:
> TypeError: in method 'bro_conn_new_str', argument 1 of type 'char const *'
> abnormal termination, saving state ...

Ah.. False alarm. My system has 2 python versions installed plus a local python environment. The fix here was to reset PATH to make sure bro was built against, and ran against, the default system-wide python install. I believe the error is caused by building against one version of python, but running against a different one.

--
-- Justin Azoff
-- Network Security & Performance Analyst

From laizhiquan at gmail.com Wed Nov 9 19:53:06 2011
From: laizhiquan at gmail.com (zhiquan lai)
Date: Thu, 10 Nov 2011 11:53:06 +0800
Subject: [Bro] A question about loading signature files
In-Reply-To: <20111020015633.GG21245@icir.org>
References: <20111020015633.GG21245@icir.org>

Hi, Dear Robin,

Actually, I didn't understand why you didn't recommend using the Snort signatures, which are an important module of Bro just as mentioned in the manual. But, recently, I'm trying to use Snort2bro to translate a new Snort rule set to Bro's signatures. Unfortunately, I found that Snort2bro does not support some elements of snort like "pcre" which is critical in detecting. Is this why you didn't recommend using the Snort signatures?

You said that the Snort signatures are not generally really useful with Bro. What did you mean by that? What about improving Snort2bro to support "pcre" and other elements in Snort? Does this work count?
Thanks,
Quan

> They are not only very old, but also generally not really
> useful with Bro.

On Thu, Oct 20, 2011 at 9:56 AM, Robin Sommer wrote:
>
> On Thu, Oct 20, 2011 at 00:02 +0800, you wrote:
>
> > However, when Bro loaded test.bro, many errors like
> > "smtp_servers(http_servers ...) didn't defined".
>
> These are defined in snort.bro, you can just load that.
>
> However, frankly, I don't recommend using the Snort signature at all
> anymore. They are not only very old, but also generally not really
> useful with Bro.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>

From ngo at lvk.cs.msu.su Thu Nov 10 05:07:41 2011
From: ngo at lvk.cs.msu.su (George Noseevich)
Date: Thu, 10 Nov 2011 17:07:41 +0400
Subject: [Bro] Exporting bro alarms and notices
Message-ID: <4EBBCC9D.2010507@lvk.cs.msu.su>

Hello members of the mailing list.

What is the proper way to export alarms generated by bro for further processing/import into another ids? As far as I understand the docs, bro by default dumps generated alarms to a file or can send them via email. Is there a way to extend bro to enable e.g. storing alarms in a database? Or maybe there is a way to subscribe to alarms from a broccoli-enabled custom app (though as far as I understand the docs, via broccoli one can only subscribe to bro's events, not alerts or notices)? The only way to achieve alarm export I see at the moment is to parse the logfile, which is obviously an ugly kludge.

Thanks in advance for your answers.

PS. And could you please clarify what is the current status of IDMEF support in bro?

--
George.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111110/f2f1ae03/attachment.html

From lruppert at syr.edu Thu Nov 10 05:42:35 2011
From: lruppert at syr.edu (Louis F Ruppert)
Date: Thu, 10 Nov 2011 13:42:35 +0000
Subject: [Bro] Exporting bro alarms and notices
In-Reply-To: <4EBBCC9D.2010507@lvk.cs.msu.su>
References: <4EBBCC9D.2010507@lvk.cs.msu.su>
Message-ID: <18FF0D6321F4A24D901F7651020E931906FA04@SUEX10-mbx-05.ad.syr.edu>

Hello.

If you're using 1.5.x, you can export alarms via syslog like this:

redef enable_syslog = T;

Some of my installations use prelude's LML to then pull the syslogged alerts in and mix them with the other NIDS/HIDS data.

If you're using 2.x beta, Martin did a good writeup here on how to use rsyslog to syslog them to another server:

http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html

I'm glad you asked about the IDMEF support. I've been making some noise for that as well. :)

-Lou

--
Lou Ruppert
Intrusion Analyst, GCFA
Information Security
Syracuse University

________________________________
From: bro-bounces at bro-ids.org [bro-bounces at bro-ids.org] on behalf of George Noseevich [ngo at lvk.cs.msu.su]
Sent: Thursday, November 10, 2011 8:07 AM
To: bro at bro-ids.org
Subject: [Bro] Exporting bro alarms and notices

Hello members of the mailing list.

What is the proper way to export alarms generated by bro for further processing/import into another ids? As far as I understand the docs, bro by default dumps generated alarms to a file or can send them via email. Is there a way to extend bro to enable e.g. storing alarms in a database? Or maybe there is a way to subscribe to alarms from a broccoli-enabled custom app (though as far as I understand the docs, via broccoli one can only subscribe to bro's events, not alerts or notices)? The only way to achieve alarm export I see at the moment is to parse the logfile, which is obviously an ugly kludge.

Thanks in advance for your answers.

PS.
And could you please clarify what is the current status of IDMEF support in bro?

--
George.

From ngo at lvk.cs.msu.su Thu Nov 10 05:52:52 2011
From: ngo at lvk.cs.msu.su (George Noseevich)
Date: Thu, 10 Nov 2011 17:52:52 +0400
Subject: [Bro] Exporting bro alarms and notices
In-Reply-To: <18FF0D6321F4A24D901F7651020E931906FA04@SUEX10-mbx-05.ad.syr.edu>
References: <4EBBCC9D.2010507@lvk.cs.msu.su> <18FF0D6321F4A24D901F7651020E931906FA04@SUEX10-mbx-05.ad.syr.edu>
Message-ID: <4EBBD734.2070101@lvk.cs.msu.su>

Thanks for your answer.

So is the syslog logging (either local or remote) the only alternative to logfiles? No database nor ability to add custom log-processing hooks?

As for IDMEF, I don't personally like the format (bloated xml messages are a nightmare) but it seems this is the only option to handle alerts in a mixed IDS/IPS environment.

On 10.11.2011 17:42, Louis F Ruppert wrote:
> Hello.
>
> If you're using 1.5.x, you can export alarms via syslog like this:
>
> redef enable_syslog = T;
>
> Some of my installations use prelude's LML to then pull the syslogged
> alerts in and mix them with the other NIDS/HIDS data.
>
> If you're using 2.x beta, Martin did a good writeup here on how to use
> rsyslog to syslog them to another server:
>
> http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html
>
> I'm glad you asked about the IDMEF support. I've been making some
> noise for that as well. :)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111110/a5a5a275/attachment.html

From robin at icir.org Thu Nov 10 06:23:40 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 10 Nov 2011 06:23:40 -0800
Subject: [Bro] Exporting bro alarms and notices
In-Reply-To: <4EBBD734.2070101@lvk.cs.msu.su>
References: <4EBBCC9D.2010507@lvk.cs.msu.su> <18FF0D6321F4A24D901F7651020E931906FA04@SUEX10-mbx-05.ad.syr.edu> <4EBBD734.2070101@lvk.cs.msu.su>
Message-ID: <20111110142340.GC56945@icir.org>

On Thu, Nov 10, 2011 at 17:52 +0400, George Noseevich wrote:

> So is the syslog logging (either local or remote) the only alternative
> to logfiles? No database nor ability to add custom log-processing hooks?

No DB interface right now but the new 2.0 logging framework does allow plugging in different logging backends. Currently, we only have the ASCII writer that produces the *.log files you're seeing, but binary output and DB writers are planned. In fact, there's already a patch in the tracker adding CouchDB support:

http://tracker.bro-ids.org/bro/ticket/634

> As for IDMEF, I don't personally like the format (bloated xml messages
> are a nightmare) but it seems this is the only option to handle alerts
> in a mixed IDS/IPS environment.

Yeah, IDMEF is something we should add. Not totally clear to me yet though how exactly that would look on the implementation side.
Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From mcholste at gmail.com Thu Nov 10 09:17:40 2011
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 10 Nov 2011 11:17:40 -0600
Subject: [Bro] Exporting bro alarms and notices
In-Reply-To: <20111110142340.GC56945@icir.org>
References: <4EBBCC9D.2010507@lvk.cs.msu.su> <18FF0D6321F4A24D901F7651020E931906FA04@SUEX10-mbx-05.ad.syr.edu> <4EBBD734.2070101@lvk.cs.msu.su> <20111110142340.GC56945@icir.org>

> No DB interface right now but the new 2.0 logging framework does allow
> plugging in different logging backends. Currently, we only have the
> ASCII writer that produces the *.log file you're seeing, but binary
> output and DB writers are planned. In fact, there's already a patch in
> the tracker adding CouchDB support:
>

Careful on the CouchDB stuff: the write performance is atrocious over a sustained period. I couldn't get a single-node install to receive more than a few hundred events per second. MongoDB will give you a sustained few thousand writes per second, depending on how many indexes you've created on the collection. Even writing JSON blobs to any traditional database works surprisingly well for most uses, especially if you have it write to a few key-value columns for quick indexing.

In the near-term, as I talked about at the workshop, I'll be announcing an official ELSA release early next week which will read syslog and handle grepping, basic reporting, and alerting for you from a web interface. (I didn't get to cover alerting in the talk, but it's fully integrated as well. There's also a CLI interface I didn't cover, so you can use it like bro-cut.)
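Until the DB writers Robin mentions exist, the practical route out of Bro 2.0 is the ASCII *.log files themselves. As an added example (my code, not code from this thread or from the Bro project), the Python below reads the tab-separated ASCII log layout by honouring the #separator, #set_separator, #empty_field, #unset_field, #fields and #types header lines instead of hard-coding column positions, so the same function handles conn.log, notice.log or any other writer output, converts each column according to its declared Bro type, and picks out the records whose actions include Notice::ACTION_ALARM for forwarding to a database or another IDS. The embedded notice.log is constructed for the example: the field names follow Notice::Info, the addresses, uid and timestamps are made up, and HTTP::Example_Notice is a placeholder notice type.

```python
"""Parse Bro 2.0 ASCII logs (the *.log files the ASCII writer produces) into
dicts, so notices can be forwarded without shelling out to grep or bro-cut.
Added example; not code from the Bro project."""

# Constructed sample in the Bro 2.0 ASCII log layout (header lines start
# with '#', columns are tab separated). All values are made up.
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tactions\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\ttable[enum]\n"
    "1321025260.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t192.0.2.10\t443\t"
    "SSL::Invalid_Server_Cert\tSSL certificate validation failed\t"
    "Notice::ACTION_LOG,Notice::ACTION_ALARM\n"
    "1321025261.000000\t-\t10.0.0.7\t40000\t192.0.2.11\t80\t"
    "HTTP::Example_Notice\t-\t(empty)\n"
)


def _decode_separator(spec):
    """'#separator \\x09' spells the column separator as an escaped byte."""
    return spec.encode("ascii").decode("unicode_escape")


def _convert(value, typ, set_sep, empty, unset):
    """Map one column to a Python value according to its #types entry."""
    if value == unset:
        return None
    if typ.startswith(("table[", "set[", "vector[")):
        if value == empty:
            return []
        inner = typ[typ.index("[") + 1:-1]
        return [_convert(v, inner, set_sep, empty, unset)
                for v in value.split(set_sep)]
    if typ in ("count", "int", "port"):
        return int(value)
    if typ in ("time", "interval", "double"):
        return float(value)
    if typ == "bool":
        return value == "T"
    return value  # string, addr, subnet, enum and anything else stay text


def parse_bro_log(text):
    """Yield one dict per data line, keyed by the names in #fields."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields = types = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _decode_separator(line[len("#separator "):])
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path and any other header lines are ignored
        if fields is None or types is None:
            raise ValueError("data line before #fields/#types header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("expected %d columns, got %d"
                             % (len(fields), len(values)))
        yield {f: _convert(v, t, set_sep, empty, unset)
               for f, v, t in zip(fields, values, types)}


def alarmed_notices(text):
    """Records whose actions include Notice::ACTION_ALARM, i.e. the ones an
    external IDS or ticketing system would normally want to receive."""
    return [r for r in parse_bro_log(text)
            if "Notice::ACTION_ALARM" in (r.get("actions") or [])]


if __name__ == "__main__":
    for rec in alarmed_notices(SAMPLE_NOTICE_LOG):
        print(rec["ts"], rec["note"], rec["id.orig_h"], "->", rec["id.resp_h"])
```

Reading the header lines rather than assuming a column order is what keeps this working across log types and across the field additions a `redef record` brings (such as the `peer` column added to conn.log later in this thread); a forwarder that splits on tabs and indexes by position silently shifts its columns the moment a site script extends the record.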
From seth at icir.org Fri Nov 11 06:37:03 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 11 Nov 2011 09:37:03 -0500
Subject: [Bro] A question about loading signature files
References: <20111020015633.GG21245@icir.org>
Message-ID: <79B44181-BAE3-4E12-97CE-5CBA762D44DB@icir.org>

On Nov 9, 2011, at 10:53 PM, zhiquan lai wrote:

> But, recently, I'm trying to use Snort2bro to translate new Snort Rule set to Bro's signature. Unfortunately, I found that Snort2bro does not support some elements of snort like "pcre" which is critical in detecting. Is this why you didn't recommend using the Snort signature?

Bro 2.0-beta doesn't have the snort2bro utility anymore due to its lagging support for more modern Snort features. If you begin relying on it with 1.5, understand that you may not be able to migrate that support to 2.0 and future releases.

We actually have an alternate approach to the Snort rule language now. The Barnyard2 project has a Bro output plugin so that Bro can receive alerts from Snort and Suricata for further correlation and analysis. As you probably understand, it makes the most sense to run those rules in the tool they were originally written and tested for. If we continued attempting to support Snort rules, there is no saying that we would actually be interpreting them completely correctly.

If you are interested in improving Bro's signature support we can certainly talk more.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From jones at tacc.utexas.edu Mon Nov 14 10:45:37 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Mon, 14 Nov 2011 18:45:37 +0000
Subject: [Bro] PF_RING has a memory leak

FYI

It is not releasing memory when you restart bro. After enough restarts all the memory on the system will be exhausted and the machine will crash.

Bill Jones

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111114/48f3771d/attachment.html

From mcholste at gmail.com Mon Nov 14 11:12:12 2011
From: mcholste at gmail.com (Martin Holste)
Date: Mon, 14 Nov 2011 13:12:12 -0600
Subject: [Bro] PF_RING has a memory leak

What does it do with a stop/start? Also, what version of PF_RING are you using? (cat /proc/net/pf_ring/info).

On Mon, Nov 14, 2011 at 12:45 PM, William Jones wrote:
> FYI
>
> It is not releasing memory when you restart bro. After enough restarts all
> the memory on the system will be exhausted and the machine will crash.
>
> Bill Jones
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From seth at icir.org Mon Nov 14 13:50:23 2011
From: seth at icir.org (Seth Hall)
Date: Mon, 14 Nov 2011 16:50:23 -0500
Subject: [Bro] Finding out which worker is seeing connections
Message-ID: <4DDA412D-162B-449F-AB40-82B438CDB216@icir.org>

I got a question today about how to figure out which worker is seeing connections in a large cluster so I whipped up some code quickly to help find out. I'm including it here because I think it may help others too.

====begin=====
redef record Conn::Info += {
    peer: string &log &optional;
};

event connection_state_remove(c: connection)
    {
    if ( c?$conn )
        c$conn$peer = peer_description;
    }
====end=====

That will include a "peer" column in your conn.log that indicates which worker analyzed the connection. You should probably include this code in a new file in your site/ directory and load the file in local.bro. Since the file is in your site/ directory you won't need to add any directory prefixes and you can load the file directly. If you place the file into /share/bro/site/conn-peer-extension.bro you can load it in local.bro with "@load conn-peer-extension".
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From laizhiquan at gmail.com Mon Nov 14 17:03:58 2011
From: laizhiquan at gmail.com (zhiquan lai)
Date: Tue, 15 Nov 2011 09:03:58 +0800
Subject: [Bro] A question about loading signature files
In-Reply-To: <79B44181-BAE3-4E12-97CE-5CBA762D44DB@icir.org>
References: <20111020015633.GG21245@icir.org> <79B44181-BAE3-4E12-97CE-5CBA762D44DB@icir.org>

I will go to Bro 2.0-beta and the Barnyard2 project, and come back if I have any question :)

Thanks
Quan

On Fri, Nov 11, 2011 at 10:37 PM, Seth Hall wrote:
>
> On Nov 9, 2011, at 10:53 PM, zhiquan lai wrote:
>
> > But, recently, I'm trying to use Snort2bro to translate new Snort Rule
> set to Bro's signature. Unfortunately, I found that Snort2bro does not
> support some elements of snort like "pcre" which is critical in detecting.
> Is this why you didn't recommend using the Snort signature?
>
> Bro 2.0-beta doesn't have the snort2bro utility anymore due to its
> lagging support for more modern Snort features. If you begin relying on it
> with 1.5, understand that you may not be able to migrate that support to
> 2.0 and future releases.
>
> We actually have an alternate approach to the Snort rule language now.
> The Barnyard2 project has a Bro output plugin so that Bro can receive
> alerts from Snort and Suricata for further correlation and analysis. As
> you probably understand, it makes the most sense to run those rules in the
> tool they were originally written and tested for. If we continued
> attempting to support Snort rules, there is no saying that we would
> actually be interpreting them completely correctly.
>
> If you are interested in improving Bro's signature support we can
> certainly talk more.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>

From seth at icir.org Tue Nov 15 05:13:02 2011
From: seth at icir.org (Seth Hall)
Date: Tue, 15 Nov 2011 08:13:02 -0500
Subject: [Bro] A question about loading signature files
References: <20111020015633.GG21245@icir.org> <79B44181-BAE3-4E12-97CE-5CBA762D44DB@icir.org>

On Nov 14, 2011, at 8:03 PM, zhiquan lai wrote:

> I will go to Bro 2.0-beta and the Barnyard2 project, and come back if I have any question :)

Thanks! Let me know if you encounter any trouble with the Barnyard2 output plugin or Bro. I haven't touched the Barnyard2 code in over a year at this point but I'm certainly still willing to make fixes and updates to it.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From trogdorsey at gmail.com Wed Nov 16 07:54:21 2011
From: trogdorsey at gmail.com (David Dorsey)
Date: Wed, 16 Nov 2011 08:54:21 -0700
Subject: [Bro] Problem extracting files

I'm trying to extract PDF files using the bro 2.0 beta, so I added the following line to share/bro/site/local.bro.

redef HTTP::extract_file_types = /application\/pdf/;

However, no files are being extracted. And if I open up BroControl and print out that variable, I get this:

[BroControl] > print HTTP::extract_file_types
bro HTTP::extract_file_types = /^?(NO_DEFAULT)$?/
[BroControl] >

Is there another variable I need to set?

Thanks,
David

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111116/dd6cef0c/attachment.html

From seth at icir.org Wed Nov 16 08:38:51 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 16 Nov 2011 11:38:51 -0500
Subject: [Bro] Problem extracting files

On Nov 16, 2011, at 10:54 AM, David Dorsey wrote:

> [BroControl] > print HTTP::extract_file_types
> bro HTTP::extract_file_types = /^?(NO_DEFAULT)$?/
> [BroControl] >
>
> Is there another variable I need to set?

After you added the redef, did you do the check, install, restart dance in broctl? BroControl uses cached copies of the scripts so that the running scripts are only updated when you are ready with the "install" command.

Variables that you redef can also be modified at runtime with the "update" command so instead you could do check, install, update. If you use the print command before and after you should see the change reflected. There is a bug in the HTTP file extraction in the beta too where it only extracts an initial chunk of the file; it's fixed in the git repository already though.

Files will also be extracted to the spool/bro directory too (assuming you haven't changed your node.cfg) and I don't know how they will be handled upon file rotation. We haven't had time to put a lot of thought to live traffic file extraction on clusters or with BroControl so behavior is a little unknown currently.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From trogdorsey at gmail.com Wed Nov 16 08:47:46 2011
From: trogdorsey at gmail.com (David Dorsey)
Date: Wed, 16 Nov 2011 09:47:46 -0700
Subject: [Bro] Problem extracting files

Ah, apparently I have two left feet, since I didn't do the check and install part of the dance. And thanks for the tip on the HTTP extraction bug, that explains why every pdf is only 1500 bytes. :o) I'll grab the update from the GIT repo.
David

On Wed, Nov 16, 2011 at 9:38 AM, Seth Hall wrote:
>
> On Nov 16, 2011, at 10:54 AM, David Dorsey wrote:
>
> > [BroControl] > print HTTP::extract_file_types
> > bro HTTP::extract_file_types = /^?(NO_DEFAULT)$?/
> > [BroControl] >
> >
> > Is there another variable I need to set?
>
> After you added the redef, did you do the check, install, restart dance in
> broctl? BroControl uses cached copies of the scripts so that the running
> scripts are only updated when you are ready with the "install" command.
>
> Variables that you redef can also be modified at runtime with the "update"
> command so instead you could do check, install, update. If you use the
> print command before and after you should see the change reflected. There
> is a bug in the HTTP file extraction in the beta too where it only extracts
> an initial chunk of the file, it's fixed in the git repository already
> though.
>
> Files will also be extracted to the spool/bro directory too (assuming you
> haven't changed your node.cfg) and I don't know how they will be handled
> upon file rotation. We haven't had time to put a lot of thought to live
> traffic file extraction on clusters or with BroControl so behavior is a
> little unknown currently.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>

From seth at icir.org Wed Nov 16 08:55:30 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 16 Nov 2011 11:55:30 -0500
Subject: [Bro] Problem extracting files

On Nov 16, 2011, at 11:47 AM, David Dorsey wrote:

> Ah, apparently I have two left feet, since I didn't do the check and install part of the dance.

We don't have it documented very clearly yet (unless I'm mistaken?) so don't feel bad.
:)

> And thanks for the tip on the HTTP extraction bug, that explains why every pdf is only 1500 bytes. :o) I'll grab the update from the GIT repo.

It's in master so after you clone the repository it should already be in place.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From mathew.binkley at vanderbilt.edu Wed Nov 16 09:28:39 2011
From: mathew.binkley at vanderbilt.edu (Mathew Binkley)
Date: Wed, 16 Nov 2011 11:28:39 -0600
Subject: [Bro] Adding SSL certs to Bro 2.0
Message-ID: <4EC3F2C7.50206@vanderbilt.edu>

Hi! I've been testing the 2.0 beta (kudos, btw). My alarm file is getting tons of SSL::Invalid_Server_Cert from our own local certs, doegrid certs, cern.ch, fnal.gov, presumably because the root CA cert for those is not included with either Bro or the OS.

I see share/bro/base/protocols/ssl/mozilla-ca-list has a bundle of root CA certs. Is there a way to add our own to that or to a separate file? How is that file generated? Thanks.

Mat

From sri at basam.org Wed Nov 16 09:35:37 2011
From: sri at basam.org (sridhar basam)
Date: Wed, 16 Nov 2011 12:35:37 -0500
Subject: [Bro] Adding SSL certs to Bro 2.0
In-Reply-To: <4EC3F2C7.50206@vanderbilt.edu>
References: <4EC3F2C7.50206@vanderbilt.edu>
Message-ID:

On Wed, Nov 16, 2011 at 12:28 PM, Mathew Binkley <mathew.binkley at vanderbilt.edu> wrote:

> Hi! I've been testing the 2.0 beta (kudos, btw). My alarm file is
> getting tons of SSL::Invalid_Server_Cert from our own local certs,
> doegrid certs, cern.ch, fnal.gov, presumably because the root CA cert
> for those is not included with either Bro or the OS.
>
> I see share/bro/base/protocols/ssl/mozilla-ca-list has a bundle of root
> CA certs. Is there a way to add our own to that or to a separate file?
> How is that file generated? Thanks.
>
>
share/bro/site/local.bro redef the list to append your local entries.
Sridhar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111116/dfb20ec0/attachment.html

From seth at icir.org Wed Nov 16 10:16:40 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 16 Nov 2011 13:16:40 -0500
Subject: [Bro] Adding SSL certs to Bro 2.0
In-Reply-To: <4EC3F2C7.50206@vanderbilt.edu>
References: <4EC3F2C7.50206@vanderbilt.edu>
Message-ID: <3BCA38E4-AA36-4D3D-8DE0-E826D44C2B64@icir.org>

On Nov 16, 2011, at 12:28 PM, Mathew Binkley wrote:

> Hi! I've been testing the 2.0 beta (kudos, btw).

Great, thanks!

> I see share/bro/base/protocols/ssl/mozilla-ca-list has a bundle of root
> CA certs. Is there a way to add our own to that or to a separate file?
> How is that file generated? Thanks.

We have an exercise from the workshop that specifically addresses this situation. We will be posting the workshop material really soon too.

Ultimately, you need to take a DER formatted version of your root public key and convert it to Bro's hex string representation and add it to the SSL::root_certs table. Like this....

redef SSL::root_certs += {
	["your root certificates subject"] = "\x30\x82\x03\x75\x30\x82";
};

You can add that to the bottom of your local.bro file as Sridhar recommended.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From lruppert at syr.edu Wed Nov 16 13:16:58 2011
From: lruppert at syr.edu (Louis F Ruppert)
Date: Wed, 16 Nov 2011 21:16:58 +0000
Subject: [Bro] Adding SSL certs to Bro 2.0
In-Reply-To: <3BCA38E4-AA36-4D3D-8DE0-E826D44C2B64@icir.org>
References: <4EC3F2C7.50206@vanderbilt.edu>, <3BCA38E4-AA36-4D3D-8DE0-E826D44C2B64@icir.org>
Message-ID: <18FF0D6321F4A24D901F7651020E931908EA0B@SUEX10-mbx-05.ad.syr.edu>

The semicolon at the end of the second line errors. Removing it causes it to work.
If anyone's interested, I have a sloppy python script that will take a "standard" .pem cert and output a valid "redef SSL::root_certs += {..." stanza like the one Seth wrote. I tested it with the cacert root sig and it's happy with my certs now. :)

-Lou

--
Lou Ruppert
Intrusion Analyst, GCFA
Information Security
Syracuse University

________________________________________
From: bro-bounces at bro-ids.org [bro-bounces at bro-ids.org] on behalf of Seth Hall [seth at icir.org]
Sent: Wednesday, November 16, 2011 1:16 PM
To: Mathew Binkley
Cc: bro at bro-ids.org
Subject: Re: [Bro] Adding SSL certs to Bro 2.0

On Nov 16, 2011, at 12:28 PM, Mathew Binkley wrote:

> Hi! I've been testing the 2.0 beta (kudos, btw).

Great, thanks!

> I see share/bro/base/protocols/ssl/mozilla-ca-list has a bundle of root
> CA certs. Is there a way to add our own to that or to a separate file?
> How is that file generated? Thanks.

We have an exercise from the workshop that specifically addresses this situation. We will be posting the workshop material really soon too.

Ultimately, you need to take a DER formatted version of your root public key and convert it to Bro's hex string representation and add it to the SSL::root_certs table. Like this....

redef SSL::root_certs += {
	["your root certificates subject"] = "\x30\x82\x03\x75\x30\x82";
};

You can add that to the bottom of your local.bro file as Sridhar recommended.
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From mathew.binkley at vanderbilt.edu Wed Nov 16 13:25:01 2011
From: mathew.binkley at vanderbilt.edu (Mathew Binkley)
Date: Wed, 16 Nov 2011 15:25:01 -0600
Subject: [Bro] Adding SSL certs to Bro 2.0
In-Reply-To: <18FF0D6321F4A24D901F7651020E931908EA0B@SUEX10-mbx-05.ad.syr.edu>
References: <4EC3F2C7.50206@vanderbilt.edu>, <3BCA38E4-AA36-4D3D-8DE0-E826D44C2B64@icir.org> <18FF0D6321F4A24D901F7651020E931908EA0B@SUEX10-mbx-05.ad.syr.edu>
Message-ID: <4EC42A2D.7000803@vanderbilt.edu>

On 11/16/2011 03:16 PM, Louis F Ruppert wrote:
> If anyone's interested, I have a sloppy python script that will take
> a "standard" .pem cert and output a valid "redef SSL::root_certs +=
> {..." stanza like the one Seth wrote. I tested it with the cacert
> root sig and it's happy with my certs now. :)

I would definitely be interested.

Mat

From mathew.binkley at vanderbilt.edu Wed Nov 16 17:14:36 2011
From: mathew.binkley at vanderbilt.edu (Mathew Binkley)
Date: Wed, 16 Nov 2011 19:14:36 -0600
Subject: [Bro] Adding SSL certs to Bro 2.0
In-Reply-To: <3BCA38E4-AA36-4D3D-8DE0-E826D44C2B64@icir.org>
References: <4EC3F2C7.50206@vanderbilt.edu> <3BCA38E4-AA36-4D3D-8DE0-E826D44C2B64@icir.org>
Message-ID: <4EC45FFC.20106@vanderbilt.edu>

I heard back from some of the guys at FNAL, and they pointed out the FNAL CA cert is part of the IGTF distro:

http://www.igtf.net

and 3 tarballs of certs at:

https://dist.eugridpma.info/distribution/igtf/current/accredited/

That covers most of the major scientific/research CA's I know of. Adding those to Bro would complement the list of commercial CA's extracted from Mozilla.
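Lou's PEM-to-stanza script is not attached to the thread, so here is an added example of the same job (written for this page, not Lou's script and not part of Bro): it base64-decodes a PEM root certificate to DER, pulls the subject out with a minimal ASN.1 walker, and prints the `redef SSL::root_certs += { ... };` stanza in the form Seth posted, without the trailing semicolon Lou reports as an error. The key format "CN=...,O=...,C=..." (most specific RDN first, commas in values left unescaped) is an assumption modelled on the entries in mozilla-ca-list.bro, and the script carries a constructed, unsigned sample certificate so it runs without a real CA file.

```python
import base64
import sys

# DER-encoded contents of the attribute OIDs that appear in typical CA subjects.
OID_NAMES = {
    b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
    b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
}


def pem_to_der(pem: str) -> bytes:
    """Base64-decode the body between the BEGIN/END CERTIFICATE markers."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_subject(der: bytes) -> str:
    """Walk Certificate -> tbsCertificate -> subject and render it as text."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)              # [0] EXPLICIT version is optional
    if tag != 0xA0:
        pos = 0                             # v1 cert: first element is the serial
    for _ in range(4):                      # serialNumber, signature, issuer, validity
        _, _, pos = _tlv(tbs, pos)
    _, name, _ = _tlv(tbs, pos)             # subject ::= SEQUENCE OF RDN
    rdns, pos = [], 0
    while pos < len(name):
        _, rdn, pos = _tlv(name, pos)       # RelativeDistinguishedName ::= SET
        _, atv, _ = _tlv(rdn, 0)            # first AttributeTypeAndValue
        _, oid, p = _tlv(atv, 0)
        _, val, _ = _tlv(atv, p)
        rdns.append("%s=%s" % (OID_NAMES.get(oid, oid.hex()),
                               val.decode("utf-8", "replace")))
    # Assumption: key format mirrors mozilla-ca-list.bro, most specific RDN first.
    return ",".join(reversed(rdns))


def bro_hex_string(der: bytes) -> str:
    """Render DER bytes as the escaped Bro string Seth's example uses."""
    return "".join("\\x%02x" % b for b in der)


def root_certs_stanza(pem: str) -> str:
    """Build the local.bro stanza; no ';' after the value, per Lou's fix."""
    der = pem_to_der(pem)
    subject = der_subject(der).replace("\\", "\\\\").replace('"', '\\"')
    return ('redef SSL::root_certs += {\n'
            '\t["%s"] = "%s"\n'
            '};\n' % (subject, bro_hex_string(der)))


# --- constructed sample input so the script can be run offline ---------------
def _enc(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_pem() -> str:
    """An unsigned certificate skeleton with a realistic subject (constructed)."""
    name = _enc(0x30, b"".join(
        _enc(0x31, _enc(0x30, _enc(0x06, oid) + _enc(0x13, txt.encode())))
        for oid, txt in [(b"\x55\x04\x06", "US"), (b"\x55\x04\x0a", "Example Lab"),
                         (b"\x55\x04\x03", "Example Lab Root CA")]))
    tbs = _enc(0x30,
               _enc(0xA0, _enc(0x02, b"\x02"))                     # version v3
               + _enc(0x02, b"\x01")                                # serialNumber
               + _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
                      + _enc(0x05, b""))                            # sha256WithRSA
               + name                                               # issuer
               + _enc(0x30, _enc(0x17, b"111116000000Z")
                      + _enc(0x17, b"211116000000Z"))               # validity
               + name                                               # subject
               + _enc(0x30, b""))                                   # SPKI placeholder
    der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    # Usage: python3 pem2rootcert.py root.pem   (no argument: use the sample)
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_pem()
    sys.stdout.write(root_certs_stanza(pem))
```

Append the printed stanza to local.bro and run the check, install, restart dance described earlier in the thread.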
Mat

From seth at icir.org Wed Nov 16 18:40:22 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 16 Nov 2011 21:40:22 -0500
Subject: [Bro] Adding SSL certs to Bro 2.0
In-Reply-To: <4EC45FFC.20106@vanderbilt.edu>
References: <4EC3F2C7.50206@vanderbilt.edu> <3BCA38E4-AA36-4D3D-8DE0-E826D44C2B64@icir.org> <4EC45FFC.20106@vanderbilt.edu>
Message-ID: <5428D101-48B5-4066-8D6C-8FED05E5739F@icir.org>

On Nov 16, 2011, at 8:14 PM, Mathew Binkley wrote:

> I heard back from some of the guys at FNAL, and they pointed out the
> FNAL CA cert is part of the IGTF distro:
>
> http://www.igtf.net
>
> and 3 tarballs of certs at:

Ah, cool. I think this might make a good contribution to the upcoming contributed scripts repository. We are still trying to iron out the details about how it will work, but it is coming. The Mozilla root CA list might even get moved to the contributed scripts repository eventually so that we can keep it updated more easily between releases.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From ngo at lvk.cs.msu.su Wed Nov 16 23:57:18 2011
From: ngo at lvk.cs.msu.su (George Noseevich)
Date: Thu, 17 Nov 2011 11:57:18 +0400
Subject: [Bro] Question about port scan detection and raising alarms
Message-ID: <4EC4BE5E.1080104@lvk.cs.msu.su>

Hello!

I wonder, is the port scan detection functionality present in bro 2.0, and if it is, how to enable it? I am starting bro with scripts/test-all-policy.bro, which should (I suppose) enable all built-in analyzers, then perform a standard nmap SYN scan of the host running bro. After that, I shut down bro and examine the results. However, nothing related to scanning is shown in notice.log, and the alarm.log doesn't even get created. Am I missing some important steps here?

I'm running bro directly via cli: bro -i eth0 scripts/test-all-policy.bro

As a side question: what is the easiest way to test bro's alarm-triggering?
What I need is a sample pcap file (or some kind of instructions), which will trigger alarms in a default bro configuration (freshly-built bro run with scripts that are distributed with bro itself).

Thanks

From jones at tacc.utexas.edu Thu Nov 17 09:54:29 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Thu, 17 Nov 2011 17:54:29 +0000
Subject: [Bro] Just a heads up -- there may be a bug in PF_RING/libpcap returning bad time values when there are dropped packets
Message-ID:

- - -
1321520562.720025 VD19UEezKk4 xxx.xxx.xxx.xxx 54612 xxx.xxx.xx.xx 22 SSH::Login Heuristically detected successful SSH login. - xxx.xxx.xxx.xxx 129.114.53.21 22 - worker-1 Notice::ACTION_LOG 6 3600.000000 - - - - - - - - -
1.629801e+18 9gzmxQTXPJ3 xxx.xxx.xxx.xx 2055 129.114.50.164 22 SSH::Login Heuristically detected successful SSH login. - xxx.xxx.xxx.xx 129.114.50.164 22 - worker-9 Notice::ACTION_LOG 6 3600.000000 - - - - - - - - -
1.629801e+18 3tlmhveEq7i xxx.xxx.xxx.xx 14870 129.114.53.22 22 SSH::Login Heuristically detected successful SSH login. - xxx.xxx.xxx.xxx 129.114.53.22 22 - worker-9 Notice::ACTION_LOG 6 3600.000000 - - - - - - - - -
1.629801e+18 woMMKkdCqBf xxx.xxx.xxx.xxx 14872 129.114.53.22 22 SSH::Login Heuristically detected successful SSH login. - xxx.xxx.xxx.xxx 129.114.53.22 22 - worker-9 Notice::ACTION_LOG 6 3600.000000 - - - - - - - - -
-------------- next part --------------
An HTML attachment was scrubbed...
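The rows William posted show a ts of 1.629801e+18 next to a sane 1321520562.72, which silently breaks any time-based correlation done on the logs. As an added example (not part of Bro or of the thread), a small checker that reads Bro 2.0 ASCII log rows, finds the ts and uid columns from a #fields header when one is present (otherwise it assumes columns 0 and 1, as notice.log and conn.log are laid out), and reports every row whose timestamp falls outside a plausible window; the sample rows are constructed after the posted ones with a subset of the notice.log fields.

```python
import sys
import time

# Plausible window in Unix epoch seconds: anything before 2000-01-01 or more
# than a day past the reference time is treated as a broken packet timestamp
# rather than a real event time.
MIN_TS = 946684800.0
SLACK_SECONDS = 86400.0


def find_bad_timestamps(lines, now):
    """Return [(line_no, uid, ts)] for rows whose ts lies outside the window.

    Accepts tab-separated Bro 2.0 ASCII log rows. A '#fields' header, when
    present, names the columns; otherwise column 0 is ts and column 1 is uid.
    A ts that does not parse at all is reported with its raw text.
    """
    ts_col, uid_col = 0, 1
    bad = []
    for line_no, line in enumerate(lines, 1):
        if line.startswith("#fields"):
            names = line.split("\t")[1:]
            ts_col, uid_col = names.index("ts"), names.index("uid")
            continue
        if not line.strip() or line.startswith("#"):
            continue                       # other header/comment lines
        fields = line.split("\t")
        if len(fields) <= max(ts_col, uid_col):
            continue                       # truncated row; nothing to judge
        try:
            ts = float(fields[ts_col])     # "1.629801e+18" parses fine here
        except ValueError:
            bad.append((line_no, fields[uid_col], fields[ts_col]))
            continue
        if ts < MIN_TS or ts > now + SLACK_SECONDS:
            bad.append((line_no, fields[uid_col], ts))
    return bad


# Constructed sample modelled on the rows posted above (subset of fields).
SAMPLE_NOTICE_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tpeer_descr",
    "1321520562.720025\tVD19UEezKk4\txxx.xxx.xxx.xxx\t54612\t129.114.53.21\t22\tSSH::Login\tworker-1",
    "1.629801e+18\t9gzmxQTXPJ3\txxx.xxx.xxx.xx\t2055\t129.114.50.164\t22\tSSH::Login\tworker-9",
    "1.629801e+18\t3tlmhveEq7i\txxx.xxx.xxx.xx\t14870\t129.114.53.22\t22\tSSH::Login\tworker-9",
    "1.629801e+18\twoMMKkdCqBf\txxx.xxx.xxx.xxx\t14872\t129.114.53.22\t22\tSSH::Login\tworker-9",
]

if __name__ == "__main__":
    # Usage: python3 check_ts.py notice.log   (no argument: use the sample)
    if len(sys.argv) > 1:
        rows = open(sys.argv[1]).read().splitlines()
    else:
        rows = SAMPLE_NOTICE_LOG
    for line_no, uid, ts in find_bad_timestamps(rows, time.time()):
        print("line %d uid %s: implausible ts %r" % (line_no, uid, ts))
```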
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111117/9bbaa71e/attachment.html

From robin at icir.org Fri Nov 18 07:53:08 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 18 Nov 2011 07:53:08 -0800
Subject: [Bro] Question about port scan detection and raising alarms
In-Reply-To: <4EC4BE5E.1080104@lvk.cs.msu.su>
References: <4EC4BE5E.1080104@lvk.cs.msu.su>
Message-ID: <20111118155308.GF24022@icir.org>

On Thu, Nov 17, 2011 at 11:57 +0400, you wrote:

> I wonder, is the port scan detection functionality present in bro 2.0,

No, the scan detector isn't in there yet. We're planning to rewrite it using the new frameworks, but that didn't make it into 2.0. We have however ported the 1.5 version over to Bro 2.0 and put it into the contributed scripts repository for now, see here:

http://git.bro-ids.org/bro-scripts.git/tree

You can download scan.bro from there, put it into your site directory, and then load it from local.bro. The script hasn't seen much testing yet, but it's basically the 1.5 version with a few little pieces updated to the 2.0 API changes.

> As a side question: what is the easiest way to test bro's
> alarm-triggering?

The easiest way would be without any trace at all, just some lines of script code directly triggering an alarm. There are a few tests in the test suite which do that. Try this:

bro /testing/btest/scripts/base/frameworks/notice/suppression.bro

Then look at notice.log.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From james.swaro at gmail.com Sat Nov 19 11:08:48 2011
From: james.swaro at gmail.com (James Sw aro)
Date: Sat, 19 Nov 2011 14:08:48 -0500
Subject: [Bro] CMake/Google Perftools CPUProfiler
Message-ID:

The Google Perftools CPUProfiler (lprofiler) does not seem to be linked into bro when perftools is enabled. Is this an error or is it intentional?

Is there an alternate flag available to include the CPU Profiler?
configured with --enable-perftools option, rebuilt and installed, no lprofiler exists.

$ ldd /usr/local/bro/bin/bro
	linux-gate.so.1 => (0xb77bf000)
	libpcap.so.0.8 => /usr/lib/i386-linux-gnu/libpcap.so.0.8 (0xb7770000)
	libssl.so.1.0.0 => /usr/lib/i686/cmov/libssl.so.1.0.0 (0xb7723000)
	libcrypto.so.1.0.0 => /usr/lib/i686/cmov/libcrypto.so.1.0.0 (0xb7574000)
	libz.so.1 => /usr/lib/libz.so.1 (0xb7560000)
	libtcmalloc.so.0 => /usr/local/lib/libtcmalloc.so.0 (0xb74dc000)
	libstdc++.so.6 => /usr/lib/i386-linux-gnu/libstdc++.so.6 (0xb73ee000)
	libm.so.6 => /lib/i386-linux-gnu/i686/cmov/libm.so.6 (0xb73c8000)
	libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xb73aa000)
	libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb7250000)
	libpthread.so.0 => /lib/i386-linux-gnu/i686/cmov/libpthread.so.0 (0xb7237000)
	libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xb7233000)
	/lib/ld-linux.so.2 (0xb77c0000)

Thoughts?

Thanks!

--
- James Swaro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111119/0532bf92/attachment.html

From gc355804 at ohio.edu Sat Nov 19 13:13:44 2011
From: gc355804 at ohio.edu (Gilbert Clark)
Date: Sat, 19 Nov 2011 16:13:44 -0500
Subject: [Bro] CMake/Google Perftools CPUProfiler
In-Reply-To:
References:
Message-ID: <4EC81C08.1050207@ohio.edu>

Examining FindGooglePerftools, it looks like it only uses tcmalloc. The attached patch should change this to use tcmalloc_and_profiler instead.

James, mind opening an issue for this on the tracker?

Thanks,
Gilbert

On 11/19/2011 2:08 PM, James Swaro wrote:
> The Google Perftools CPUProfiler (lprofiler) does not seem to be
> linked into bro when perftools is enabled. Is this an error or is it
> intentional?
>
> Is there an alternate flag available to include the CPU Profiler?
>
> configured with --enable-perftools option, rebuilt and installed, no
> lprofiler exists.
>
> $ ldd /usr/local/bro/bin/bro
> linux-gate.so.1 => (0xb77bf000)
> libpcap.so.0.8 => /usr/lib/i386-linux-gnu/libpcap.so.0.8 (0xb7770000)
> libssl.so.1.0.0 => /usr/lib/i686/cmov/libssl.so.1.0.0 (0xb7723000)
> libcrypto.so.1.0.0 => /usr/lib/i686/cmov/libcrypto.so.1.0.0 (0xb7574000)
> libz.so.1 => /usr/lib/libz.so.1 (0xb7560000)
> libtcmalloc.so.0 => /usr/local/lib/libtcmalloc.so.0 (0xb74dc000)
> libstdc++.so.6 => /usr/lib/i386-linux-gnu/libstdc++.so.6 (0xb73ee000)
> libm.so.6 => /lib/i386-linux-gnu/i686/cmov/libm.so.6 (0xb73c8000)
> libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xb73aa000)
> libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb7250000)
> libpthread.so.0 => /lib/i386-linux-gnu/i686/cmov/libpthread.so.0
> (0xb7237000)
> libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xb7233000)
> /lib/ld-linux.so.2 (0xb77c0000)
>
> Thoughts?
>
> Thanks!
>
> --
> - James Swaro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111119/b2bbeb6d/attachment.html
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tcmalloc_prof.patch
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111119/b2bbeb6d/attachment.ksh

From redlamb19 at gmail.com Tue Nov 22 09:19:01 2011
From: redlamb19 at gmail.com (Peter Erickson)
Date: Tue, 22 Nov 2011 11:19:01 -0600
Subject: [Bro] Arp Traffic Script
Message-ID: <20111122171901.GA2156@does.not.exist>

I'm not sure if this is of value to anyone, but I thought I'd pass it on. I recently had a need to review arp traffic and re-wrote the old arp.bro policy script to use the new Logging framework in 2.0-beta. I made a few additional changes as well with how the state information is stored.
-------------- next part --------------
@load ./main
-------------- next part --------------
##! Analysis of ARP Traffic.
##! This script logs ARP traffic while doing so builds an internal ARP cache
##! that can be used to determine when MAC/IP associations change.
#
# Abbreviations are taken from RFC 826:
#
# SHA: source hardware address (i.e., MAC address)
# SPA: source protocol address (i.e., IP address)
# THA: target hardware address
# TPA: target protocol address
#

@load base/frameworks/notice

module ARP;

export {
	redef enum Log::ID += { LOG };

	redef enum Notice::Type += {
		Addl_MAC_Mapping,    # another MAC->addr seen beyond just one
		Bad_ARP_Packet,      # bad arp packet received
		Cache_Inconsistency, # MAC/addr pair seen in request/reply different
		                     # from that in the ARP_cache
		Mapping_Changed,     # reply gives different value than previously seen
		Source_MAC_Mismatch, # source MAC doesn't match mappings
		Unsolicited_Reply    # could be poisoning; or just gratuitous
	};

	type Info: record {
		ts:          time   &log;
		## The requestor's MAC address.
		src_mac:     string &log &optional;
		## The requestor's IP address, if known. This is populated based
		## on ARP traffic seen to this point.
		src_addr:    addr   &log &optional;
		## The responder's MAC address.
		dst_mac:     string &log &optional;
		## The responder's IP address, if known. This is populated based
		## on ARP traffic seen to this point.
		dst_addr:    addr   &log &optional;
		## Flag to indicate that a response was unsolicited
		unsolicited: bool   &log &default=F;
		## Flag to indicate that a response was never received
		no_resp:     bool   &log &default=F;
		## The IP address that is requested in the ARP request
		who_has:     addr   &log &optional;
		## The associated MAC address from the ARP response
		is_at:       string &log &optional;
	};

	global log_arp: event(rec: Info);
}

redef capture_filters += { ["arp"] = "arp" };

global expired_request: function(t: table[string, addr, addr] of Info, idx: any): interval &redef;

type State: record {
	mac_addr:  string;
	## Only set once an IP address has been associated with this MAC; it
	## stays unset for senders that mac_addr_association filters out
	## (broadcast or unspecified addresses), so check with ?$ before reading.
	ip_addr:   addr &optional;
	assoc_ips: set[addr];
	requests:  table[string, addr, addr] of Info
	           &create_expire = 1 min &expire_func = expired_request;
};

global arp_states: table[string] of State;

# ARP responses we've seen: indexed by IP address, yielding MAC address.
global ARP_cache: table[addr] of string;

# A somewhat general notion of broadcast MAC/IP addresses
const broadcast_mac_addrs = { "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff", };
const broadcast_addrs = { 0.0.0.0, 255.255.255.255, };

# Create a new arp_request record with the given src and dst fields
function new_arp_request(mac_src: string, mac_dst: string): Info
	{
	local request: Info;
	request$ts = network_time();
	request$src_mac = mac_src;
	request$dst_mac = mac_dst;
	return request;
	}

# Create a new state record for the given MAC address
function new_arp_state(mac_addr: string): State
	{
	local state: State;
	state$mac_addr = mac_addr;
	return state;
	}

# Returns the IP address associated with a MAC address, if we've seen one.
# Otherwise just returns the MAC address.
function addr_from_mac(mac_addr: string): string
	{
	return mac_addr in arp_states && arp_states[mac_addr]?$ip_addr ?
		fmt("%s", arp_states[mac_addr]$ip_addr) : mac_addr;
	}

# Completes an Info record by populating the src and dst IP addresses, if
# known, and logs the ARP traffic via the Log framework
function log_request(rec: Info)
	{
	if ( rec$src_mac in arp_states && arp_states[rec$src_mac]?$ip_addr )
		rec$src_addr = arp_states[rec$src_mac]$ip_addr;
	if ( rec$dst_mac in arp_states && arp_states[rec$dst_mac]?$ip_addr )
		rec$dst_addr = arp_states[rec$dst_mac]$ip_addr;

	Log::write(ARP::LOG, rec);
	}

# Expiration function which is called when an ARP request does not receive
# a valid response within the expiration timeout period.
function expired_request(t: table[string, addr, addr] of Info, idx: any): interval
	{
	local SHA: string;
	local SPA: addr;
	local TPA: addr;
	[SHA, SPA, TPA] = idx;

	local request = t[SHA, SPA, TPA];
	request$no_resp = T;
	log_request(request);

	return 0 sec;
	}

# Create association between MAC address and an IP address. This is *not* an
# association advertised in an ARP reply (those are tracked in ARP_cache), but
# instead the pairing of hardware address + protocol address as expressed in
# an ARP request or reply header.
function mac_addr_association(mac_addr: string, a: addr)
	{
	# Ignore broadcast and network addresses (IP and Ethernet)
	if ( mac_addr in broadcast_mac_addrs || a in broadcast_addrs )
		return;

	# Get state record
	if ( mac_addr !in arp_states )
		arp_states[mac_addr] = new_arp_state(mac_addr);
	local arp_state = arp_states[mac_addr];

	# Determine if MAC has more than 1 associated IP.
	if ( a !in arp_state$assoc_ips && |arp_state$assoc_ips| > 0 )
		NOTICE([$note=Addl_MAC_Mapping, $src=a,
		        $msg=fmt("Additional mapping for MAC address %s found", mac_addr)]);

	arp_state$ip_addr = a;
	add arp_state$assoc_ips[a];

	if ( a in ARP_cache && ARP_cache[a] != mac_addr )
		NOTICE([$note=Cache_Inconsistency, $src=a,
		        $msg=fmt("Mapping for %s to %s doesn't match cache of %s",
		                 mac_addr, a, ARP_cache[a])]);
	}

event bro_init() &priority=5
	{
	Log::create_stream(ARP::LOG, [$columns=Info, $ev=log_arp]);
	}

# Bad ARPs can occur when:
#  - type/size pairs are not OK for HW and L3 addresses (Ethernet=6, IP=4)
#  - opcode is neither request (1) nor reply (2)
#  - MAC src address != ARP sender MAC address
event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
	{
	NOTICE([$note=Bad_ARP_Packet, $src=SPA,
	        $msg=fmt("Bad-arp %s(%s) ? %s(%s): %s", SPA, SHA, TPA, THA, explanation)]);
	}

event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
	{
	mac_addr_association(SHA, SPA);

	# Senders that mac_addr_association filters out (e.g. an ARP probe from
	# 0.0.0.0) have no state record yet; create one instead of failing on
	# the table lookup below.
	if ( SHA !in arp_states )
		arp_states[SHA] = new_arp_state(SHA);
	local arp_state = arp_states[SHA];

	# check that ethernet src and arp src are the same
	local mismatch = SHA != mac_src;
	if ( mismatch )
		NOTICE([$note=Source_MAC_Mismatch, $src=SPA,
		        $msg=fmt("%s -> %s who-has %s",
		                 addr_from_mac(mac_src), addr_from_mac(mac_dst), TPA)]);

	# Create new ARP request and store in state record
	local request = new_arp_request(mac_src, mac_dst);
	request$who_has = TPA;
	arp_state$requests[SHA, SPA, TPA] = request;
	}

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
	{
	mac_addr_association(SHA, SPA);
	mac_addr_association(THA, TPA);

	# A gratuitous reply carries a broadcast or zero THA, which gets no state
	# record from mac_addr_association; create one instead of failing on the
	# table lookup below.
	if ( THA !in arp_states )
		arp_states[THA] = new_arp_state(THA);
	local arp_state = arp_states[THA];

	local msg = fmt("%s -> %s: %s is-at %s",
	                addr_from_mac(mac_src), addr_from_mac(mac_dst), SPA, SHA);

	# Check for source mac mismatch
	local mismatch = SHA != mac_src;
	if ( mismatch )
		NOTICE([$note=Source_MAC_Mismatch, $src=SPA, $msg=msg]);

	# Check if reply is unsolicited and get request record
	local request: Info;
	if ( [THA, TPA, SPA] !in arp_state$requests )
		{
		request = new_arp_request(THA, SHA);
		request$unsolicited = T;
		NOTICE([$note=Unsolicited_Reply, $src=SPA,
		        $msg=fmt("%s: request[%s, %s, %s]", msg, THA, TPA, SPA)]);
		}
	else
		{
		request = arp_state$requests[THA, TPA, SPA];
		delete arp_state$requests[THA, TPA, SPA];
		}
	request$is_at = SHA;

	# Check reply against current ARP_cache
	local mapping_changed = SPA in ARP_cache && ARP_cache[SPA] != SHA;
	if ( mapping_changed )
		NOTICE([$note=Mapping_Changed, $src=SPA,
		        $msg=fmt("%s: was %s", msg, ARP_cache[SPA])]);

	log_request(request);
	ARP_cache[SPA] = SHA;
	}

From seth at icir.org Tue Nov 22 09:30:09 2011
From: seth at icir.org (Seth Hall)
Date: Tue, 22 Nov 2011 12:30:09 -0500
Subject: [Bro] Arp Traffic Script
In-Reply-To: <20111122171901.GA2156@does.not.exist>
References: <20111122171901.GA2156@does.not.exist>
Message-ID: <08348C29-E0B1-49E4-B8C3-98825D62BD9C@icir.org>

On Nov 22, 2011, at 12:19 PM, Peter Erickson wrote:

> I'm not sure if this is of value to anyone, but I thought I'd pass it on.

Awesome, thanks! I was going to be bringing the ARP analysis script back soon (maybe for 2.1) and you've made it easier now. I'll make sure you get credit in the CHANGE file when it gets added back.

Thanks,
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From redlamb19 at gmail.com Tue Nov 22 10:10:17 2011
From: redlamb19 at gmail.com (Peter Erickson)
Date: Tue, 22 Nov 2011 12:10:17 -0600
Subject: [Bro] Arp Traffic Script
In-Reply-To: <08348C29-E0B1-49E4-B8C3-98825D62BD9C@icir.org>
References: <20111122171901.GA2156@does.not.exist> <08348C29-E0B1-49E4-B8C3-98825D62BD9C@icir.org>
Message-ID: <20111122181016.GB2156@does.not.exist>

No problem... Glad I could help. I'll make sure to let you know if I make any changes to it. Until then, maybe I'll work on converting some of the others.
** Seth Hall [2011-11-22 12:30:09 -0500] **
>
> On Nov 22, 2011, at 12:19 PM, Peter Erickson wrote:
>
> > I'm not sure if this is of value to anyone, but I thought I'd pass it on.
>
>
> Awesome, thanks! I was going to be bringing the ARP analysis script back soon (maybe for 2.1) and you've made it easier now. I'll make sure you get credit in the CHANGE file when it gets added back.
>
> Thanks,
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>

From mdmonk at gmail.com Tue Nov 22 17:00:13 2011
From: mdmonk at gmail.com (Chucky)
Date: Tue, 22 Nov 2011 18:00:13 -0700
Subject: [Bro] Build Fail on OS X Lion
Message-ID:

I'm having some difficulties building the latest Bro 2.0beta on OS X Lion.

Bro = v 2.0-beta-47
OS = OS X 10.7.2
Gcc = v i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2335.15.00)
Cmake = 2.8.6

It fails when building netflow_pac.cc.o . Log snippet below. I can provide the full screen output/log if necessary.

Any ideas/recommendations are welcome. :)

#### Log ####

====================| Bro Build Summary |=====================

Install prefix:    /usr/local/bro.git
Bro Script Path:   /usr/local/bro.git/share/bro
Debug mode:        false

CC:                /usr/bin/gcc
CFLAGS:            -Wall -Wno-unused -O2 -g
CXX:               /usr/bin/c++
CXXFLAGS:          -Wall -Wno-unused -O2 -g
CPP:               /usr/bin/c++

Broccoli:          true
Broctl:            true
Aux. Tools:        true

GeoIP:             false
Google perftools:  false

================================================================

Scanning dependencies of target bro
[ 29%] Building CXX object src/CMakeFiles/bro.dir/netflow_pac.cc.o
In file included from /DG/BUILD/bro/build/src/netflow_pac.cc:3:
/DG/BUILD/bro/build/src/netflow_pac.h:13: error: expected initializer before ‘*’ token
/DG/BUILD/bro/build/src/netflow_pac.cc: In member function ‘bool binpac::NetFlow::NetFlow_Flow::deliver_v5_header(binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint8, binpac::uint8, binpac::uint16)’:
/DG/BUILD/bro/build/src/netflow_pac.cc:158: error: ‘mgr’ was not declared in this scope
/DG/BUILD/bro/build/src/netflow_pac.cc: In member function ‘bool binpac::NetFlow::NetFlow_Flow::deliver_v5_record(binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8, binpac::uint8, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8)’:
/DG/BUILD/bro/build/src/netflow_pac.cc:225: error: ‘mgr’ was not declared in this scope
make[3]: *** [src/CMakeFiles/bro.dir/netflow_pac.cc.o] Error 1
make[2]: *** [src/CMakeFiles/bro.dir/all] Error 2
make[1]: *** [all] Error 2
make: *** [all] Error 2

#-----------------------------------------------
Chuck Little
Security Engineer, Geek
GPG key: F14EAD4C
GPG fprint: AE4D 367F C946 919B CB8C 5BD0 490D 8B9F F14E AD4C
#-----------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111122/48478563/attachment.bin

From jsiwek at illinois.edu Wed Nov 23 04:00:13 2011
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Wed, 23 Nov 2011 12:00:13 +0000
Subject: [Bro] Build Fail on OS X Lion
In-Reply-To:
References:
Message-ID: <5C379965-D977-47B1-ACA3-0DB09FD19C3A@illinois.edu>

> I'm having some difficulties building the latest Bro 2.0beta on OS X Lion.

What are your versions of "flex" and "bison" ?

I've built frequently on a similar setup and my versions are flex 2.5.35 and bison (GNU Bison) 2.3.
Both are Apple-provided.

> It fails when building netflow_pac.cc.o . Log snippet below. I can provide the full screen output/log if necessary.

That's a file generated by BinPAC which depends on flex and bison, maybe there's a clue in those netflow_pac.cc and netflow_pac.h files if you could send them.

Also, was this working from a git repository or a source distribution? If the former, the output of `git submodule` may help.

+Jon

From mcholste at gmail.com Wed Nov 23 07:30:56 2011
From: mcholste at gmail.com (Martin Holste)
Date: Wed, 23 Nov 2011 09:30:56 -0600
Subject: [Bro] Enterprise Log Search and Archive (ELSA) Beta Available
Message-ID:

The new auto-installer script is working well enough that I think most people should be able to get the beta of ELSA installed now. I put up a short post with the details and screenshots on my blog here: http://ossectools.blogspot.com/2011/11/elsa-beta-available.html .

From the project page (http://code.google.com/p/enterprise-log-search-and-archive/):

Features:
* High-volume receiving/indexing (a single node can receive > 30k logs/sec, sustained)
* Full Active Directory/LDAP integration for authentication, authorization, email settings
* Instant ad-hoc reports/graphs on arbitrary queries even on enormous data sets
* Email alerting, scheduled reports
* Plugin architecture for web interface
* Distributed architecture for clusters
* Ships with normalization for some Cisco logs, Snort/Suricata, Bro, and Windows via Eventlog-to-Syslog or Snare

As shown at the workshop, if you install StreamDB (streamdb.googlecode.com) and note its URL in the web config, you can get instant access to any traffic referred to in a Bro log in two clicks via the "Info" link next to each log entry displayed in a search. There is also a command-line version which outputs tab-delimited lines that you can pipe to other programs, similar to bro-cut.

Please let me know if you run into issues installing.
Ubuntu, openSUSE, and CentOS have been tested, but variations of those distros should work fine. *BSD is also theoretically possible as all of the underlying components can be compiled on *BSD, but it has not been tested. If you try, let me know how it goes!

From mdmonk at gmail.com Wed Nov 23 09:05:28 2011
From: mdmonk at gmail.com (Chucky)
Date: Wed, 23 Nov 2011 10:05:28 -0700
Subject: [Bro] Build Fail on OS X Lion
In-Reply-To: <5C379965-D977-47B1-ACA3-0DB09FD19C3A@illinois.edu>
References: <5C379965-D977-47B1-ACA3-0DB09FD19C3A@illinois.edu>
Message-ID: <699FBD5E-C1D4-41AA-9BC5-4F0C37A30EC3@gmail.com>

Responses in-line:

On Nov 23, 2011, at 5:00 AM, Siwek, Jonathan Luke wrote:

>> I'm having some difficulties building the latest Bro 2.0beta on OS X Lion.
>
> What are your versions of "flex" and "bison" ?
>
> I've built frequently on a similar setup and my versions are flex 2.5.35 and bison (GNU Bison) 2.3. Both are Apple-provided.
>

I am using the apple provided flex and bison as well. Flex=v2.5.25, Bison=v2.3.

>> It fails when building netflow_pac.cc.o . Log snippet below. I can provide the full screen output/log if necessary.
>
> That's a file generated by BinPAC which depends on flex and bison, maybe there's a clue in those netflow_pac.cc and netflow_pac.h files if you could send them.
>

Attached.

> Also, was this working from a git repository or a source distribution? If the former, the output of `git submodule` may help.
>

I am working from the git repo (ver/build 2.0-beta-47)

> +Jon

Thanks again!

-Chuck

-------------- next part --------------
A non-text attachment was scrubbed...
Name: netflow_pac.cc
Type: application/octet-stream
Size: 20757 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111123/b3d5561b/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
From seth at icir.org Wed Nov 23 12:37:42 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 23 Nov 2011 15:37:42 -0500
Subject: [Bro] Enterprise Log Search and Archive (ELSA) Beta Available

On Nov 23, 2011, at 10:30 AM, Martin Holste wrote:

> The new auto-installer script is working well enough that I think most
> people should be able to get the beta of ELSA installed now.

Awesome! I'm looking forward to working with it. Thanks Martin.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From jsiwek at illinois.edu Wed Nov 23 14:18:05 2011
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Wed, 23 Nov 2011 22:18:05 +0000
Subject: [Bro] Build Fail on OS X Lion
Message-ID: <7D23CDF1-840F-45DE-8983-C2D79A0BBB7A@illinois.edu>

> [ 29%] Building CXX object src/CMakeFiles/bro.dir/netflow_pac.cc.o
> In file included from /DG/BUILD/bro/build/src/netflow_pac.cc:3:
> /DG/BUILD/bro/build/src/netflow_pac.h:13: error: expected initializer before '*' token
> /DG/BUILD/bro/build/src/netflow_pac.cc: In member function 'bool binpac::NetFlow::NetFlow_Flow::deliver_v5_header(binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint8, binpac::uint8, binpac::uint16)':
> /DG/BUILD/bro/build/src/netflow_pac.cc:158: error: 'mgr' was not declared in this scope
> /DG/BUILD/bro/build/src/netflow_pac.cc: In member function 'bool binpac::NetFlow::NetFlow_Flow::deliver_v5_record(binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8, binpac::uint8, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8)':
> /DG/BUILD/bro/build/src/netflow_pac.cc:225: error: 'mgr' was not declared in this scope

So I didn't notice anything different about your netflow_pac.cc/netflow_pac.h from mine that seemed suspect, but now I'm thinking the errors might be legit (not sure what differs in your environment, though). What happens if you edit your src/netflow.pac to have an %extern block that looks like:

%extern{
#include "net_util.h"
#include "Event.h"
#include "Type.h"
extern EventMgr mgr;
extern RecordType* conn_id;
%}

+Jon

From mdmonk at gmail.com Wed Nov 23 15:05:07 2011
From: mdmonk at gmail.com (Chuck L.)
Date: Wed, 23 Nov 2011 16:05:07 -0700
Subject: [Bro] Build Fail on OS X Lion
In-Reply-To: <7D23CDF1-840F-45DE-8983-C2D79A0BBB7A@illinois.edu>
References: <7D23CDF1-840F-45DE-8983-C2D79A0BBB7A@illinois.edu>

Here's the build log snippet after adding the code you suggested:

[ 29%] Building CXX object src/CMakeFiles/bro.dir/netflow_pac.cc.o
In file included from /DG/BUILD/bro/build/src/netflow_pac.cc:3:
/DG/BUILD/bro/build/src/netflow_pac.h:13: error: expected initializer before '*' token
In file included from /DG/BUILD/bro/build/src/netflow_pac.cc:3:
/DG/BUILD/bro/build/src/netflow_pac.h:19: error: 'EventMgr' does not name a type
/DG/BUILD/bro/build/src/netflow_pac.cc: In member function 'bool binpac::NetFlow::NetFlow_Flow::deliver_v5_header(binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint8, binpac::uint8, binpac::uint16)':
/DG/BUILD/bro/build/src/netflow_pac.cc:158: error: 'mgr' was not declared in this scope
/DG/BUILD/bro/build/src/netflow_pac.cc: In member function 'bool binpac::NetFlow::NetFlow_Flow::deliver_v5_record(binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8, binpac::uint8, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8)':
/DG/BUILD/bro/build/src/netflow_pac.cc:225: error: 'mgr' was not declared in this scope
make[3]: *** [src/CMakeFiles/bro.dir/netflow_pac.cc.o] Error 1
make[2]: *** [src/CMakeFiles/bro.dir/all] Error 2
make[1]: *** [all] Error 2
make: *** [all] Error 2

#-----------------------------------------------
Chuck Little
Security Engineer, Geek
GPG key: F14EAD4C
GPG fprint: AE4D 367F C946 919B CB8C 5BD0 490D 8B9F F14E AD4C
#-----------------------------------------------

On Nov 23, 2011, at 3:18 PM, Siwek, Jonathan Luke wrote:

>> [ 29%] Building CXX object src/CMakeFiles/bro.dir/netflow_pac.cc.o
>> In file included from /DG/BUILD/bro/build/src/netflow_pac.cc:3:
>> /DG/BUILD/bro/build/src/netflow_pac.h:13: error: expected initializer before '*' token
>> /DG/BUILD/bro/build/src/netflow_pac.cc: In member function 'bool binpac::NetFlow::NetFlow_Flow::deliver_v5_header(binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint8, binpac::uint8, binpac::uint16)':
>> /DG/BUILD/bro/build/src/netflow_pac.cc:158: error: 'mgr' was not declared in this scope
>> /DG/BUILD/bro/build/src/netflow_pac.cc: In member function 'bool binpac::NetFlow::NetFlow_Flow::deliver_v5_record(binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8, binpac::uint8, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8)':
>> /DG/BUILD/bro/build/src/netflow_pac.cc:225: error: 'mgr' was not declared in this scope
>
> So I didn't notice anything different about your netflow_pac.cc/netflow_pac.h from mine that seemed suspect, but now I'm thinking the errors might be legit (not sure what differs in your environment, though). What happens if you edit your src/netflow.pac to have an %extern block that looks like:
>
> %extern{
> #include "net_util.h"
> #include "Event.h"
> #include "Type.h"
> extern EventMgr mgr;
> extern RecordType* conn_id;
> %}
>
> +Jon

From jsiwek at illinois.edu Wed Nov 23 16:00:57 2011
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 24 Nov 2011 00:00:57 +0000
Subject: [Bro] Build Fail on OS X Lion
References: <7D23CDF1-840F-45DE-8983-C2D79A0BBB7A@illinois.edu>
Message-ID: <5A05ACBC-ECD7-427E-8EE8-54E51A6A0F26@illinois.edu>

> Here's the build log snippet after adding the code you suggested:

The errors look even funkier now -- when you added code to net_flow.pac, was it just the two new lines in the %extern block or did you add a whole other block? I meant the former (a single %extern block that looks like what I showed).

Also, can you send your build/CMakeCache.txt so I can check the environment?

+Jon

From mdmonk at gmail.com Wed Nov 23 18:31:20 2011
From: mdmonk at gmail.com (Chuck L.)
Date: Wed, 23 Nov 2011 19:31:20 -0700
Subject: [Bro] Build Fail on OS X Lion
In-Reply-To: <5A05ACBC-ECD7-427E-8EE8-54E51A6A0F26@illinois.edu>
References: <7D23CDF1-840F-45DE-8983-C2D79A0BBB7A@illinois.edu> <5A05ACBC-ECD7-427E-8EE8-54E51A6A0F26@illinois.edu>
Message-ID: <1FCE8EF5-A80B-4249-9F77-DEA699B3B801@gmail.com>

My bad. I had created another Extern struct. I changed it to your recommendations.
Log snippet follows:

Scanning dependencies of target bro
[ 25%] Building C object src/CMakeFiles/bro.dir/version.c.o
[ 26%] Building CXX object src/CMakeFiles/bro.dir/binpac-lib_pac.cc.o
[ 26%] Building CXX object src/CMakeFiles/bro.dir/binpac_bro-lib_pac.cc.o
[ 26%] Building CXX object src/CMakeFiles/bro.dir/bittorrent_pac.cc.o
[ 26%] Building CXX object src/CMakeFiles/bro.dir/dce_rpc_pac.cc.o
[ 27%] Building CXX object src/CMakeFiles/bro.dir/dce_rpc_simple_pac.cc.o
[ 27%] Building CXX object src/CMakeFiles/bro.dir/dhcp_pac.cc.o
[ 27%] Building CXX object src/CMakeFiles/bro.dir/dns_pac.cc.o
[ 27%] Building CXX object src/CMakeFiles/bro.dir/dns_tcp_pac.cc.o
[ 27%] Building CXX object src/CMakeFiles/bro.dir/http_pac.cc.o
[ 29%] Building CXX object src/CMakeFiles/bro.dir/ncp_pac.cc.o
[ 29%] Building CXX object src/CMakeFiles/bro.dir/netflow_pac.cc.o
In file included from /DG/BUILD/bro/build/src/netflow_pac.cc:3:
/DG/BUILD/bro/build/src/netflow_pac.h:14: error: 'EventMgr' does not name a type
/DG/BUILD/bro/build/src/netflow_pac.cc: In member function 'bool binpac::NetFlow::NetFlow_Flow::deliver_v5_header(binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint8, binpac::uint8, binpac::uint16)':
/DG/BUILD/bro/build/src/netflow_pac.cc:158: error: 'mgr' was not declared in this scope
/DG/BUILD/bro/build/src/netflow_pac.cc: In member function 'bool binpac::NetFlow::NetFlow_Flow::deliver_v5_record(binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8, binpac::uint8, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8)':
/DG/BUILD/bro/build/src/netflow_pac.cc:225: error: 'mgr' was not declared in this scope
make[3]: *** [src/CMakeFiles/bro.dir/netflow_pac.cc.o] Error 1
make[2]: *** [src/CMakeFiles/bro.dir/all] Error 2
make[1]: *** [all] Error 2
make: *** [all] Error 2

#-----------------------------------------------
Chuck Little
Security Engineer, Geek
GPG key: F14EAD4C
GPG fprint: AE4D 367F C946 919B CB8C 5BD0 490D 8B9F F14E AD4C
c: 303-898-4997
#-----------------------------------------------

On Nov 23, 2011, at 5:00 PM, Siwek, Jonathan Luke wrote:

>> Here's the build log snippet after adding the code you suggested:
>
> The errors look even funkier now -- when you added code to net_flow.pac, was it just the two new lines in the %extern block or did you add a whole other block? I meant the former (a single %extern block that looks like what I showed).
>
> Also, can you send your build/CMakeCache.txt so I can check the environment?
>
> +Jon

From jsiwek at illinois.edu Thu Nov 24 03:36:10 2011
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 24 Nov 2011 11:36:10 +0000
Subject: [Bro] Build Fail on OS X Lion
In-Reply-To: <1FCE8EF5-A80B-4249-9F77-DEA699B3B801@gmail.com>
References: <7D23CDF1-840F-45DE-8983-C2D79A0BBB7A@illinois.edu> <5A05ACBC-ECD7-427E-8EE8-54E51A6A0F26@illinois.edu> <1FCE8EF5-A80B-4249-9F77-DEA699B3B801@gmail.com>

> /DG/BUILD/bro/build/src/netflow_pac.h:14: error: 'EventMgr' does not name a type

Ok, I think header files are getting overshadowed somewhere (if you do `make VERBOSE=1`, you can see the order of -I options given to the compiler and look in those directories for Event.h, Type.h, etc.).
I'd like to try another change; at the top of src/CMakeLists.txt there's:

include_directories(${CMAKE_CURRENT_SOURCE_DIR}
                    ${CMAKE_CURRENT_BINARY_DIR}
)

Change it to be the following ("BEFORE" is the only difference):

include_directories(BEFORE
                    ${CMAKE_CURRENT_SOURCE_DIR}
                    ${CMAKE_CURRENT_BINARY_DIR}
)

+Jon

From mdmonk at gmail.com Thu Nov 24 12:11:59 2011
From: mdmonk at gmail.com (Chuck L.)
Date: Thu, 24 Nov 2011 13:11:59 -0700
Subject: [Bro] Build Fail on OS X Lion
References: <7D23CDF1-840F-45DE-8983-C2D79A0BBB7A@illinois.edu> <5A05ACBC-ECD7-427E-8EE8-54E51A6A0F26@illinois.edu> <1FCE8EF5-A80B-4249-9F77-DEA699B3B801@gmail.com>
Message-ID: <261B6202-0911-418D-B3A0-07B777BDCD3E@gmail.com>

That change (BEFORE in src/CMakeLists.txt) did the trick. The build completed successfully.

To be sure, I made a fresh clone of the bro git repo, tried to build without changing src/CMakeLists.txt, and the build failed. Then I made the change to src/CMakeLists.txt, and the build succeeded. No mod to netflow.pac in either build attempt.

I still wonder what is out of the ordinary on my system. I'll check into it further when I get the chance.

Thanks for your help Jon!

#-----------------------------------------------
Chuck Little
Security Engineer, Geek
GPG key: F14EAD4C
GPG fprint: AE4D 367F C946 919B CB8C 5BD0 490D 8B9F F14E AD4C
#-----------------------------------------------

On Nov 24, 2011, at 4:36 AM, Siwek, Jonathan Luke wrote:

>> /DG/BUILD/bro/build/src/netflow_pac.h:14: error: 'EventMgr' does not name a type
>
> Ok, I think header files are getting overshadowed somewhere (if you do `make VERBOSE=1`, you can see the order of -I options given to the compiler and look in those directories for Event.h, Type.h, etc.).
>
> I'd like to try another change; at the top of src/CMakeLists.txt there's:
>
> include_directories(${CMAKE_CURRENT_SOURCE_DIR}
>                     ${CMAKE_CURRENT_BINARY_DIR}
> )
>
> Change it to be the following ("BEFORE" is the only difference):
>
> include_directories(BEFORE
>                     ${CMAKE_CURRENT_SOURCE_DIR}
>                     ${CMAKE_CURRENT_BINARY_DIR}
> )
>
> +Jon

From jsiwek at illinois.edu Thu Nov 24 14:40:37 2011
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 24 Nov 2011 22:40:37 +0000
Subject: [Bro] Build Fail on OS X Lion
In-Reply-To: <261B6202-0911-418D-B3A0-07B777BDCD3E@gmail.com>
References: <7D23CDF1-840F-45DE-8983-C2D79A0BBB7A@illinois.edu> <5A05ACBC-ECD7-427E-8EE8-54E51A6A0F26@illinois.edu> <1FCE8EF5-A80B-4249-9F77-DEA699B3B801@gmail.com> <261B6202-0911-418D-B3A0-07B777BDCD3E@gmail.com>
Message-ID: <5DDBD45E-7AB1-4BC0-812B-AC6EF3D89971@illinois.edu>

> To be sure, I made a fresh clone of the bro git repo, tried to build without changing src/CMakeLists.txt, and the build failed. Then I made the change to src/CMakeLists.txt, and the build succeeded. No mod to netflow.pac in either build attempt.

Thanks for confirming that. I'm going to get that change into the git repo since that's a "righter" way to order the include directories anyway.

> I still wonder what is out of the ordinary on my system. I'll check into it further when I get the chance.

I'm guessing you had built/installed some software locally (/usr/local, /opt/local, or /sw) that provided headers of the same name as what Bro needed (Event.h, Type.h) and so the compiler picked up those. Not that it's "wrong", just different.
+Jon

From harish_64 at yahoo.com Sat Nov 26 21:43:55 2011
From: harish_64 at yahoo.com (Harish kanakaraju)
Date: Sun, 27 Nov 2011 00:43:55 -0500
Subject: [Bro] Netflow and Bro
Message-ID: <235FFEA9-E8AA-4398-BCF4-BA2028345495@yahoo.com>

Hi,

I am new to Bro IDS. I wanted to know if Bro can be used to detect portscan or Denial of service using the netflow data collected from a router. If yes, I am able to use bro as netflow collector now but I am unable to proceed after this point. Should I use the existing scripts on the netflow data to detect the threats? Or should I write my own scripts?

Regards,
Harish

From robin at icir.org Mon Nov 28 08:40:34 2011
From: robin at icir.org (Robin Sommer)
Date: Mon, 28 Nov 2011 08:40:34 -0800
Subject: [Bro] Netflow and Bro
In-Reply-To: <235FFEA9-E8AA-4398-BCF4-BA2028345495@yahoo.com>
References: <235FFEA9-E8AA-4398-BCF4-BA2028345495@yahoo.com>
Message-ID: <20111128164034.GF51767@icir.org>

On Sun, Nov 27, 2011 at 00:43 -0500, you wrote:

> I am able to use bro as netflow collector now but I am unable to
> proceed after this point. Should I use the existing scripts on the
> netflow data to detect the threats? Or should I write my own
> scripts?

Currently, we don't have any Bro scripts for NetFlow processing, so you'll need to write your own ones. Feeding NetFlow into the existing scripts (which would be mainly the scan detection I think) would probably be tricky as the scan.bro code (from 1.5) is already quite complex. We're planning to migrate that over to the new Metrics framework. That would probably also be the best starting point with NetFlow.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From jmerit.jd at gmail.com Tue Nov 29 06:55:05 2011
From: jmerit.jd at gmail.com (John Merit)
Date: Tue, 29 Nov 2011 16:55:05 +0200
Subject: [Bro] BRO 2.0 - SMTP - Saving file attachments causing many packet Drops

Hello,

I moved to BRO 2.0 a few days ago, so far it works great. I am testing the SMTP write file to disk feature (entities.bro) which also works great on file attachments. Due to load on my machine (60mbps) there are packet drops which cause the file assembly to be corrupted (BRO is running on a tap and not in-line). I suspect that the drops are caused by the excessive I/O when writing these attachments to disk.

I decided to optimize bro to get rid of the drops:
- I disabled all the scripts in init-default.bro (beside smtp) and also logging capabilities.
- Increased the system allocated buffer size in setvbuf() (BroFile::SetBuf - File.cc)
- Writing the file into tmpfs instead of the local directory

I am still suffering drops. Am I doing something wrong? Is there any way to optimize it even better to get rid of the drops?

Thank You,
JD

From seth at icir.org Tue Nov 29 09:33:40 2011
From: seth at icir.org (Seth Hall)
Date: Tue, 29 Nov 2011 12:33:40 -0500
Subject: [Bro] BRO 2.0 - SMTP - Saving file attachments causing many packet Drops
Message-ID: <0EEA2DD3-3AD8-4E2D-821E-F2A2F7ED15D4@icir.org>

On Nov 29, 2011, at 9:55 AM, John Merit wrote:

> I am testing the SMTP write file to disk feature (entities.bro) which also works great on file attachments.

Glad to hear that's working for you.

> Am I doing something wrong? Is there any way to optimize it even better to get rid of the drops?
If you are using broctl, in your broctl.cfg file add the line (then install and restart in broctl):

broargs = -l 9800

We have been seeing problems with the beta in some cases with packet loss at fairly low packet load which we are planning to address for the final release but reducing the snap length has typically been fixing it for people.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From seth at icir.org Tue Nov 29 21:56:21 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 30 Nov 2011 00:56:21 -0500
Subject: [Bro] Workshop materials

We have slides, videos, exercises, and exercise solutions posted on our website now from the recent workshop. There's lots of material there to look through, please let us know if you encounter any problems with it.

http://www.bro-ids.org/bro-workshop-2011/index.html

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From mcholste at gmail.com Wed Nov 30 20:22:09 2011
From: mcholste at gmail.com (Martin Holste)
Date: Wed, 30 Nov 2011 22:22:09 -0600
Subject: [Bro] ELSA Google Group

Just a quick note for those of you using or interested in ELSA, I created a Google Group for it at https://groups.google.com/group/enterprise-log-search-and-archive .

Still feel free to email me directly for help, but I created the group so that the questions and answers might be visible to others searching on Google for help.

Thanks,

Martin
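For the header-shadowing diagnosis Jon describes in the "Build Fail on OS X Lion" thread above (read the -I order off a `make VERBOSE=1` compile line, then check which copy of Event.h or Type.h the compiler actually picks up), here is an added example that is not code from Bro or from anyone in the thread. The compile lines, the /DG/BUILD/bro/src source directory and the /usr/local/include copies of the headers are all constructed for the demonstration; the real build would be checked against the actual command line and file system.

```python
"""Diagnose header shadowing from a compiler command line.

Added example, not Bro project code. Given a compile line (as printed by
`make VERBOSE=1`) it lists the -I directories in search order and reports
which copy of a header the compiler would pick, flagging any other copies
that are shadowed. The file system is simulated with a constructed set of
paths so the script runs offline; the directory names are placeholders.
"""
import os
import shlex


def include_dirs(compile_line):
    """Return the -I directories in the order the compiler searches them.

    Handles both the "-Idir" and the "-I dir" spellings.
    """
    args = shlex.split(compile_line)
    dirs = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "-I" and i + 1 < len(args):
            dirs.append(args[i + 1])
            i += 2
            continue
        if arg.startswith("-I") and len(arg) > 2:
            dirs.append(arg[2:])
        i += 1
    return dirs


def resolve_header(name, dirs, exists=os.path.isfile):
    """Return (chosen_path, shadowed_paths) for a header looked up via -I.

    `exists` is injectable so the lookup can run against a simulated tree.
    """
    candidates = [os.path.join(d, name) for d in dirs
                  if exists(os.path.join(d, name))]
    if not candidates:
        return None, []
    return candidates[0], candidates[1:]


# Constructed tree: a locally installed package provides its own Event.h
# and Type.h under /usr/local/include, alongside Bro's own headers.
FAKE_TREE = {
    "/usr/local/include/Event.h",
    "/usr/local/include/Type.h",
    "/DG/BUILD/bro/src/Event.h",
    "/DG/BUILD/bro/src/Type.h",
    "/DG/BUILD/bro/src/net_util.h",
}

# Constructed compile lines. Before the fix the local prefix is searched
# first; after include_directories(BEFORE ...) Bro's own directories lead.
CMD_BEFORE = ("c++ -I/usr/local/include -I/DG/BUILD/bro/src "
              "-I/DG/BUILD/bro/build/src -o netflow_pac.cc.o "
              "-c /DG/BUILD/bro/build/src/netflow_pac.cc")
CMD_AFTER = ("c++ -I/DG/BUILD/bro/src -I/DG/BUILD/bro/build/src "
             "-I/usr/local/include -o netflow_pac.cc.o "
             "-c /DG/BUILD/bro/build/src/netflow_pac.cc")


def report(compile_line, headers=("Event.h", "Type.h", "net_util.h")):
    """Map each header to the path that wins plus any shadowed copies."""
    dirs = include_dirs(compile_line)
    return {h: resolve_header(h, dirs, FAKE_TREE.__contains__) for h in headers}


if __name__ == "__main__":
    for label, cmd in (("before", CMD_BEFORE), ("after", CMD_AFTER)):
        print(label)
        for header, (chosen, shadowed) in report(cmd).items():
            flag = "  SHADOWS " + ", ".join(shadowed) if shadowed else ""
            print(f"  {header:12s} -> {chosen}{flag}")
```

Any header whose winning path is outside the Bro source or build tree is the one to look at; the same lookup works on the real compile line by dropping the injected `exists` argument.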