[Bro] Bro 2.0 packets dropped
Seth Hall
seth at icir.org
Fri Feb 10 07:26:48 PST 2012
On Feb 10, 2012, at 9:49 AM, Machiel van Veen wrote:
> On Friday 10 February 2012 15:25:04 Seth Hall wrote:
>> On Feb 10, 2012, at 3:12 AM, Machiel van Veen wrote:
>>> Is there any configuration apart from configuring the manager, proxy and
>>> workers in node.cfg done in Bro to get this working?
>>
>> Could you send me the content of your node.cfg and broctl.cfg files? This
>> is fortunate timing, I've been preparing a blog post about using PF_Ring
>> load balancing with Bro and it would be good to find out if there are any
>> problems with it.
>>
>> .Seth
>
> I'm using the following in node.cfg:
That seems fine.
> And these settings in broctl.cfg:
>
> MailTo = root at localhost
> SitePolicyStandalone = local.bro
> SpoolDir = /var/opt/bro/spool
> LogDir = /var/opt/bro/logs
> LogRotationInterval = 3600
> MinDiskSpace = 5
> Debug = 1

It looks like you are missing the setting that turns on the pf_ring clustering support. If you built against the pf_ring libpcap wrapper it should have been put in there automatically (unless you installed over top of a previous installation?).

Add this to your broctl.cfg and do "check", "install", "restart" in broctl.

	PFRingClusterId = 21

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
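
An added example, not part of the original message or of BroControl: a pre-flight check for the condition diagnosed above, where several workers sniff the same interface but broctl.cfg has no PFRingClusterId. The node.cfg sample, its addresses and the function names are constructed for illustration, and matching the option name case-insensitively is an assumption.

```python
import configparser
from collections import Counter
# Constructed sample node.cfg (the poster's file is not shown): two workers, one NIC.
NODE_CFG = """
[manager]
type=manager
host=10.0.0.10
[worker-1]
type=worker
host=10.0.0.10
interface=eth0
[worker-2]
type=worker
host=10.0.0.10
interface=eth0
"""
# Some of the broctl.cfg settings quoted in the message; no PFRingClusterId.
BROCTL_CFG = """SpoolDir = /var/opt/bro/spool
LogDir = /var/opt/bro/logs
Debug = 1
"""

def parse_broctl_cfg(text):
    """Parse flat 'Key = value' lines; keys compared case-insensitively (assumption)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def shared_worker_interfaces(node_cfg_text):
    """Return {(host, interface): n} for interfaces sniffed by more than one worker."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(node_cfg_text)
    counts = Counter((cp[s].get("host", "?"), cp[s].get("interface", "?"))
                     for s in cp.sections() if cp[s].get("type") == "worker")
    return {k: n for k, n in counts.items() if n > 1}

def check(node_cfg_text, broctl_cfg_text):
    """Report worker groups that share a NIC while PFRingClusterId is unset."""
    if parse_broctl_cfg(broctl_cfg_text).get("pfringclusterid"):
        return []
    return [f"{n} workers on {host}:{iface} but PFRingClusterId is not set"
            for (host, iface), n in sorted(shared_worker_interfaces(node_cfg_text).items())]

if __name__ == "__main__":
    print(check(NODE_CFG, BROCTL_CFG))
```

An empty list means either no interface is shared between workers or a cluster id is configured.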