[Bro] Weird stuff in weird.log?

Peter Franzel pfranzel at t-online.de
Sun Apr 21 03:23:20 PDT 2013


I am experiencing the same problem in the weird.log here, using one 
interface for the WAN and one for the LAN traffic (between them there 
is a firewall and a load balancer with SSL offload).
I am using the following node configuration:

[manager]
type=manager
host=10.XX.XX.11

[proxy-1]
type=proxy
host=10.XX.XX.11

# WAN connection
[worker-1]
type=worker
host=10.XX.XX.11
interface=p6p1
lb_method=pf_ring
lb_procs=8

# LAN connection
[worker-2]
type=worker
host=10.XX.XX.11
interface=p6p2
lb_method=pf_ring
lb_procs=8

# dedicated line between two DCs
[worker-3]
type=worker
host=10.XX.XX.11
interface=bond0
...

Question: What should I do to get rid of this:
--> Run one Bro cluster/instance for each interface?
--> Or is there a way to do it with another configuration change?

Peter

Am 21.04.2013 11:05, schrieb Vern Paxson:
>> I suspect that it is due to the fact that I am spanning
>> multiple VLANs that Bro sees, with traffic both before and after
>> loadbalancers and NATs etc., so it kind of sees the whole chain of packets
>> from outside the firewall, before / after the loadbalancer behind the firewall
>> and finally the traffic behind the loadbalancers/firewalls... would that
>> in some way explain the weird.log stuff shown here?
> That for sure would explain these sorts of "weird" messages, since they
> all relate to Bro reporting that it's not seeing a single consistent
> picture of (bidirectional) network flows.
>
> 		Vern
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
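Before deciding between one cluster per interface and a configuration change, it helps to know whether the weirds actually come from the same flows being seen by the workers on more than one tap. The script below is an added example, not code from the original post or from the Bro project. It tabulates a weird.log by weird name and by reporting worker, then lists flows on which workers attached to different node.cfg entries both reported a weird. It assumes the default Bro 2.x ASCII log layout (tab-separated, `#fields` header, `-` for unset fields), that cluster deployments fill the `peer` column with the worker name, and that broctl names the `lb_procs` children of `worker-1` as `worker-1-1` .. `worker-1-8`; the log lines in `SAMPLE_WEIRD_LOG` are constructed for illustration, and the overlap check is a heuristic, not a Bro feature.

```python
"""Tabulate a Bro weird.log by weird name and by reporting worker.

Added example (not from the mailing-list post or the Bro project).
Assumptions: Bro 2.x ASCII log layout, a 'peer' column carrying the
worker name, and broctl's 'worker-N-M' naming for lb_procs children.
"""
import collections
import io

# Constructed sample in the Bro 2.x ASCII log layout; not a real capture.
SAMPLE_WEIRD_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tweird\n"
    "#open\t2013-04-21-10-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tname\taddl\tnotice\tpeer\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport"
    "\tstring\tstring\tbool\tstring\n"
    "1366539800.123\tCaBcD1\t203.0.113.5\t51234\t192.0.2.10\t443"
    "\tpossible_split_routing\t-\tF\tworker-1-3\n"
    "1366539800.130\tCeFgH2\t203.0.113.5\t51234\t192.0.2.10\t443"
    "\tpossible_split_routing\t-\tF\tworker-2-1\n"
    "1366539801.200\tCiJkL3\t198.51.100.7\t40000\t192.0.2.10\t443"
    "\tdata_before_established\t-\tF\tworker-1-2\n"
    "1366539802.400\tCmNoP4\t198.51.100.7\t40000\t192.0.2.10\t443"
    "\tpossible_split_routing\t-\tF\tworker-2-1\n"
    "1366539803.500\tCqRsT5\t10.0.0.5\t3306\t10.0.1.5\t55000"
    "\tinappropriate_FIN\t-\tF\tworker-3-1\n"
    "1366539804.600\t-\t-\t-\t-\t-\ttruncated_IP\t-\tF\tworker-2-4\n"
    "#close\t2013-04-21-11-00-00\n"
)


def parse_bro_log(text):
    """Parse Bro's tab-separated ASCII log into a list of dicts.

    '#fields' names the columns; '#unset_field' gives the placeholder
    (normally '-') that is mapped to None. Other '#' lines are skipped.
    """
    fields, unset, records = None, "-", []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#unset_field":
                unset = parts[1]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append({k: (None if v == unset else v)
                        for k, v in zip(fields, values)})
    return records


def count_by_name(records):
    """Total occurrences of each weird name."""
    return collections.Counter(r["name"] for r in records)


def count_by_peer(records):
    """Weird name counts per reporting worker process."""
    table = collections.defaultdict(collections.Counter)
    for r in records:
        table[r["peer"]][r["name"]] += 1
    return table


def worker_group(peer):
    """'worker-1-3' -> 'worker-1': the node.cfg entry, i.e. the interface
    (assumes broctl's lb_procs naming convention)."""
    parts = peer.split("-")
    return "-".join(parts[:2]) if len(parts) >= 3 else peer


def flows_seen_by_multiple_interfaces(records):
    """{4-tuple: set of node.cfg workers} for flows on which workers of
    more than one interface reported a weird. Heuristic: such overlap is
    what you would expect when one session crosses both the WAN and LAN
    taps and all taps feed a single cluster."""
    seen = collections.defaultdict(set)
    for r in records:
        if r["id.orig_h"] is None:
            continue  # packet-level weird with no connection attached
        key = (r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"])
        seen[key].add(worker_group(r["peer"]))
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_WEIRD_LOG)
    print("by name:", dict(count_by_name(recs)))
    for peer, names in sorted(count_by_peer(recs).items()):
        print(peer, dict(names))
    for flow, groups in flows_seen_by_multiple_interfaces(recs).items():
        print("seen by", sorted(groups), "->", flow)
```

Run it against a real weird.log by replacing `SAMPLE_WEIRD_LOG` with the file contents; if most flows in the last listing are reported by both `worker-1` and `worker-2`, the workers are seeing the same sessions on both sides of the firewall/load balancer, which is the inconsistent picture Vern describes.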
