[Bro] Weird stuff in weird.log?

Kim Halavakoski kim at blackcatsec.net
Sun Apr 21 04:15:38 PDT 2013


Peter,
I was about to ask the list if splitting up interfaces / VLANs / snooping-points in different workers would fix it, but it seems you have done that and are still seeing the same weirdness. 

May I ask what was your reason for having 3 workers and a proxy? I am still new to how to design and set up Bro with all the features it has...



Best regards,

Kim Halavakoski

Sent from my mobile device, excuse my clawfingerness!

Mobile N#: +358 [0] 40 702 7844
PGP S#: 0BFA A910 9AA7 94A5 A323  53F5 4151 4CE4 33BE 35FA
http://www.blackcatsec.net

On 21 apr 2013, at 13:23, Peter Franzel <pfranzel at t-online.de> wrote:

> I am experiencing the same problem in the weird.log here, as I am using one interface defined for the WAN and one for the LAN traffic (between them there is a firewall and a loadbalancer with ssl-offload). 
> I am using the following node configuration: 
> 
> [manager]
> type=manager
> host=10.XX.XX.11
>  
> [proxy-1]
> type=proxy
> host=10.XX.XX.11
>  
> [worker-1]      --> WAN Connection
> type=worker
> host=10.XX.XX.11
> interface=p6p1
> lb_method=pf_ring
> lb_procs=8
>  
> [worker-2]      --> LAN Connection
> type=worker
> host=10.XX.XX.11
> interface=p6p2
> lb_method=pf_ring
> lb_procs=8
>  
> [worker-3]     --> dedicated line between two DCs
> type=worker
> host=10.XX.XX.11
> interface=bond0
> ...
> 
> Question: What should I meaningfully do to get rid of this:
> --> Run one bro cluster/instance for each interface?
> --> Or is there a way to do it by another configuration change?
> 
> Peter
> 
> On 21.04.2013 11:05, Vern Paxson wrote:
>>> I suspect that it is due to the fact that I am spanning
>>> multiple VLANs that Bro sees, with traffic both before and after
>>> loadbalancers and NATs etc. so it kind-of sees the whole chain of packets
>>> from outside the firewall, before / after loadbalancer behind firewall
>>> and finally the traffic behind the loadbalancers/firewalls...would that
>>> in some way explain the weird.log stuff shown here?
>> That for sure would explain these sorts of "weird" messages, since they
>> all relate to Bro reporting that it's not seeing a single consistent
>> picture of (bidirectional) network flows.
>> 
>> 		Vern
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
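The thread's diagnosis is that weird.log entries such as these come from Bro seeing the same flows at several snooping points (before and after the firewall, loadbalancer and NAT), so the first thing to check is which worker reports which weird names and whether a single connection turns up at more than one worker. The following script is an added example, not code from this thread or from the Bro project; it assumes the Bro 2.x weird.log column layout (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, name, addl, notice, peer) and that broctl names pf_ring load-balanced processes worker-N-M, and the log lines it parses are constructed for the demonstration.

```python
"""Summarise a Bro weird.log by worker and find flows reported by several workers.

Added example for the mailing-list thread; not code from Bro or from the posters.
The sample log below is constructed and follows the Bro 2.x weird.log layout.
"""
from collections import Counter, defaultdict

# Constructed sample (not a real capture). Header lines mirror the Bro 2.x
# TSV log format; data columns are separated by tabs.
SAMPLE_WEIRD_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tweird\n"
    "#open\t2013-04-21-10-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring\n"
    "1366538400.000001\tCa1b2c\t192.0.2.10\t51234\t198.51.100.5\t443\tpossible_split_routing\t-\tF\tworker-1-1\n"
    "1366538400.000002\tCa1b2c\t192.0.2.10\t51234\t198.51.100.5\t443\tactive_connection_reuse\t-\tF\tworker-2-3\n"
    "1366538401.000000\tCd4e5f\t10.0.0.7\t40000\t10.0.0.9\t80\tdata_before_established\t-\tF\tworker-2-1\n"
    "1366538402.000000\tCg6h7i\t192.0.2.11\t51235\t198.51.100.5\t443\tpossible_split_routing\t-\tF\tworker-1-2\n"
    "1366538403.000000\tCj8k9l\t203.0.113.4\t22\t10.0.0.9\t3389\tbad_TCP_checksum\t-\tF\tworker-3-1\n"
    "#close\t2013-04-21-10-05-00\n"
)


def parse_weird_log(text):
    """Parse Bro TSV log text into a list of dicts keyed by the #fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Only the #fields header matters for column names; skip the rest.
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch on row: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def worker_of(peer):
    """Collapse a pf_ring process name to its worker.

    Assumption: with lb_procs > 1, broctl names processes worker-N-M; all
    processes of one interface are then grouped under worker-N.
    """
    parts = peer.split("-")
    if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
        return "-".join(parts[:2])
    return peer


def weirds_by_worker(records):
    """Count (worker, weird name) pairs so each interface's profile is visible."""
    return Counter((worker_of(r["peer"]), r["name"]) for r in records)


def flows_seen_by_multiple_workers(records):
    """Return 5-tuples (minus proto) that more than one worker reported on.

    A flow reported by several workers means the same connection is visible
    at several snooping points, which is exactly what produces the
    split-routing / connection-reuse weirds discussed in the thread.
    """
    seen = defaultdict(set)
    for r in records:
        key = (r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"])
        seen[key].add(worker_of(r["peer"]))
    return {key: sorted(workers) for key, workers in seen.items() if len(workers) > 1}


if __name__ == "__main__":
    recs = parse_weird_log(SAMPLE_WEIRD_LOG)
    for (worker, name), n in sorted(weirds_by_worker(recs).items()):
        print("%-10s %-28s %d" % (worker, name, n))
    for flow, workers in flows_seen_by_multiple_workers(recs).items():
        print("flow %s:%s -> %s:%s seen by %s" % (flow + (", ".join(workers),)))
```

Running it on a real weird.log (for example `python weird_summary.py < weird.log` after swapping the embedded sample for `sys.stdin.read()`) shows at a glance whether one interface carries most of the inconsistent-flow weirds and which connections are being observed on more than one tap, which is the information needed to decide between separate clusters per interface and a single cluster with adjusted tap placement.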