[Bro] newbie questions...

Seth Hall seth at icir.org
Wed Aug 21 16:36:25 PDT 2013


Hi Russell!

On Aug 21, 2013, at 7:06 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:

> For the record I am running on a 16 core box running Ubuntu SPC and using the binary from SO (but not the SO config or scripts).

Why's that?

> I have suricata set up to use cores 10-15 — is there a straightforward way to assign bro to particular cores or should I just use open slather for everything?

In the 2.2 release that is coming soon there is a new config option for node.cfg where you can pin processes.  It will make your worker configs look like this…

[worker-1]
type=worker
host=1.2.3.4
interface=eth2
lb_method=pf_ring
lb_procs=10
pin_cpus=2,3,4,5,6,7,8,9,10,11

I think that's a pretty straightforward configuration, but let me know if anything in it isn't clear or if you have questions.  You will only need to configure a single worker like that to load balance traffic on that host with the configured interface.  broctl will create all of the worker processes it needs.

> I have assumed that the SO version of bro will use pf_ring by default? or do I need to do something to get bro to use pf_ring?

I put it in the config above, you just need to make sure you have all of the pf_ring bits installed.  I'm a little unsure how different what you're running is from securityonion so I'm not sure I can authoritatively answer your question.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
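
An added example, not part of the original message and not broctl code: a Python check that reads a node.cfg and compares each worker's pin_cpus with its lb_procs and with cores set aside for another process, here the cores 10-15 given for suricata in the quoted question. It assumes pin_cpus is a plain comma-separated list as shown above; the function name, its parameters and the finding labels are hypothetical.

```python
import configparser

# Constructed sample: the worker stanza quoted in the message above.
NODE_CFG = """\
[worker-1]
type=worker
host=1.2.3.4
interface=eth2
lb_method=pf_ring
lb_procs=10
pin_cpus=2,3,4,5,6,7,8,9,10,11
"""

def check_node_cfg(text, reserved=(), total_cpus=None):
    """Return (section, kind, detail) findings for pinned worker stanzas."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        node = cp[name]
        if node.get("type") != "worker" or "pin_cpus" not in node:
            continue  # only workers that actually pin CPUs are checked
        pins = [int(c) for c in node["pin_cpus"].split(",") if c.strip()]
        procs = node.getint("lb_procs", fallback=1)
        if len(pins) != procs:  # more or fewer CPUs listed than processes
            findings.append((name, "count",
                             f"{len(pins)} pinned CPUs for {procs} processes"))
        dupes = sorted({c for c in pins if pins.count(c) > 1})
        if dupes:  # same core listed twice: two workers would share it
            findings.append((name, "duplicate", dupes))
        clash = sorted(set(pins) & set(reserved))
        if clash:  # core already dedicated to another process
            findings.append((name, "reserved", clash))
        if total_cpus is not None:
            bad = sorted(c for c in set(pins) if not 0 <= c < total_cpus)
            if bad:  # CPU number that does not exist on this box
                findings.append((name, "range", bad))
    return findings

if __name__ == "__main__":
    # 16-core box, cores 10-15 reserved for suricata (from the quoted question).
    for finding in check_node_cfg(NODE_CFG, reserved=range(10, 16), total_cpus=16):
        print(finding)
```

Run against the stanza as written, with cores 10-15 marked reserved, it reports cores 10 and 11 as shared between the pinned workers and suricata.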
