[Bro] newbie questions...

Russell Fulton r.fulton at auckland.ac.nz
Wed Aug 21 17:48:59 PDT 2013


Hi Seth,  nice to chat with you again!  I did get there in the end :)

Actually the biggest constraint was getting hardware capable of doing everything I wanted.

On 22/08/2013, at 11:36 AM, Seth Hall <seth at icir.org> wrote:

> Hi Russell!
> 
> On Aug 21, 2013, at 7:06 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> 
>> For the record I am running on a 16 core box running Ubuntu SPC and using the binary from SO (but not the SO config or scripts).
> 
> Why's that?

I am managing the sensors using puppet — all the config data, rule files, etc. are all managed from a manager box which runs puppet. Using the SO .deb package frees me from having to fiddle around managing binary distros of the software I needed.  I figure that SO keep close enough to the bleeding edge for me ;)  The OS stuff is also managed by puppet — my puppet server mirrors the config from our central puppet server.

I have been using this arrangement for several years and the most painful part was always upgrading the various sensor binaries.  Puppet really assumes you have native packages for all your software.  I see there are .debs on the download server — is there an apt repository I can get them from too?

That still leaves argus for which there are no up to date official binary packages.  But SO does have them.

> 
>> I have suricata set up to use cores 10-15 — is there a straightforward way to assign bro to particular cores or should I just use open slather for everything?
> 
> In the 2.2 release that is coming soon there is a new config option for node.cfg where you can pin processes.  It will make your worker configs look like this…
> 
> [worker-1]
> type=worker
> host=1.2.3.4
> interface=eth2
> lb_method=pf_ring
> lb_procs=10
> pin_cpus=2,3,4,5,6,7,8,9,10,11
> 
> I think that's a pretty straightforward configuration, but let me know if there isn't anything clear in it or if you have questions.  You will only need to configure a single worker like that to load balance traffic on that host with the configured interface.  broctl will create all of the worker processes it needs.
> 

Even I can deal with that :)  At the moment I have entries for workers 1-4.

I've added the pf_ring spec to each of them.

>> I have assumed that the SO version of bro will use pf_ring by default, or do I need to do something to get bro to use pf_ring?
> 
> I put it in the config above, you just need to make sure you have all of the pf_ring bits installed.  I'm a little unsure how different what you're running is from securityonion so I'm not sure I can authoritatively answer your question.
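The pin_cpus stanza Seth describes above is easy to get subtly wrong on a box where another process (here Suricata on cores 10-15) already owns some cores, so this added example, not part of the thread or of Bro/broctl itself, parses a constructed node.cfg fragment and checks that each worker's pin_cpus list matches its lb_procs count, does not overlap a reserved core set, and does not double-pin a core across workers.

```python
import configparser

# Constructed node.cfg fragment modelled on the worker stanza quoted in the thread.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=1.2.3.4

[worker-1]
type=worker
host=1.2.3.4
interface=eth2
lb_method=pf_ring
lb_procs=10
pin_cpus=2,3,4,5,6,7,8,9,10,11
"""


def parse_pin_cpus(value):
    """Turn a pin_cpus string such as '2,3,4' into a sorted list of ints."""
    return sorted(int(c) for c in value.split(",") if c.strip())


def check_node_cfg(text, reserved_cpus=frozenset()):
    """Return a list of problems found in the worker stanzas of a node.cfg.

    reserved_cpus are cores already claimed by another process (for example
    an IDS pinned with its own affinity) that Bro workers must not use.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    problems = []
    seen = {}  # core -> first worker section that pinned it
    for section in cfg.sections():
        if cfg.get(section, "type", fallback="") != "worker":
            continue
        if "pin_cpus" not in cfg[section]:
            continue  # unpinned worker: nothing to validate
        cpus = parse_pin_cpus(cfg[section]["pin_cpus"])
        procs = cfg.getint(section, "lb_procs", fallback=1)
        if len(cpus) != procs:
            problems.append(f"{section}: lb_procs={procs} but pin_cpus lists {len(cpus)} cores")
        overlap = sorted(set(cpus) & set(reserved_cpus))
        if overlap:
            problems.append(f"{section}: pin_cpus overlaps reserved cores {overlap}")
        for c in cpus:
            if c in seen:
                problems.append(f"{section}: core {c} already pinned by {seen[c]}")
            seen.setdefault(c, section)
    return problems
```

Run against the sample with `reserved_cpus=frozenset(range(10, 16))` (Suricata's cores from the thread) it flags cores 10 and 11 as contested; with no reservation the stanza passes cleanly.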


