[Bro] [security-onion] Bro and Myricom

Seth Hall seth at icir.org
Tue Jul 23 10:44:21 PDT 2013


On Jul 23, 2013, at 12:06 PM, Michal Purzynski <michal at rsbac.org> wrote:

> I've thrown about 1.5Gbit of traffic on the host, give or take 500Mbit.
> 
> 12 workers. Bro from the svn (oh well).

Hm, are you using our git repository?  Or are you using some old version from our subversion repository that still exists (but hasn't been touched for a long time)?

> Myricom support told me to:
> 
> "And also make sure that you are using the latest Bro 2.0 and that the Sniffer environment flags are set in /usr/local/bro/lib/broctl/BroControl/control.py:
> 
> env += " SNF_NUM_RINGS=12 SNF_FLAGS=0x1"
> "

What?!?  Myricom support is telling people that!  That's not the right way to do it (with 2.1 and we don't really support 2.0 anymore).

[worker1]
type=worker
host=1.2.3.4
interface=eth0
lb_method=myricom
lb_procs=12

That's how you should be doing it in node.cfg.  No changes in python are required.  

Would you mind putting me in touch with whomever you contacted at Myricom support?

> I've also recompiled Bro against the vendor provided pcap lib. So far so good.

Could you paste the exact configure flags you used?

> fatal error in /opt/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }])

It looks like you may have something out of date, but I'm not really sure what's causing this error.

Could you please move discussions like this over to the Bro mailing list too?  This thread is solidly Bro and not exactly related to SO.

Thanks,
  .Seth


--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/




