[Bro] Multiple interfaces on 2.2-beta-4

Jesse Bowling jessebowling at gmail.com
Thu Sep 26 19:55:21 PDT 2013


I'll also bring up the case of using PF_RING with Bro... In that case it
seems the way to do it is to use the PF_RING-specific interface notation:

interface=p2p1\;p2p2\;p2p3\;p2p4

and then let the workers split up the stream as required. I seem to
remember also having to modify a bash script in Bro (and having written to
the list about it) in order to get this notation passed through
properly... I suppose it's time to see if this new version requires the same
tweaking. :)

Cheers,

Jesse


On Thu, Sep 26, 2013 at 10:37 PM, Justin Azoff <JAzoff at albany.edu> wrote:

> On Thu, Sep 26, 2013 at 10:27:29PM -0400, Seth Hall wrote:
> > I guess I don't really know what to say, sniffing multiple interfaces
> > was never something we actually supported when you run Bro with broctl and
> > we continue not to support it.  Generally we recommend merging multiple
> > streams of traffic upstream of where Bro receives the packets.
>
> What about with something like:
>
> [worker-1]
> type=worker
> host=localhost
> interface=eth0
>
> [worker-2]
> type=worker
> host=localhost
> interface=eth1
>
> as long as those aren't half streams from a tap, that should work,
> right?
>
> --
> -- Justin Azoff
> -- Network Security & Performance Analyst



-- 
Jesse Bowling