[Bro] Worker configuration in Bro cluster
Seth Hall
seth at icir.org
Tue Nov 11 08:02:20 PST 2014
> On Nov 11, 2014, at 3:26 AM, Po-Ching Lin <pachinko.tw at gmail.com> wrote:
>
> We intend to deploy a Bro cluster, in which the workers will get packets
> from another program via pipe, instead of capturing packets directly from a
> network interface. In case of a standalone deployment, we know it is trivial
> to achieve by the command such as "prog | bro -r -", where prog outputs
> packets to stdout. However, what should we configure the workers (or the
> manager) if the workers are to be launched from the manager through broctl?
> Thanks a lot.
Hm, that is a new challenge. BroControl really isn't meant for that kind of behavior. It's possible you could dig into it and make changes that would make it work. What I would possibly look into instead is testing our upcoming packet-bricks[1] tool. It uses netmap to pass packets around very efficiently and there is a new netmap feature called "pipes" (works on Linux and it's included in the upcoming FreeBSD 10.1) that it uses to pass packets to userland applications as sort of virtual interfaces. I would recommend going this route because you should get significantly better performance passing packets through packet-bricks than if you are actually passing packets through pipes.
Here is a link to packet-bricks:
https://github.com/bro/packet-bricks
Let me know if you need help figuring out anything about it and I can either help you or point you in the right direction.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/