[Bro] First time Bro Cluster Spin up

Schoenefeld, Keith P. Keith_Schoenefeld at baylor.edu
Mon Nov 17 12:22:05 PST 2014


You must be running this on Linux as a user other than root (good for you).  Run this command on each of the cluster nodes:

setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro && setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/capstats

I'd give credit if I could recall where I found this; I found it on a website somewhere.  I blame Seth Hall.

Note that you'll have to do this every time you push cluster config changes as well.

-- KS

Keith Schoenefeld
Information Security Analyst
Baylor University
254-710-6667


-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Dawson,Scottie
Sent: Monday, November 17, 2014 2:05 PM
To: bro at bro-ids.org
Subject: [Bro] First time Bro Cluster Spin up

Hi.

I am attempting to get a Bro cluster working and I get the following error for all my workers (full output of diag below):

"fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied"

Thoughts on what I am missing?

Config:

I have an Endace DAG8.1SX set up to run with 22 streams.

1 server set up to have 22 instances of BRO workers on it

1 server set up as the manager and proxy

Using   libpcap-1.6.2
        dag-5.2.0
        bro version 2.3.1

TS:

1.  I have run the following command on both the worker and the manager/proxy servers.

sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro

2.  I can launch bro manually on the worker if I use sudo

acns-bro at endace:/usr/local/bro/bin$ sudo ./bro -i dag0:42
listening on dag0:42, capture length 8192 bytes

^C1416254260.140036 received termination signal
1416254260.140036 209 packets received on interface dag0:42, 0 dropped

3.  Manipulated the user launching bro (acns-bro) group permissions to be in the adm group

FULL OUTPUT of DIAG:

[BroControl] > diag worker-21
[worker-21]

Bro 2.3.1
Linux 3.13.0-39-generic

==== No reporter.log

==== stderr.log
[dag_open] dag_clone dagfd for dagiom: Permission denied
fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied

==== stdout.log
max memory size         (kbytes, -m) unlimited
data seg size           (kbytes, -d) unlimited
virtual memory          (kbytes, -v) unlimited
core file size          (blocks, -c) unlimited

==== .cmdline
-i dag0:42 -U .status -p broctl -p broctl-live -p local -p worker-21 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=worker-21

==== .status
TERMINATED [atexit]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log

Scott Dawson
ACNS Network Security
Colorado State University
970-297-3712

"chop wood carry water"
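The following check script is an added example and is not part of either message above or of the Bro/BroControl project. It pairs with the two points the thread raises: the setcap command in the reply grants cap_net_raw and cap_net_admin to the Bro binary (and, as the reply notes, has to be re-applied whenever the binary is pushed out again), while the "dag_open /dev/dag0: Permission denied" in the original post is a check on the device node itself, which file capabilities on the binary do not bypass (that would need CAP_DAC_OVERRIDE, which the command does not grant). So the script verifies both on a worker node: that the binary still carries the capabilities, and that the user who will run Bro has read/write access to the device node. The two getcap output layouts it parses, the binary and device paths, and the function names are assumptions for this example.

```sh
#!/bin/sh
# Added check script (not from the thread). Verifies that a Bro binary still
# carries the file capabilities set by the reply's setcap command, and that the
# capture device node is readable and writable by the user running Bro.
# Paths and the getcap output layouts below are assumptions for this example.

# has_caps LINE
# Succeeds when a getcap output line grants cap_net_raw and cap_net_admin with
# both the effective (e) and permitted (p) flags. Handles two getcap layouts:
#   /opt/bro/bin/bro = cap_net_admin,cap_net_raw+eip   (older libcap, assumed)
#   /opt/bro/bin/bro cap_net_admin,cap_net_raw=eip     (newer libcap, assumed)
has_caps() {
    # The capability spec is the last whitespace-separated field.
    spec=${1##* }
    # A bare path, or an empty line (getcap printed nothing), means no caps.
    [ "$spec" != "$1" ] || return 1
    case $spec in *cap_net_raw*)   ;; *) return 1 ;; esac
    case $spec in *cap_net_admin*) ;; *) return 1 ;; esac
    # Flags follow the '+' (older layout) or '=' (newer layout).
    flags=${spec##*[+=]}
    [ "$flags" != "$spec" ] || return 1
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
    return 0
}

# binary_caps_ok PATH
# Runs getcap on a binary and checks the result. Returns 2 when getcap is not
# installed, so the caller can tell "could not verify" from "caps missing".
binary_caps_ok() {
    command -v getcap >/dev/null 2>&1 || return 2
    has_caps "$(getcap "$1" 2>/dev/null)"
}

# device_accessible PATH
# File capabilities on the binary do not override ordinary permission checks
# on the device node, so /dev/dag0 itself must be open to the capture user
# (owner, group membership or mode), not just the binary.
device_accessible() {
    [ -e "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# check_node BIN DEV
# Prints one line per check; returns non-zero if any check fails.
check_node() {
    bin=$1; dev=$2; rc=0
    binary_caps_ok "$bin"; st=$?
    case $st in
        0) echo "ok:   $bin carries cap_net_raw,cap_net_admin with e and p flags" ;;
        2) echo "skip: getcap not found, cannot verify capabilities on $bin" ;;
        *) echo "FAIL: $bin lacks cap_net_raw,cap_net_admin+eip (re-run setcap after each push of the binary)"
           rc=1 ;;
    esac
    if device_accessible "$dev"; then
        echo "ok:   $dev is readable and writable by $(id -un)"
    else
        echo "FAIL: $dev is not readable/writable by $(id -un); compare 'ls -l $dev' with 'id'"
        rc=1
    fi
    return $rc
}

# Usage: sh check.sh /usr/local/bro/bin/bro /dev/dag0
if [ "$#" -ge 2 ]; then
    check_node "$1" "$2"
fi
```

Run it as the unprivileged Bro user on each worker after `broctl install`; a FAIL on the device line is the case in the original post, where the fix is on the device node's owner, group or mode rather than on the binary.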
