[Bro] First time Bro Cluster Spin up

Mike Patterson mike.patterson at uwaterloo.ca
Tue Nov 18 12:34:34 PST 2014


Just FYI, I run a DAG 9.2 here - in the past, I’ve run into situations where a crashing worker (or Snort process) will “lock” its stream. I usually do a cold power off in those situations, as a reboot didn’t always seem to clear it. I don’t know if that’s what you ran into, but it’s something to keep in mind anyway.

It’s not clear to me - did you manage to get it working as non-root then?

Mike

-- 
Simple, clear purpose and principles give rise to complex and
intelligent behavior. Complex rules and regulations give rise
to simple and stupid behavior. - Dee Hock

> On Nov 18, 2014, at 2:22 PM, Dawson,Scottie <scottie.Dawson at colostate.edu> wrote:
> 
> It was the Endace Capture card.
> 
> scott
> 
> "chop wood carry water"
> 
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Dawson,Scottie
> Sent: Tuesday, November 18, 2014 7:17 AM
> To: bro at bro-ids.org
> Subject: Re: [Bro] First time Bro Cluster Spin up
> 
> Thank you both John and Keith for the suggestions.  I rebooted the server for good measure and re-ran the setcap command, with the same results in broctl.
> 
> worker-21 terminated immediately after starting; check output with "diag"
> 
> …..
> 
> Diag worker-21
> 
> ….
> 
> ==== stderr.log
> 
> fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied
> 
> …….
> 
> Is anyone using an Endace card in their cluster?  I am starting to suspect that the permissions issue has to do with how I am configuring and launching the capture card.  I am going to reach out to their support organization and see if there is a way to launch the card as a non-root user.
> 
> I am sure I can get all this working with root but I am trying to avoid that.
> 
> Thanks again
> 
> scott
> 
> "chop wood carry water"
> 
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Dawson,Scottie
> Sent: Monday, November 17, 2014 1:05 PM
> To: bro at bro-ids.org
> Subject: [Bro] First time Bro Cluster Spin up
> 
> Hi.
> 
> I am attempting to get a Bro cluster working and I get the following error for all my workers (full output of diag below).   “fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied”
> 
> Thoughts on what I am missing?
> 
> Config:
> 
> I have an Endace DAG8.1SX set up to run with 22 streams.
> 1 server set up to have 22 instances of BRO workers on it
> 1 server set up as the manager and proxy
> Using   libpcap-1.6.2
>         dag-5.2.0
>         bro version 2.3.1
> 
> TS:
> 
> 1.  I have run the following command on both the worker and the manager/proxy servers.
> 
> sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro
> 
> 2.  I can launch bro manually on the worker if I use sudo
> 
> acns-bro at endace:/usr/local/bro/bin$ sudo ./bro -i dag0:42
> listening on dag0:42, capture length 8192 bytes
> 
> ^C1416254260.140036 received termination signal
> 1416254260.140036 209 packets received on interface dag0:42, 0 dropped
> 
> 3.  Manipulated the user launching bro (acns-bro) group permissions to be in the adm group
> 
> FULL OUTPUT of DIAG:
> 
> [BroControl] > diag worker-21
> [worker-21]
> 
> Bro 2.3.1
> Linux 3.13.0-39-generic
> 
> ==== No reporter.log
> 
> ==== stderr.log
> [dag_open] dag_clone dagfd for dagiom: Permission denied
> fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied
> 
> ==== stdout.log
> max memory size         (kbytes, -m) unlimited
> data seg size           (kbytes, -d) unlimited
> virtual memory          (kbytes, -v) unlimited
> core file size          (blocks, -c) unlimited
> 
> ==== .cmdline
> -i dag0:42 -U .status -p broctl -p broctl-live -p local -p worker-21 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
> 
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=worker-21
> 
> ==== .status
> TERMINATED [atexit]
> 
> ==== No prof.log
> 
> ==== No packet_filter.log
> 
> ==== No loaded_scripts.log
> 
> Scott Dawson
> ACNS Network Security
> Colorado State University
> 970-297-3712
> 
> "chop wood carry water"
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
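Added example (not code from the thread, nor from Bro or Endace): the quoted diag output fails inside dag_open() on open() of /dev/dag0, and the troubleshooting steps quoted above only add capabilities to the bro binary and put acns-bro in adm. The script below models the Linux file-permission (DAC) check an open() of a device node goes through, to show why cap_net_raw/cap_net_admin on the binary cannot satisfy it: those capabilities cover raw sockets and interface configuration, while opening a device node is an owner/group/other check that only root or CAP_DAC_OVERRIDE bypasses. The owner, group and mode values fed to it are constructed, since the thread never shows `ls -l /dev/dag0`; the chgrp/chmod/udev remedy it prints is the generic fix for a device-node DAC failure, not something the DAG tooling was checked against.

```shell
#!/bin/sh
# Added example; not from the thread or from Bro/Endace. Models the Linux DAC
# check behind "dag_open /dev/dag0: Permission denied". All owner/group/mode
# inputs are constructed; nothing here reads the real /dev/dag0.

# in_list NEEDLE WORD... : succeed if NEEDLE equals one of the WORDs.
in_list() {
  needle=$1
  shift
  for w in "$@"; do
    [ "$w" = "$needle" ] && return 0
  done
  return 1
}

# dac_allows OWNER GROUP MODE USER "GROUPS" [WANT]
#   MODE   the nine permission characters ls -l prints after the type
#          character, e.g. rw-rw----
#   GROUPS the user's primary and supplementary groups, space separated
#   WANT   access needed; default rw, since the DAG library opens the
#          device read/write
# Linux picks exactly one class: owner bits if the uid matches, else group
# bits if any gid matches, else other bits, with no fallthrough. File
# capabilities on the calling binary play no part in this decision.
dac_allows() {
  owner=$1; group=$2; mode=$3; user=$4; grouplist=$5; want=${6:-rw}
  [ ${#mode} -eq 9 ] || { echo "dac_allows: mode must be 9 chars: $mode" >&2; return 2; }
  if [ "$user" = "$owner" ]; then
    bits=$(printf '%s\n' "$mode" | cut -c1-3)
  elif in_list "$group" $grouplist; then   # word-split on purpose
    bits=$(printf '%s\n' "$mode" | cut -c4-6)
  else
    bits=$(printf '%s\n' "$mode" | cut -c7-9)
  fi
  case $want in
    *r*) [ "$(printf '%s\n' "$bits" | cut -c1)" = r ] || return 1 ;;
  esac
  case $want in
    *w*) [ "$(printf '%s\n' "$bits" | cut -c2)" = w ] || return 1 ;;
  esac
  return 0
}

# diagnose OWNER GROUP MODE USER "GROUPS" : 0 if USER can open the node as-is,
# otherwise print the non-root remedy and return 1. On a real box the inputs
# come from `ls -l /dev/dag0` and `id <worker-user>`.
diagnose() {
  if dac_allows "$1" "$2" "$3" "$4" "$5"; then
    echo "ok: $4 can open a $1:$2 $3 node; the DAC check is not the blocker"
    return 0
  fi
  echo "denied: $4 cannot open a $1:$2 $3 node; cap_net_raw on bro will not change this"
  echo "fix (assumed generic remedy): chgrp <bro-group> /dev/dagN && chmod 660 /dev/dagN," \
       "or the equivalent udev rule so it survives reboot, then put $4 in that group"
  return 1
}

# Constructed scenario modelled on the thread: the worker runs as acns-bro,
# which was added to adm. The exit status is the answer (1 = denied), so each
# call gets `|| :` so the demo also runs cleanly under `sh -e`.
diagnose root root rw------- acns-bro "acns-bro adm" || :   # adm membership is irrelevant here
diagnose root adm  rw-rw---- acns-bro "acns-bro adm" || :   # node group-owned by adm and group-writable
```

On a live worker, the values to plug in come from `ls -l /dev/dag0`, `id acns-bro` and `getcap /usr/local/bro/bin/bro`. Two caveats worth keeping in mind alongside the model: the kernel ignores file capabilities on a filesystem mounted `nosuid` even though `getcap` still prints them, and a device node that the driver recreates on load will lose a hand-applied `chgrp`/`chmod`, which is why the persistent form of the remedy is a udev rule.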
