[Bro] First time Bro Cluster Spin up
Mike Patterson
mike.patterson at uwaterloo.ca
Tue Nov 18 12:34:34 PST 2014
Just FYI, I run a DAG 9.2 here - in the past, I’ve run into situations where a crashing worker (or Snort process) will “lock” its stream. I usually do a cold power off in those situations, as a reboot didn’t always seem to clear it. I don’t know if that’s what you ran into, but it’s something to keep in mind anyway.
It’s not clear to me - did you manage to get it working as non-root then?
Mike
--
Simple, clear purpose and principles give rise to complex and
intelligent behavior. Complex rules and regulations give rise
to simple and stupid behavior. - Dee Hock
> On Nov 18, 2014, at 2:22 PM, Dawson,Scottie <scottie.Dawson at colostate.edu> wrote:
>
> It was the Endace Capture card.
>
> scott
>
> "chop wood carry water"
>
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Dawson,Scottie
> Sent: Tuesday, November 18, 2014 7:17 AM
> To: bro at bro-ids.org
> Subject: Re: [Bro] First time Bro Cluster Spin up
>
> Thank you both John and Keith for the suggestions. I rebooted the server for good measure and re-ran the setcap command, with the same results in broctl.
>
> worker-21 terminated immediately after starting; check output with "diag"
>
> …..
>
> Diag worker-21
>
> …
>
> ….
>
> ==== stderr.log
>
> fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied
>
> …….
>
> Is anyone using an Endace card in their cluster? I am starting to suspect that the permissions issue has to do with how I am configuring and launching the capture card. I am going to reach out to their support organization and see if there is a way to launch the card as a non-root user.
>
> I am sure I can get all this working with root but I am trying to avoid that.
>
> Thanks again
>
> scott
>
> "chop wood carry water"
>
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Dawson,Scottie
> Sent: Monday, November 17, 2014 1:05 PM
> To: bro at bro-ids.org
> Subject: [Bro] First time Bro Cluster Spin up
>
> Hi.
>
> I am attempting to get a Bro cluster working and I get the following error for all my workers (full output of diag below). “fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied”
>
> Thoughts on what I am missing?
>
> Config:
>
> I have an Endace DAG8.1SX set up to run with 22 streams.
>
> 1 server set up to have 22 instances of BRO workers on it
>
> 1 server set up as the manager and proxy
>
> Using libpcap-1.6.2
>
> dag-5.2.0.
>
> bro version 2.3.1
>
> TS:
>
> 1. I have run the following command on both the worker and the manager/proxy servers.
>
> sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro
>
> 2. I can launch bro manually on the worker if I use sudo
>
> acns-bro@endace:/usr/local/bro/bin$ sudo ./bro -i dag0:42
> listening on dag0:42, capture length 8192 bytes
> ^C1416254260.140036 received termination signal
> 1416254260.140036 209 packets received on interface dag0:42, 0 dropped
>
> 3. Manipulated the user launching bro (acns-bro) group permissions to be in the adm group
>
> FULL OUTPUT of DIAG:
>
> [BroControl] > diag worker-21
>
> [worker-21]
>
> Bro 2.3.1
> Linux 3.13.0-39-generic
>
> ==== No reporter.log
>
> ==== stderr.log
> [dag_open] dag_clone dagfd for dagiom: Permission denied
> fatal error: /usr/local/bro/bin/bro: problem with interface dag0:42 - pcap_open_live: dag0:42: dag_open /dev/dag0: Permission denied
>
> ==== stdout.log
> max memory size (kbytes, -m) unlimited
> data seg size (kbytes, -d) unlimited
> virtual memory (kbytes, -v) unlimited
> core file size (blocks, -c) unlimited
>
> ==== .cmdline
> -i dag0:42 -U .status -p broctl -p broctl-live -p local -p worker-21 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
>
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=worker-21
>
> ==== .status
> TERMINATED [atexit]
>
> ==== No prof.log
>
> ==== No packet_filter.log
>
> ==== No loaded_scripts.log
>
> Scott Dawson
> ACNS Network Security
> Colorado State University
> 970-297-3712
>
> "chop wood carry water"
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
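The thread's symptom is worth separating into its two halves: `setcap cap_net_raw,cap_net_admin=eip` on the bro binary only grants raw-socket capabilities, while `dag_open /dev/dag0: Permission denied` is an ordinary file-permission failure on a device node, which no network capability overrides. The script below is an added example, not from this thread or from the Bro or Endace projects; it assumes the DAG library reaches the card through a plain open of `/dev/dag0`, and the function names `dac_allows`, `check_device` and `report` are my own. It answers, for a worker user such as acns-bro, whether the device node's owner, group and mode would let that user open it, which is the check to make before touching the binary's capabilities again.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose "dag_open /dev/dag0: Permission denied"
# for a non-root Bro worker. Assumption: the DAG library opens the device node with an
# ordinary open(2), so the node's mode bits apply; cap_net_raw/cap_net_admin on the bro
# binary cover raw sockets only and do not override file permissions.

# dac_allows MODE OWNER GROUP USER "GROUP LIST"
# Pure permission check: would USER (a member of the groups in GROUP LIST) get
# read+write on a file with octal MODE owned by OWNER:GROUP?  Returns 0 (allowed)
# or 1 (denied).  root is treated as allowed because CAP_DAC_OVERRIDE bypasses mode bits.
dac_allows() {
    perm=$(( 0$1 )); owner=$2; group=$3; user=$4; groups=$5
    if [ "$user" = root ]; then return 0; fi
    if [ "$user" = "$owner" ]; then
        bits=$(( (perm >> 6) & 7 ))            # owner triplet
    else
        bits=$(( perm & 7 ))                   # "other" triplet unless a group matches
        for g in $groups; do
            if [ "$g" = "$group" ]; then bits=$(( (perm >> 3) & 7 )); fi
        done
    fi
    [ $(( bits & 6 )) -eq 6 ]                  # need both r (4) and w (2)
}

# check_device DEVICE USER: apply dac_allows to a real path, e.g. /dev/dag0 and acns-bro.
# Returns 2 when the device node does not exist at all.
check_device() {
    dev=$1; user=$2
    info=$(stat -c '%a %U %G' "$dev" 2>/dev/null) || return 2
    set -- $info                               # mode owner group
    dac_allows "$1" "$2" "$3" "$user" "$(id -Gn "$user" 2>/dev/null)"
}

# report DEVICE USER BINARY: the three facts the thread was juggling, plus a verdict.
report() {
    dev=$1; user=$2; bin=$3
    echo "binary capabilities: $(getcap "$bin" 2>/dev/null || echo 'getcap unavailable')"
    echo "device node:         $(ls -l "$dev" 2>/dev/null || echo "$dev not present")"
    echo "groups of $user:     $(id -Gn "$user" 2>/dev/null)"
    if check_device "$dev" "$user"; then
        echo "verdict: $user can open $dev; the capture device is not the blocker"
    else
        echo "verdict: $user cannot open $dev; adjust the node's owner/group/mode, not the binary"
    fi
}

# Example invocation for the setup in the thread:
#   report /dev/dag0 acns-bro /usr/local/bro/bin/bro
```

Adding acns-bro to adm, as step 3 of the thread did, only helps if /dev/dag0 is actually group-owned by adm with a writable group triplet; the report shows both facts side by side.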