[Bro] Trying to get Bro to share Myricom cards with tcpdump or Snort

Brandon Lattin latt0050 at umn.edu
Fri Mar 20 08:24:44 PDT 2015


Just to verify, you're using the Sniffer10G v3 driver, yes?

Assuming you are, keep in mind that each interface is still limited to 32
ring buffers (this is what got me). So plan on running something like 16
for Bro and 16 for Snort/Suricata.

On Fri, Mar 20, 2015 at 10:18 AM, Glenn Forbes Fleming Larratt <
gl89 at cornell.edu> wrote:

> Folks,
>
> Can anyone point to a Bro+Snort HOWTO that would help me get Myricom cards
> to share?
>
> 1. Following the directions at
>
> https://www.myricom.com/software/sniffer10g/995-how-can-i-direct-sniffer10g-traffic-to-multiple-applications-using-snf-app-id.html
>
> doesn't really help, because my Bro deployment is a cluster, and the
> environmental variables don't propagate to my worker hosts - in fact,
> /proc/{bro_pid}/environ is 0-length on all the processes on the worker
> hosts.
>
> 2. I tried to reverse-engineer how Security Onion does it, but I didn't
> really glean anything that would help.
>
> Thanks for any info,
> --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office



-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672