[Bro] Trying to get Bro to share Myricom cards with tcpdump or Snort
Glenn Forbes Fleming Larratt
gl89 at cornell.edu
Fri Mar 20 08:31:46 PDT 2015
I am using the Sniffer10G driver, and in support of getting proof of
concept, dropped the number of workers/host from 12 to 11 (we're actually
RAM-limited because of the quantity of data we're trying to process).
Abridged output of myri_endpoint_info:
The myri_snf driver is configured to support a maximum of:
160 endpoints per NIC, 32 NICs per host
===================================================================
Endpoint PID Command Info
<ether> none none
32 43305 bro rx handle (11 shared rings)
33 43304 bro rx handle (11 shared rings)
34 43300 bro rx handle (11 shared rings)
35 43302 bro rx handle (11 shared rings)
36 43307 bro rx handle (11 shared rings)
37 43303 bro rx handle (11 shared rings)
38 43301 bro rx handle (11 shared rings)
39 43306 bro rx handle (11 shared rings)
40 43308 bro rx handle (11 shared rings)
41 43310 bro rx handle (11 shared rings)
42 43309 bro rx handle (11 shared rings)
64 43306 bro rx ring 0
65 43305 bro rx ring 1
66 43307 bro rx ring 2
67 43303 bro rx ring 3
68 43302 bro rx ring 4
69 43308 bro rx ring 5
70 43309 bro rx ring 6
71 43301 bro rx ring 7
72 43300 bro rx ring 8
73 43310 bro rx ring 9
74 43304 bro rx ring 10
There are currently 22 regular endpoints open
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
On Fri, 20 Mar 2015, Brandon Lattin wrote:
> Just to verify, you're using the Sniffer10G v3 driver, yes?
> Assuming you are, keep in mind that each interface is still limited to 32 ring buffers (this is what got me). So
> plan on running something like 16 for Bro and 16 for Snort/Suricata.
>
> On Fri, Mar 20, 2015 at 10:18 AM, Glenn Forbes Fleming Larratt <gl89 at cornell.edu> wrote:
> Folks,
>
> Can anyone point to a Bro+Snort HOWTO that would help me get Myricom cards
> to share?
>
> 1. Following the directions at
>
> https://www.myricom.com/software/sniffer10g/995-how-can-i-direct-sniffer10g-traffic-to-multiple-applications-using-snf-app-id.html
>
> doesn't really help, because my Bro deployment is a cluster, and the
> environmental variables don't propagate to my worker hosts - in fact,
> /proc/{bro_pid}/environ is 0-length on all the processes on the worker
> hosts.
>
> 2. I tried to reverse-engineer how Security Onion does it, but I didn't
> really glean anything that would help.
>
> Thanks for any info,
> --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
>
> --
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
>
>
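The following is an added example and not code from either poster or from Myricom: a small POSIX shell script that tallies "rx ring" endpoints per application in myri_endpoint_info output (the table format Glenn posted above) and checks the total against the 32-rings-per-interface limit Brandon mentions. The sample output embedded in the script is constructed for the example: it keeps Glenn's column layout but shrinks bro to 4 rings and adds hypothetical snort endpoints and PIDs that do not appear in the thread. The functions work for any name in the Command column (bro, snort, suricata), not just the two shown.

```shell
#!/bin/sh
# Added example, not part of the thread: count Sniffer10G rx rings per
# application from myri_endpoint_info output and compare the total with the
# 32-ring-per-interface budget quoted in the thread.
#
# SAMPLE_ENDPOINT_INFO is constructed for this example. It mirrors the
# column layout from the post (Endpoint, PID, Command, Info) but uses 4 bro
# rings and hypothetical snort endpoints/PIDs (51001, 51002, rings 80/81).
SAMPLE_ENDPOINT_INFO='The myri_snf driver is configured to support a maximum of:
160 endpoints per NIC, 32 NICs per host
===================================================================
Endpoint PID Command Info
<ether> none none
32 43305 bro rx handle (4 shared rings)
33 43304 bro rx handle (4 shared rings)
34 43300 bro rx handle (4 shared rings)
35 43302 bro rx handle (4 shared rings)
48 51001 snort rx handle (2 shared rings)
49 51002 snort rx handle (2 shared rings)
64 43306 bro rx ring 0
65 43305 bro rx ring 1
66 43307 bro rx ring 2
67 43303 bro rx ring 3
80 51001 snort rx ring 0
81 51002 snort rx ring 1
There are currently 12 regular endpoints open'

# Number of "rx ring N" endpoints whose Command column equals the given
# application name. On a live sensor, replace the printf with a real
# `myri_endpoint_info` invocation.
rings_for_app() {
    printf '%s\n' "$SAMPLE_ENDPOINT_INFO" | awk -v app="$1" '
        $3 == app && $4 == "rx" && $5 == "ring" { n++ }
        END { print n + 0 }'
}

# Ring count the application itself declared, from the "(N shared rings)"
# text on its first "rx handle" line. Prints nothing if it has no handle.
declared_rings_for_app() {
    printf '%s\n' "$SAMPLE_ENDPOINT_INFO" | awk -v app="$1" '
        $3 == app && $4 == "rx" && $5 == "handle" {
            gsub(/[()]/, "", $6)   # "(4" -> "4"
            print $6
            exit
        }'
}

# Every rx ring on the interface, whichever application owns it.
total_rings() {
    printf '%s\n' "$SAMPLE_ENDPOINT_INFO" | awk '
        $4 == "rx" && $5 == "ring" { n++ }
        END { print n + 0 }'
}

# Exit 0 when rings in use fit the per-interface limit (default 32).
ring_budget_ok() {
    limit="${1:-32}"
    [ "$(total_rings)" -le "$limit" ]
}

# Exit 0 when the ring lines for an application agree with the count on its
# handle line. A mismatch means some worker never attached a ring, so the
# Bro/Snort split on the card is not the one you configured.
rings_consistent() {
    declared="$(declared_rings_for_app "$1")"
    [ -n "$declared" ] && [ "$(rings_for_app "$1")" -eq "$declared" ]
}

# Stand-alone report
for app in bro snort; do
    echo "$app: $(rings_for_app "$app") rings in use, $(declared_rings_for_app "$app") declared"
done
echo "total: $(total_rings) of 32 rings"
ring_budget_ok && echo "ring budget OK" || echo "ring budget EXCEEDED"
```

Fed Glenn's actual output instead of the sample, rings_for_app bro returns 11 and declared_rings_for_app bro returns 11, matching the "(11 shared rings)" on each handle line. Only the handle lines carry the declared count, so the consistency check is what tells you whether dropping workers from 12 to 11 (or splitting 16/16 as Brandon suggests) actually took effect on the card.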