[Bro] Trying to get Bro to share Myricom cards with tcpdump or Snort

Glenn Forbes Fleming Larratt gl89 at cornell.edu
Fri Mar 20 08:31:46 PDT 2015


I am using the Sniffer10G driver, and in support of getting proof of 
concept, dropped the number of workers/host from 12 to 11 (we're actually 
RAM-limited because of the quantity of data we're trying to process).

Abridged output of myri_endpoint_info:
The myri_snf driver is configured to support a maximum of:
         160 endpoints per NIC, 32 NICs per host
===================================================================
Endpoint         PID             Command                 Info
<ether>         none            none
32              43305           bro             rx handle (11 shared rings)
33              43304           bro             rx handle (11 shared rings)
34              43300           bro             rx handle (11 shared rings)
35              43302           bro             rx handle (11 shared rings)
36              43307           bro             rx handle (11 shared rings)
37              43303           bro             rx handle (11 shared rings)
38              43301           bro             rx handle (11 shared rings)
39              43306           bro             rx handle (11 shared rings)
40              43308           bro             rx handle (11 shared rings)
41              43310           bro             rx handle (11 shared rings)
42              43309           bro             rx handle (11 shared rings)
64              43306           bro             rx ring 0
65              43305           bro             rx ring 1
66              43307           bro             rx ring 2
67              43303           bro             rx ring 3
68              43302           bro             rx ring 4
69              43308           bro             rx ring 5
70              43309           bro             rx ring 6
71              43301           bro             rx ring 7
72              43300           bro             rx ring 8
73              43310           bro             rx ring 9
74              43304           bro             rx ring 10
There are currently 22 regular endpoints open


-- 
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Fri, 20 Mar 2015, Brandon Lattin wrote:

> Just to verify, you're using the Sniffer10G v3 driver, yes?
> Assuming you are, keep in mind that each interface is still limited to 32 ring buffers (this is what got me). So
> plan on running something like 16 for Bro and 16 for Snort/Suricata. 
> 
> On Fri, Mar 20, 2015 at 10:18 AM, Glenn Forbes Fleming Larratt <gl89 at cornell.edu> wrote:
>       Folks,
>
>       Can anyone point to a Bro+Snort HOWTO that would help me get Myricom cards
>       to share?
>
>       1. Following the directions at
>
>         https://www.myricom.com/software/sniffer10g/995-how-can-i-direct-sniffer10g-traffic-to-multiple-applications-using-snf-app-id.html
>
>       doesn't really help, because my Bro deployment is a cluster, and the
>       environmental variables don't propagate to my worker hosts - in fact,
>       /proc/{bro_pid}/environ is 0-length on all the processes on the worker
>       hosts.
>
>       2. I tried to reverse-engineer how Security Onion does it, but I didn't
>       really glean anything that would help.
>
>       Thanks for any info,
>       --
>       Glenn Forbes Fleming Larratt
>       Cornell University IT Security Office
>       _______________________________________________
>       Bro mailing list
>       bro at bro-ids.org
>       http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
> 
> 
> --
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
> 
>
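An added example, not from the thread or from Myricom: a small parser for myri_endpoint_info output like the listing above that tallies "rx ring" and "rx handle" endpoints per command and reports how many of the 32 per-interface rings (the limit Brandon mentions for the Sniffer10G v3 driver) are still free for a second application. The sample output is constructed for a single NIC with PIDs and counts made up; the RING_LIMIT constant and the ring_usage function are mine.

```python
import re
from collections import Counter

# Per-interface ring limit stated in the thread for Sniffer10G v3 (assumption: one NIC).
RING_LIMIT = 32

# Constructed sample modelled on the myri_endpoint_info listing in the thread;
# PIDs and counts are made up, and two applications share the NIC here.
SAMPLE = """\
The myri_snf driver is configured to support a maximum of:
         160 endpoints per NIC, 32 NICs per host
===================================================================
Endpoint         PID             Command                 Info
<ether>         none            none
32              43305           bro             rx handle (3 shared rings)
48              51000           snort           rx handle (2 shared rings)
64              43306           bro             rx ring 0
65              43305           bro             rx ring 1
66              43307           bro             rx ring 2
80              51000           snort           rx ring 0
81              51001           snort           rx ring 1
There are currently 7 regular endpoints open
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*?)\s*$")   # endpoint pid command info
RING = re.compile(r"^rx ring \d+$")
HANDLE = re.compile(r"^rx handle \((\d+) shared rings\)$")

def ring_usage(text, limit=RING_LIMIT):
    """Count rx ring / rx handle endpoints per command and the rings left under limit."""
    rings, handles, claimed = Counter(), Counter(), {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator, <ether> and summary lines
        _, _, cmd, info = m.groups()
        if RING.match(info):
            rings[cmd] += 1          # one ring endpoint, whatever its index
        else:
            h = HANDLE.match(info)
            if h:
                handles[cmd] += 1
                claimed[cmd] = int(h.group(1))   # rings the handle says it shares
    used = sum(rings.values())
    # A handle advertising a ring count that differs from the rings actually open
    # hints that workers were started with inconsistent settings.
    mismatch = {c for c, n in claimed.items() if n != rings[c]}
    return {"rings": dict(rings), "handles": dict(handles),
            "rings_free": limit - used, "mismatch": sorted(mismatch)}
```

Run it against the real listing by feeding the command's output to ring_usage instead of SAMPLE; on a multi-NIC host split the output per NIC first, since the limit is per interface.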

