[Bro] Trying to get Bro to share Myricom cards with tcpdump or Snort

Aashish Sharma asharma at lbl.gov
Fri Mar 20 08:34:57 PDT 2015


Hello Glenn:

(You'd need Myricom Sniffer V3 drivers in order to run multiple applications. V2 only allows one application to listen.)

For Bro workers:

Try setting your worker nodes like the following:

[worker-1]
type=worker
host=bro-worker.site.edu 
interface=myri0
lb_method=myricom
lb_procs=10
pin_cpus=3,5,7,9,11,13,15,17,19,21
env_vars="LD_LIBRARY_PATH=/usr/local/opt/snf/lib:$PATH SNF_DATARING_SIZE=0x20000000 SNF_NUM_RINGS=10 SNF_FLAGS=0x1"


- Also, I have put the following in broctl.cfg :

env_vars="LD_LIBRARY_PATH=/usr/local/opt/snf/lib"


- And have LD_LIBRARY_PATH=/usr/local/opt/snf/lib in my .bash_profile of bro user. 

(depending on what shell you are using)


This config works quite alright. Others can chime in if they have a more optimal config.

Oh btw, CPU numbering is different on FreeBSD vs Linux, so depending on your OS, make sure you are running a worker on each core, instead of 2 workers on core+hyperthread leaving a bunch of other cores free. The above pin_cpus scheme is for FreeBSD. I believe Linux is 1,2,3,4,5,6,7...... (not sure).

Hope this helps. 

Thanks, 
Aashish 


On Fri, Mar 20, 2015 at 11:18:29AM -0400, Glenn Forbes Fleming Larratt wrote:
> Folks,
> 
> Can anyone point to a Bro+Snort HOWTO that would help me get Myricom cards 
> to share?
> 
> 1. Following the directions at
> 
>    https://www.myricom.com/software/sniffer10g/995-how-can-i-direct-sniffer10g-traffic-to-multiple-applications-using-snf-app-id.html
> 
> doesn't really help, because my Bro deployment is a cluster, and the 
> environmental variables don't propagate to my worker hosts - in fact,
> /proc/{bro_pid}/environ is 0-length on all the processes on the worker 
> hosts.
> 
> 2. I tried to reverse-engineer how Security Onion does it, but I didn't 
> really glean anything that would help.
> 
> Thanks for any info,
> -- 
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office

-- 
Aashish Sharma	(asharma at lbl.gov) 				 
Cyber Security, 
Lawrence Berkeley National Laboratory  
http://go.lbl.gov/pgp-aashish 
Office: (510)-495-2680  Cell: (510)-612-7971
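
The message above warns against pinning two workers to a core and its hyperthread. The following is an added example, not part of the original message: a shell sketch for a Linux worker host that builds a pin_cpus list with one logical CPU per physical core and checks an existing list. It assumes the Linux sysfs topology files under /sys/devices/system/cpu; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). Assumes Linux sysfs, where
# cpuN/topology/thread_siblings_list holds e.g. "0,12" or "0-1".

# core_key ROOT CPU: print the lowest-numbered hyperthread sibling of CPU,
# which serves as an identifier for the physical core.
core_key() {
    local sib
    sib=$(cat "$1/cpu$2/topology/thread_siblings_list" 2>/dev/null) || return 1
    printf '%s\n' "${sib%%[,-]*}"
}

# pin_cpus_for ROOT N: print a comma-separated pin_cpus value holding one
# logical CPU per physical core, for N workers (lb_procs). Fails if the host
# has fewer than N physical cores.
pin_cpus_for() {
    local root=$1 want=$2 d cores count
    cores=$(for d in "$root"/cpu[0-9]*; do
                [ -r "$d/topology/thread_siblings_list" ] || continue
                core_key "$root" "${d##*/cpu}"
            done | sort -n -u)
    count=$(printf '%s\n' "$cores" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -lt "$want" ]; then
        echo "only $count physical cores, $want workers requested" >&2
        return 1
    fi
    printf '%s\n' "$cores" | head -n "$want" | paste -sd, -
}

# check_pin_cpus ROOT LIST: return 1 if two entries of LIST (a pin_cpus value)
# sit on the same physical core, 2 if a CPU is unknown, 0 otherwise.
check_pin_cpus() {
    local root=$1 cpu key seen=" " rc=0
    for cpu in $(printf '%s' "$2" | tr ',' ' '); do
        key=$(core_key "$root" "$cpu") || return 2
        case "$seen" in
            *" $key "*) echo "cpu $cpu shares a core with an earlier entry" >&2
                        rc=1 ;;
        esac
        seen="$seen$key "
    done
    return $rc
}

# On a real host: pin_cpus_for /sys/devices/system/cpu 10
```
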

