[Bro] Trying to get Bro to share Myricom cards with tcpdump or Snort
Aashish Sharma
asharma at lbl.gov
Fri Mar 20 08:34:57 PDT 2015
Hello Glenn:
(You'd need Myricom Sniffer V3 drivers in order to run multiple applications. V2 only allows one application to listen.)
For Bro workers:
Try setting your worker nodes like the following:
[worker-1]
type=worker
host=bro-worker.site.edu
interface=myri0
lb_method=myricom
lb_procs=10
pin_cpus=3,5,7,9,11,13,15,17,19,21
env_vars="LD_LIBRARY_PATH=/usr/local/opt/snf/lib:$PATH SNF_DATARING_SIZE=0x20000000 SNF_NUM_RINGS=10 SNF_FLAGS=0x1"
- Also, I have put the following in broctl.cfg:
env_vars="LD_LIBRARY_PATH=/usr/local/opt/snf/lib"
- And I have LD_LIBRARY_PATH=/usr/local/opt/snf/lib in the .bash_profile of the bro user.
(depending on what shell you are using)
This config works quite alright. Others can chime in if they have a more optimal config.
Oh btw, CPU numbering is different on FreeBSD vs Linux, so depending on your OS, make sure you are running a worker on each core, instead of 2 workers on core+hyperthread leaving a bunch of other cores free. The above pin_cpus scheme is for FreeBSD. I believe Linux is 1,2,3,4,5,6,7...... (not sure).
Hope this helps.
Thanks,
Aashish
On Fri, Mar 20, 2015 at 11:18:29AM -0400, Glenn Forbes Fleming Larratt wrote:
> Folks,
>
> Can anyone point to a Bro+Snort HOWTO that would help me get Myricom cards
> to share?
>
> 1. Following the directions at
>
> https://www.myricom.com/software/sniffer10g/995-how-can-i-direct-sniffer10g-traffic-to-multiple-applications-using-snf-app-id.html
>
> doesn't really help, because my Bro deployment is a cluster, and the
> environmental variables don't propagate to my worker hosts - in fact,
> /proc/{bro_pid}/environ is 0-length on all the processes on the worker
> hosts.
>
> 2. I tried to reverse-engineer how Security Onion does it, but I didn't
> really glean anything that would help.
>
> Thanks for any info,
> --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
--
Aashish Sharma (asharma at lbl.gov)
Cyber Security,
Lawrence Berkeley National Laboratory
http://go.lbl.gov/pgp-aashish
Office: (510)-495-2680 Cell: (510)-612-7971
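A check for the two pitfalls raised in this thread (SNF variables not reaching the worker processes, and workers pinned to hyperthread siblings), added here as an example and not written by either poster. It assumes Linux /proc and /sys paths and a worker process named bro; the function names are made up for this example.

```shell
#!/bin/sh
# Added example. Assumes Linux (/proc/<pid>/environ, sysfs CPU topology).
# Reading another user's environ needs the same uid or root.

# snf_env FILE: print LD_LIBRARY_PATH and SNF_* entries from a
# NUL-separated environ file such as /proc/<pid>/environ.
snf_env() {
    tr '\0' '\n' < "$1" | grep -E '^(SNF_[A-Z_]+|LD_LIBRARY_PATH)=' | sort
}

# missing_snf FILE: print each variable from the node.cfg env_vars line
# in this thread that is absent from the process environment.
missing_snf() {
    for var in LD_LIBRARY_PATH SNF_DATARING_SIZE SNF_NUM_RINGS SNF_FLAGS; do
        snf_env "$1" | grep -q "^$var=" || echo "$var"
    done
}

# shared_cores CPULIST [SYSROOT]: print "a,b" for every pair of pinned CPUs
# that are threads of one physical core. Two logical CPUs share a core
# exactly when their thread_siblings_list files are identical.
shared_cores() {
    root=${2:-/sys/devices/system/cpu}
    for cpu in $(echo "$1" | tr ',' ' '); do
        f="$root/cpu$cpu/topology/thread_siblings_list"
        if [ -r "$f" ]; then
            echo "$(cat "$f") $cpu"
        fi
    done | awk '{ if ($1 in first) print first[$1] "," $2; else first[$1] = $2 }'
}

# Run with the pin_cpus value as the argument, e.g.:
#   sh check_workers.sh 3,5,7,9,11,13,15,17,19,21
if [ "$#" -gt 0 ]; then
    for pid in $(pgrep -x bro); do
        m=$(missing_snf "/proc/$pid/environ" | tr '\n' ' ')
        echo "pid $pid missing: ${m:-none}"
    done
    echo "pinned CPUs sharing a core: $(shared_cores "$1" | tr '\n' ' ')"
fi
```

An empty /proc/<pid>/environ, as described in the original question, shows up here as all four variables missing.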