[Bro] Trying to get Bro to share Myricom cards with tcpdump or Snort
Michał Purzyński
michalpurzynski1 at gmail.com
Fri Mar 20 08:38:53 PDT 2015
From my Bro's node.cfg - look at the "env_vars". I don't use the
multi-application mode but that is how you pass the variables to Bro
workers.
[nsm7-eth4]
type=worker
host=a.b.c.d
interface=eth4
lb_method=myricom
lb_procs=12
pin_cpus=1,2,3,4,5,6,7,8,9,10,11,12
env_vars=SNF_DEBUG_MASK=0x3,SNF_DESCRING_SIZE=4294967296,SNF_DATARING_SIZE=17179869184
For other applications you will most likely have to modify the SO
startup/stop scripts, putting the variables just before the application is
started.
On Fri, Mar 20, 2015 at 4:31 PM, Glenn Forbes Fleming Larratt
<gl89 at cornell.edu> wrote:
> I am using the Sniffer10G driver, and in support of getting proof of
> concept, dropped the number of workers/host from 12 to 11 (we're actually
> RAM-limited because of the quantity of data we're trying to process).
>
> Abridged output of myri_endpoint_info:
> The myri_snf driver is configured to support a maximum of:
> 160 endpoints per NIC, 32 NICs per host
> ===================================================================
> Endpoint PID Command Info
> <ether> none none
> 32 43305 bro rx handle (11 shared rings)
> 33 43304 bro rx handle (11 shared rings)
> 34 43300 bro rx handle (11 shared rings)
> 35 43302 bro rx handle (11 shared rings)
> 36 43307 bro rx handle (11 shared rings)
> 37 43303 bro rx handle (11 shared rings)
> 38 43301 bro rx handle (11 shared rings)
> 39 43306 bro rx handle (11 shared rings)
> 40 43308 bro rx handle (11 shared rings)
> 41 43310 bro rx handle (11 shared rings)
> 42 43309 bro rx handle (11 shared rings)
> 64 43306 bro rx ring 0
> 65 43305 bro rx ring 1
> 66 43307 bro rx ring 2
> 67 43303 bro rx ring 3
> 68 43302 bro rx ring 4
> 69 43308 bro rx ring 5
> 70 43309 bro rx ring 6
> 71 43301 bro rx ring 7
> 72 43300 bro rx ring 8
> 73 43310 bro rx ring 9
> 74 43304 bro rx ring 10
> There are currently 22 regular endpoints open
>
>
> --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
>
> On Fri, 20 Mar 2015, Brandon Lattin wrote:
>
>> Just to verify, you're using the Sniffer10G v3 driver, yes?
>> Assuming you are, keep in mind that each interface is still limited to 32
>> ring buffers (this is what got me). So
>> plan on running something like 16 for Bro and 16 for Snort/Suricata.
>>
>> On Fri, Mar 20, 2015 at 10:18 AM, Glenn Forbes Fleming Larratt
>> <gl89 at cornell.edu> wrote:
>> Folks,
>>
>> Can anyone point to a Bro+Snort HOWTO that would help me get Myricom cards
>> to share?
>>
>> 1. Following the directions at
>>
>> https://www.myricom.com/software/sniffer10g/995-how-can-i-direct-sniffer10g-traffic-to-multiple-applications-using-snf-app-id.html
>>
>> doesn't really help, because my Bro deployment is a cluster, and the
>> environmental variables don't propagate to my worker hosts - in fact,
>> /proc/{bro_pid}/environ is 0-length on all the processes on the worker
>> hosts.
>>
>> 2. I tried to reverse-engineer how Security Onion does it, but I didn't
>> really glean anything that would help.
>>
>> Thanks for any info,
>> --
>> Glenn Forbes Fleming Larratt
>> Cornell University IT Security Office
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>>
>>
>> --
>> Brandon Lattin
>> Security Analyst
>> University of Minnesota - University Information Security
>> Office: 612-626-6672
>>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
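As an added example (not from anyone in this thread, nor from Bro or Myricom), a small Python checker that splits a node.cfg env_vars line the way broctl hands it to a worker's environment, and counts the rx rings already open in myri_endpoint_info output against the 32-rings-per-interface limit Brandon mentions, so you can see how many rings are left for a second application. The node.cfg stanza and endpoint listing are constructed, abridged copies of what was posted above; the per-interface limit is taken from the thread.

```python
import re
from collections import Counter

# Per-interface ring limit stated in the thread for the Sniffer10G v3 driver.
MAX_RINGS_PER_INTERFACE = 32

# Constructed node.cfg worker stanza, modelled on the one posted in the thread.
NODE_CFG = """\
[nsm7-eth4]
type=worker
host=a.b.c.d
interface=eth4
lb_method=myricom
lb_procs=12
pin_cpus=1,2,3,4,5,6,7,8,9,10,11,12
env_vars=SNF_DEBUG_MASK=0x3,SNF_DESCRING_SIZE=4294967296,SNF_DATARING_SIZE=17179869184
"""

# Constructed, abridged myri_endpoint_info output in the format shown in the thread.
ENDPOINT_INFO = """\
Endpoint PID Command Info
<ether> none none
32 43305 bro rx handle (3 shared rings)
33 43304 bro rx handle (3 shared rings)
64 43306 bro rx ring 0
65 43305 bro rx ring 1
66 43307 bro rx ring 2
"""

def parse_node_cfg(text):
    """Return {section: {key: value}}. env_vars becomes its own dict, since
    broctl splits it on ',' into KEY=VALUE pairs for that worker's environment."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None:
            continue  # key before any [section] header; ignore
        key, _, value = line.partition("=")
        if key.strip() == "env_vars":
            value = dict(kv.split("=", 1) for kv in value.split(","))
        current[key.strip()] = value
    return sections

def rings_per_command(text):
    """Count 'rx ring' endpoints per application ('rx handle' lines are not rings)."""
    counts = Counter()
    for line in text.splitlines():
        m = re.match(r"\d+\s+\d+\s+(\S+)\s+rx ring \d+", line)
        if m:
            counts[m.group(1)] += 1
    return counts

def rings_available(text, planned=0):
    """Rings left on the interface after the open ones and a second app's planned rings."""
    return MAX_RINGS_PER_INTERFACE - sum(rings_per_command(text).values()) - planned
```

A negative result from rings_available means the planned split (for example 16 for Bro and 16 for Snort/Suricata) will not fit beside what is already open.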