[Bro] Bro and APCON

Josh Guild josh.guild at morphick.com
Thu Apr 21 07:30:32 PDT 2016


Hi Dave,

We bypassed the APCON in one of the environments and it helped a little
with capture loss (about a 10% drop) and errors in the weird.log.
Unfortunately, this was during a weekend so it's tough to say how much of
an impact it made. Another network we're in fixed some load balancing
issues upstream and this helped significantly with loss (though weird.logs
remain about where they were). I think the APCON may have been a red
herring in this instance but I'd be curious to see how your network looks
before and after implementation if you'd like to keep in touch.

The main things I've been looking at are capture loss and weird.log errors
(specifically HTTP_version_mismatch, SYN_seq_jump,
TCP_seq_underflow_or_misorder); these may lean towards traffic being
mangled. This presentation is pretty helpful in showing you what to look
for:
https://speakerdeck.com/vladg/bro-deployment-verification-and-troubleshooting

Thanks!

On Thu, Apr 21, 2016 at 10:08 AM, Dave Crawford <dave at pingtrip.com> wrote:

> Josh,
>
> Were you able to solve this issue? We just started swapping out our
> current solution with Apcon’s and wondering if we’ll run into the same
> issue.
>
> -Dave
>
> On Apr 7, 2016, at 2:39 PM, Josh Guild <josh.guild at morphick.com> wrote:
>
> Hi all,
>
> We have a few deployments that utilize an APCON for traffic aggregation.
> We've noticed in these environments that Bro has trouble reassembling the
> traffic correctly and there is a significant amount of capture loss (based
> on the script). We've tried different hashing algorithms on the APCON to no
> effect.
>
> Has anyone else seen anything similar to this or have any insight?
>
> Thanks!
>
> --
> Josh Guild
> Network Intelligence Analyst
> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
>


-- 
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
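As an added example (mine, not code from the thread or from Bro), this script tallies the three weird names Josh singles out per worker and averages percent_lost from capture_loss.log per worker, so a single aggregator output port feeding one worker stands out from a sensor-wide problem. The sample logs are constructed; the column layout assumes Bro's default tab-separated ASCII writer.

```python
from collections import Counter

# The weird names singled out above as hints that traffic is being mangled
# upstream of Bro's TCP reassembly.
REASSEMBLY_WEIRDS = {"HTTP_version_mismatch", "SYN_seq_jump",
                     "TCP_seq_underflow_or_misorder"}

def parse_bro_log(text):
    """Parse Bro's tab-separated ASCII log into dicts keyed by the '#fields' header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):  # other '#' lines are metadata
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def tally_reassembly_weirds(weird_records):
    """Count reassembly-related weirds per (worker, name); one skewed worker
    points at a single aggregator output port rather than the whole tap."""
    tally = Counter()
    for rec in weird_records:
        if rec["name"] in REASSEMBLY_WEIRDS:
            tally[(rec["peer"], rec["name"])] += 1
    return tally

def capture_loss_by_peer(loss_records):
    """Mean percent_lost per worker from capture_loss.log."""
    total, count = Counter(), Counter()
    for rec in loss_records:
        total[rec["peer"]] += float(rec["percent_lost"])
        count[rec["peer"]] += 1
    return {peer: total[peer] / count[peer] for peer in total}

def tsv(*rows):
    return "\n".join("\t".join(r) for r in rows) + "\n"

# Constructed sample logs (not from the thread); columns follow Bro's defaults.
WEIRD_LOG = tsv(
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "name", "addl", "notice", "peer"],
    ["1461246000.1", "C1", "10.0.0.5", "50000", "10.0.0.9", "80", "SYN_seq_jump", "-", "F", "worker-1"],
    ["1461246001.2", "C2", "10.0.0.5", "50001", "10.0.0.9", "80", "TCP_seq_underflow_or_misorder", "-", "F", "worker-1"],
    ["1461246002.3", "C3", "10.0.0.6", "50002", "10.0.0.9", "80", "HTTP_version_mismatch", "-", "F", "worker-1"],
    ["1461246003.4", "C4", "10.0.0.7", "50003", "10.0.0.9", "443", "dns_unmatched_msg", "-", "F", "worker-2"])
CAPTURE_LOSS_LOG = tsv(
    ["#fields", "ts", "ts_delta", "peer", "gaps", "acks", "percent_lost"],
    ["1461246000.0", "900.0", "worker-1", "120", "1000", "12.0"],
    ["1461246900.0", "900.0", "worker-1", "80", "1000", "8.0"],
    ["1461246000.0", "900.0", "worker-2", "5", "1000", "0.5"])
```

Point the two functions at a real weird.log and capture_loss.log and compare the per-worker numbers before and after the aggregator is bypassed.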