[Bro] Network taps for Bro

Mike Patterson mike.patterson at uwaterloo.ca
Wed Aug 3 12:54:28 PDT 2016


Depending on your actual load, you'll definitely need load balancing, whether or not you're plugged in directly. Depending on the NIC, there are various solutions - PF_RING drivers for various platforms (Intel X520 is popular), Endace DAG, Myricom - I probably left somebody out - that can do this for varying costs. DAG is fantastically expensive, but is kinda magic (except when it isn't; kernel upgrades can hose you). PF_RING is cheap - free for certain folks - but I find it a bit more annoying to configure and maintain than the DAG. Can't argue with the price though. I can't speak for the Myricom options, but I gather they're a middle ground - more expensive than X520 + PF_RING, much less expensive than a DAG. All perform reasonably well.

My own environment started out with a single Dell R710 with a DAG 9.2X2, into which I plugged a couple SPAN ports, merged them, then load balanced them back out again. For a while I ran both Snort and Bro on the same box. Later, I acquired an Arista 7150S and 720 with Intel gear, put my SPANs into that, then have it just merge my two inputs into single outputs on a couple of tap ports - an upgraded box contains the DAG for Bro, and the new 720 contains an X520 with PF_RING, which does similar load balancing for Snort. Be prepared to spend a certain amount of time up front configuring hardware + software just so. Having the Arista in the mix is nice because I can easily add more tap ports for a test environment, one-off snooping, that sort of thing.

Mike

-- 
The question, "Will a key with more bits give me better security?" is
a lot like the question, "Will more cylinders in my car engine make
me go faster?" - Jon Callas

> On Aug 3, 2016, at 15:39, Daniel Manzo <daniel.manzo at bayer.com> wrote:
> 
> It is a single 10G connection right now, but possibly expanding in the future. I’m just focusing on the single 10G at the moment, so I think I would be able to connect right to the bro box, like you mentioned. I’ll look more into tap aggregation/load-balancing later on.
>  
> Thanks,
> Daniel
>  
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Gary Faulkner
> Sent: Wednesday, August 03, 2016 3:29 PM
> To: bro at bro.org
> Subject: Re: [Bro] Network taps for Bro
>  
> Another thing to consider is if it is a single 10G connection you may be able to go right to the bro box from the tap, but if you have multiple 10G connections, or need to send the signal to monitoring tools on multiple boxes, you may also need to look into a tap aggregator/load-balancer as well. If the connection is running on a specific CWDM/DWDM wavelength you may also need to check that your NICs and/or tap aggregator support the proper optics, as not all do.
> 
> ~Gary
> 
> On 8/3/16 2:02 PM, James Eyrich wrote:
> Bro doesn't care about any of that.
> The optics going into your tap aggregator or direct into the bro
> nodes need to match whatever you are using for the connection;
> same for the splitter.
> Regarding splitter ratios - it depends on your light budget regarding
> the receive sensitivity on the ends of the actual connection and the
> optics feeding the bro system.
> Off the top of my head I was thinking 50/50 is good for data center and
> 70/30 for WAN.
> If you are running out of light once the splitter is in place you might
> have to move to higher powered optics all around.
>  
> One thing we ran into is some of the "lite" optics for use in data
> centers also have reduced sensitivity in addition to lower send power.
>  
> On 8/3/2016 1:37 PM, Daniel Manzo wrote:
>  
> Hi all,
> 
> My team is looking into using the Bro IDS for monitoring of a science
> DMZ with a 10 Gbps network. I was wondering how to choose which
> network tap(s) is necessary for this type of connection and if you
> have any recommendations/methods for setting up the hardware for Bro.
> I have been looking at the passive Ixia Flex taps, specifically the LC
> 10G SM 50/50 split tap. Will single mode (SM) versus multi-mode (MM)
> make a difference for Bro? And does Bro require a 50/50 ratio, or
> would I be able to get away with a different ratio?
> 
> Thanks for the help,
>  
> Daniel Manzo
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

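The light-budget check James describes above (splitter ratio versus receive sensitivity, and "running out of light" on the monitor leg), as an added example that is not part of this thread. All optic numbers are constructed placeholders, not datasheet values; it computes how much light each leg of a passive splitter has left for a 50/50 versus a 70/30 split.

```python
import math

# Illustrative optic numbers (constructed; take the real values from the
# datasheets of the optics on both ends of the link and of the monitoring NIC).
TX_POWER_DBM = -8.2        # minimum average launch power of the link optics
RX_SENS_DBM = -14.4        # receive sensitivity of the link optics
MON_RX_SENS_DBM = -14.4    # receive sensitivity of the optic feeding the Bro box
FIBER_LOSS_DB = 0.5        # fiber attenuation over the run
CONNECTOR_LOSS_DB = 1.0    # two extra connectors at 0.5 dB each, added by the tap
SPLITTER_EXCESS_DB = 0.5   # splitter loss beyond the ideal split ratio


def split_loss_db(fraction, excess_loss_db=SPLITTER_EXCESS_DB):
    """Insertion loss (dB) of the splitter leg carrying `fraction` of the light."""
    if not 0.0 < fraction < 1.0:
        raise ValueError("split fraction must be strictly between 0 and 1")
    return -10.0 * math.log10(fraction) + excess_loss_db


def leg_margin_db(fraction, rx_sens_dbm, tx_power_dbm=TX_POWER_DBM,
                  path_loss_db=FIBER_LOSS_DB + CONNECTOR_LOSS_DB):
    """Light left above the receiver's sensitivity on one splitter leg (dB)."""
    received_dbm = tx_power_dbm - split_loss_db(fraction) - path_loss_db
    return received_dbm - rx_sens_dbm


def tap_budget(link_fraction):
    """Margins for both legs of a passive tap that passes `link_fraction` of the
    light on to the real receiver and the remainder to the monitoring optic.
    A negative margin means that leg will not reliably get link."""
    link = leg_margin_db(link_fraction, RX_SENS_DBM)
    monitor = leg_margin_db(1.0 - link_fraction, MON_RX_SENS_DBM)
    return {
        "link_margin_db": round(link, 2),
        "monitor_margin_db": round(monitor, 2),
        "ok": link > 0 and monitor > 0,
    }


if __name__ == "__main__":
    # With these placeholder optics a 50/50 split leaves ~1.2 dB on each leg,
    # while 70/30 starves the 30% monitor leg: the "higher powered optics" case.
    for name, fraction in (("50/50", 0.5), ("70/30", 0.7)):
        print(name, tap_budget(fraction))
```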