[Bro] RHEL7 and AF_PACKET

Ditch, Derek derek.ditch at criticalstack.com
Fri Dec 9 15:57:27 PST 2016


Erik,

Is this in response to your earlier post regarding AF_PACKET plugin on 6.8?  I use AF_PACKET w/ Bro 2.5 on CentOS 7 and RHEL 7.2 every day, in production, using the default production kernel of 3.10.

While kernel 3.10 is the minimum to support functional AF_PACKET, more recent patches have improved performance, fixed bugs, etc. The often-misunderstood notion, however, is that RHEL uses a (relatively) ancient kernel in 3.10. However, Red Hat backports patches and has been pretty responsive to my interactions with them.

To be clear, AF_PACKET on RHEL7 and CentOS7 works extremely well w/ Bro 2.5 and the af_packet plugin. It will not, however, work under RHEL 6 because it uses the 2.x kernel.

-Derek


From: <bro-bounces at bro.org> on behalf of erik clark <philosnef at gmail.com>
Date: Wednesday, December 7, 2016 at 06:34
To: Bro-IDS <bro at bro.org>
Subject: [Bro] RHEL7 and AF_PACKET

Short answer: No, AF_PACKET will not work with RHEL7. The long of it, from RedHat direct, is:

---
The eb70db875 fix is included in upstream v4.7 so if you need this feature at the cost of everything else, you could use ELRepo's kernel-ml package of v4.7 or later. I tested their kernel-ml-4.8.12-1.el7.elrepo, recompiled the go application, and the test passes fine.
---


I am working with RH on this, and maybe with luck it will make it into RH7.4. I will keep everyone posted. :)


Erik

