[Bro] Best way to configure BRO IDS 2.4.1 to capture from a Quad port Network card

Aashish Sharma asharma at lbl.gov
Thu May 26 13:40:08 PDT 2016


Ludwig, 

> that up in node.cfg and create 4 worker processes so that we can use

Yes!! You can use a cluster setup with a worker assigned to each one of the interfaces. This works under the assumption that your traffic is not bouncing around (i.e. part of it is on eth0 and the remainder on eth2).

So node.cfg looks like this:

[manager]
type=manager
host=hostname 

[proxy-1]
type=proxy
host=hostname

[proxy-2]
type=proxy
host=hostname

# (infrastructure)
[worker-12]
type=worker
host=hostname
interface=eth1

# (development)
[worker-13]
type=worker
host=hostname
interface=eth2

# (main office)
[worker-14]
type=worker
host=hostname
interface=eth3

Once set up, you can use the broctl install, stop, deploy commands.

On Thu, May 26, 2016 at 04:15:36PM -0400, Ludwig Goon wrote:
> Hi, we are using Dell R230's with an additional quad port card for network
> captures, streaming in traffic from our NetOptics Taps. On bro 2.4.1 what
> is the best way to configure it to listen on all 4 interfaces? Would we set
> that up in node.cfg and create 4 worker processes so that we can use
> broctl? Or can we specify it in BRO_CAPTURE_INTERFACE=" eth2 eth3 eth4
> eth5". Or is there a command line bro with options?
> Is PF_RING needed?
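
Added example, not part of the original thread or of BroControl: a small check that every tapped interface has a worker in node.cfg, so that no tap feeds an unmonitored port. The sample is the node.cfg from the reply (one proxy and the comments omitted); check_node_cfg and the tapped-interface list are hypothetical, and a single sensor host is assumed.

```python
import configparser
from collections import defaultdict
# Constructed sample based on the reply's node.cfg; check_node_cfg is a hypothetical helper.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=hostname
[proxy-1]
type=proxy
host=hostname
[worker-12]
type=worker
host=hostname
interface=eth1
[worker-13]
type=worker
host=hostname
interface=eth2
[worker-14]
type=worker
host=hostname
interface=eth3
"""

def check_node_cfg(text, tapped):
    """Compare worker interfaces in node.cfg with the interfaces fed by taps."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings, workers_on = [], defaultdict(list)
    for name in cfg.sections():
        if cfg.get(name, "type", fallback="") != "worker":
            continue
        iface = cfg.get(name, "interface", fallback="").strip()
        if iface:
            workers_on[iface].append(name)
        else:
            findings.append(f"{name}: worker has no interface")
    for iface, names in sorted(workers_on.items()):
        if len(names) > 1:  # the same packets would be analysed twice
            findings.append(f"{iface}: multiple workers {names}")
        if iface not in tapped:
            findings.append(f"{iface}: worker {names[0]} on an interface with no tap")
    for iface in sorted(set(tapped) - set(workers_on)):
        findings.append(f"{iface}: tapped but unmonitored")
    return findings

if __name__ == "__main__":
    for line in check_node_cfg(SAMPLE_NODE_CFG, ["eth2", "eth3", "eth4", "eth5"]):
        print(line)
```

Run against the interface names from the question (eth2 to eth5), the sample reports eth4 and eth5 as unmonitored, which shows why the interface= lines have to be adapted to the actual tap ports before broctl deploy.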
