[Bro] Best way to configure BRO IDS 2.4.1 to capture from a Quad port Network card

Ludwig Goon lagoon7 at gmail.com
Thu May 26 13:57:01 PDT 2016


Thanks!

I figured that would work.

On Thu, May 26, 2016 at 4:40 PM, Aashish Sharma <asharma at lbl.gov> wrote:

> Ludwig,
>
> > that up in node.cfg and create 4 worker processes so that we can use
>
> yes!!  You can use a cluster setup with a worker assigned to each one of the
> interfaces.  This works under the assumption that your traffic is not bouncing
> around (i.e. part of it is on eth0 and the remainder on eth2)
>
> so node.cfg looks like this:
>
> [manager]
> type=manager
> host=hostname
>
> [proxy-1]
> type=proxy
> host=hostname
>
> [proxy-2]
> type=proxy
> host=hostname
>
> # (infrastructure)
> [worker-12]
> type=worker
> host=hostname
> interface=eth1
>
> # (development)
> [worker-13]
> type=worker
> host=hostname
> interface=eth2
>
> # (main office)
> [worker-14]
> type=worker
> host=hostname
> interface=eth3
>
> Once set up, you can use the broctl install, stop, and deploy commands.
>
> On Thu, May 26, 2016 at 04:15:36PM -0400, Ludwig Goon wrote:
> > Hi, we are using Dell R230's with an additional quad port card for network
> > captures, streaming in traffic from our NetOptics Taps. On bro 2.4.1 what
> > is the best way to configure it to listen on all 4 interfaces? Would we set
> > that up in node.cfg and create 4 worker processes so that we can use
> > broctl? Or can we specify it in BRO_CAPTURE_INTERFACE=" eth2 eth3 eth4
> > eth5". Or is there a command line bro with options?
> > Is PF_RING needed?
>
>
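
A sanity check for the one-worker-per-interface layout discussed in this thread, as an added example that is not part of the original posts or of BroControl: it parses a node.cfg and reports tap interfaces that no worker captures and interfaces claimed by two workers on the same host. The helper name check_node_cfg, the sample config and its worker names are constructed for illustration; the interface names are the ones given in the question.

```python
import configparser
# Constructed sample: worker-3 repeats eth3 by mistake; eth4 and eth5 have no worker.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=hostname
[proxy-1]
type=proxy
host=hostname
[worker-1]
type=worker
host=hostname
interface=eth2
[worker-2]
type=worker
host=hostname
interface=eth3
[worker-3]
type=worker
host=hostname
interface=eth3
"""

def check_node_cfg(text, tap_interfaces):
    """Hypothetical helper: list layout problems in a node.cfg."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    problems, seen = [], {}
    types = [cfg[s].get("type", "") for s in cfg.sections()]
    if types.count("manager") != 1:
        problems.append("expected exactly one manager")
    if "proxy" not in types:
        problems.append("no proxy defined")
    for name in cfg.sections():
        node = cfg[name]
        if node.get("type") != "worker":
            continue
        iface = node.get("interface")
        if not iface:
            problems.append(f"{name}: worker has no interface")
        elif (node.get("host"), iface) in seen:
            owner = seen[(node.get("host"), iface)]
            problems.append(f"{name}: {iface} already captured by {owner}")
        else:
            seen[(node.get("host"), iface)] = name
    covered = {iface for _, iface in seen}
    problems += [f"{i}: no worker assigned" for i in tap_interfaces if i not in covered]
    return problems

print("\n".join(check_node_cfg(SAMPLE_NODE_CFG, ["eth2", "eth3", "eth4", "eth5"])))
```

An empty result means every listed tap interface has exactly one worker; run it against the real node.cfg before deploying with broctl.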