[Bro] New Cluster configuration
Seth Hall
seth at icir.org
Wed Oct 5 05:25:02 PDT 2016
> On Sep 30, 2016, at 3:56 AM, John Edwards <jedwards2728 at gmail.com> wrote:
>
> So PF_RING as the front end, then a manager and proxy but each worker defined within the Cluster worker config as the same host but different interfaces.
>
> Or should I suggest getting additional hardware and splitting the interfaces? It seems a little silly that one worker can only monitor one interface, I thought. That's why I thought I'd ask here first.
You should be able to do what you're attempting to do on a single system. You could configure multiple workers, each sniffing a bridge interface and load balancing.
Probably something like this, but with an appropriate number of processes for your system...

[worker-1]
host=localhost
type=worker
interface=br0
lb_method=pf_ring
lb_procs=4

[worker-2]
host=localhost
type=worker
interface=br1
lb_method=pf_ring
lb_procs=4

Your logs will be a bit repetitive though since it sounds like you're monitoring inside and outside of a NATing router.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
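
An added example, not part of the original message or of BroControl: a small Python check for a node.cfg like the one above that totals the processes each host will run and flags layout mistakes before deployment. The manager and proxy sections, the check_node_cfg helper and the one-core-per-process sizing rule are assumptions made for illustration.

```python
import configparser
from collections import defaultdict

# Constructed sample: the two workers from the message plus an assumed
# manager and proxy on the same host, as the original question describes.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=br0
lb_method=pf_ring
lb_procs=4
[worker-2]
type=worker
host=localhost
interface=br1
lb_method=pf_ring
lb_procs=4
"""

def check_node_cfg(text, cores_per_host):
    """Return (process count per host, warnings); assumes one core per process."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    procs = defaultdict(int)   # host -> number of processes it will run
    seen_ifaces = {}           # (host, interface) -> first worker using it
    warnings = []
    for name in cfg.sections():
        node = cfg[name]
        host = node.get("host", "")
        lb_procs = node.get("lb_procs")
        if node.get("type") == "worker":
            if lb_procs and not node.get("lb_method"):
                warnings.append(f"{name}: lb_procs set without lb_method")
            key = (host, node.get("interface"))
            if key in seen_ifaces:  # two worker entries on one interface
                warnings.append(f"{name}: shares {key[1]} with {seen_ifaces[key]}")
            seen_ifaces[key] = name
        procs[host] += int(lb_procs or 1)  # a node without lb_procs is one process
    for host, n in procs.items():
        if n > cores_per_host:
            warnings.append(f"{host}: {n} processes for {cores_per_host} cores")
    return dict(procs), warnings
```

For the sample, check_node_cfg(SAMPLE_NODE_CFG, 16) reports 10 processes on localhost and no warnings; lowering cores_per_host to 8 produces an oversubscription warning.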