[Bro] New Cluster configuration
Michał Purzyński
michalpurzynski1 at gmail.com
Wed Oct 5 13:34:57 PDT 2016
Also, use a modern kernel and afpacket rather than pfring.
> On 5 Oct 2016, at 14:25, Seth Hall <seth at icir.org> wrote:
>
>
>> On Sep 30, 2016, at 3:56 AM, John Edwards <jedwards2728 at gmail.com> wrote:
>>
>> So PF_RING as the front end, then a manager and proxy but each worker defined within the Cluster worker config as the same host but different interfaces.
>>
>> Or should I suggest getting additional hardware and splitting the interfaces? It seems a little silly that one worker can only monitor one interface, I thought. That's why I thought I'd ask here first.
>
> You should be able to do what you're attempting to do on a single system. You could configure multiple workers, each sniffing a bridge interface and load balancing.
>
> Probably something like this, but with an appropriate number of processes for your system....
>
> [worker-1]
> host=localhost
> type=worker
> interface=br0
> lb_method=pf_ring
> lb_procs=4
>
> [worker-2]
> host=localhost
> type=worker
> interface=br1
> lb_method=pf_ring
> lb_procs=4
>
> Your logs will be a bit repetitive though since it sounds like you're monitoring inside and outside of a NATing router.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/