[Bro] New Cluster configuration

M P mpselab at gmail.com
Thu Oct 6 07:49:31 PDT 2016


Hello Michal,

Would you mind elaborating more, please? I am not trying to hijack the
thread but more interested in the suggestion. Any pointers are welcome.

MP.

On Wednesday, October 5, 2016, Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> Also, use a modern kernel and afpacket rather than pfring.
>
> > On 5 Oct 2016, at 14:25, Seth Hall <seth at icir.org> wrote:
> >
> >
> >> On Sep 30, 2016, at 3:56 AM, John Edwards <jedwards2728 at gmail.com> wrote:
> >>
> >> So PF_RING as the front end, then a manager and proxy but each worker
> >> defined within the Cluster worker config as the same host but different
> >> interfaces.
> >>
> >> Or should I suggest getting additional hardware and splitting the
> >> interfaces? It seems a little silly that one worker can only monitor one
> >> interface, I thought. That's why I thought I'd ask here first.
> >
> > You should be able to do what you're attempting to do on a single
> > system.  You could configure multiple workers, each sniffing a bridge
> > interface and load balancing.
> >
> > Probably something like this, but with an appropriate number of
> > processes for your system....
> >
> > [worker-1]
> > host=localhost
> > type=worker
> > interface=br0
> > lb_method=pf_ring
> > lb_procs=4
> >
> > [worker-2]
> > host=localhost
> > type=worker
> > interface=br1
> > lb_method=pf_ring
> > lb_procs=4
> >
> > Your logs will be a bit repetitive though since it sounds like you're
> > monitoring inside and outside of a NATing router.
> >
> >  .Seth
> >
> > --
> > Seth Hall
> > International Computer Science Institute
> > (Bro) because everyone has a network
> > http://www.bro.org/
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro