[Bro] bro cluster and load balancers
Jan Grashöfer
jan.grashoefer at gmail.com
Tue Oct 11 04:43:46 PDT 2016
> and I load balance between the two worker nodes, how, if at all, does the
> manager know if a session is split across multiple worker nodes? The worker
> nodes (as mentioned before) would have to spit considerable amounts of
> traffic information back up to the manager node. My load balancer uses 5
> tuples to determine where to send traffic for a given session.
I guess by session you mean connection: If your load balancer uses
5-tuples *symmetrically* there shouldn't be any split connection.
Accordingly each connection can be analyzed by a worker without
interaction with other nodes. State that is shared across the cluster
depends on the scripts (e.g., scan.bro), which build upon the events
spit out by the analyzers. So there is no need to send traffic to other
nodes of the cluster.
Jan
More information about the Bro
mailing list