[Bro] "broctl cron" running every 5 mins, and side effects
Glenn Forbes Fleming Larratt
gl89 at cornell.edu
Wed Sep 14 06:07:46 PDT 2016
Thanks!
At the recommendation of my sysadmins, I installed a caching nameserver
directly on my manager host - problem solved (for that host).
I haven't decided yet whether the workers should use the nameserver on the
manager, or each one should run his own, but I think that'll fix things.
-g
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
On Sat, 3 Sep 2016, Azoff, Justin S wrote:
>
>> On Sep 2, 2016, at 9:35 AM, Glenn Forbes Fleming Larratt <gl89 at cornell.edu> wrote:
>>
>> Can anyone comment on what "broctl cron" is actually doing?
>>
>> My DNS admin reported to me that, at 5-minute intervals, my six bro hosts
>> (1x manager+proxy, 5 workers) are spewing DNS queries in the thousands,
>> all forward and reverse lookups of themselves and each other (sample
>> appended). It *seems* to be correlated in time with the running of "broctl
>> cron".
>>
>
> broctl cron primarily checks up on the workers via ssh.
>
> Are you using a bro version earlier than 2.4? 2.4 will make one connection per worker box; before that, it made one connection for each worker process.
>
> What you are seeing looks like bro < 2.4 plus ssh having UseDns or VerifyReverseMapping enabled.
>
> It's also interesting that bro01 is not one of the names in the output, and bro05 appears 5% as often as 2,3,4 are.
>
>
> In general you should be running a local caching resolver (unbound, dnsmasq, etc.). Things run better across the board when you are caching DNS responses locally and not going out to the network for every lookup.
>
>
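
An added example (not part of either message, and not broctl or OpenSSH code): a shell audit of the two conditions raised in the reply above, sshd's UseDNS / VerifyReverseMapping setting and whether the host sends its lookups to a resolver on the same machine. The function names and the sample files built in `demo` are constructed for illustration; `Match` blocks in sshd_config are not interpreted.

```bash
# Added example, not from the thread: audit the two settings it discusses.
# Effective value of an sshd_config keyword: keywords are case-insensitive,
# "Keyword value" and "Keyword=value" are both accepted, first match wins.
sshd_setting() {   # usage: sshd_setting KEYWORD FILE
    awk -F'[ \t=]+' -v kw="$1" '
        { sub(/^[ \t]+/, "") }                 # drop indentation, re-split
        /^#/ || NF == 0 { next }               # skip comments and blank lines
        tolower($1) == tolower(kw) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# True if the first nameserver is a loopback address, i.e. lookups go to a
# resolver on this host. With no nameserver line the resolver library
# falls back to the local host, so that case counts as local too.
uses_local_resolver() {   # usage: uses_local_resolver FILE
    local first
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    case "$first" in
        ""|127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print findings; return 1 if either condition from the thread is present.
audit_host() {   # usage: audit_host [SSHD_CONFIG] [RESOLV_CONF]
    local cfg="${1:-/etc/ssh/sshd_config}" res="${2:-/etc/resolv.conf}" rc=0 kw val
    for kw in UseDNS VerifyReverseMapping; do
        val=$(sshd_setting "$kw" "$cfg")
        echo "$kw: $val"
        if [ "$val" = "yes" ]; then
            echo "  sshd resolves the address of every incoming connection"; rc=1
        fi
    done
    if uses_local_resolver "$res"; then
        echo "resolver: on this host"
    else
        echo "resolver: remote, every lookup goes out to the network"; rc=1
    fi
    return "$rc"
}

# Constructed sample files (not from the thread) showing both findings.
demo() {
    local d rc=0; d=$(mktemp -d)
    printf 'Port 22\nUseDNS yes\n' > "$d/sshd"; echo 'nameserver 192.0.2.53' > "$d/res"
    audit_host "$d/sshd" "$d/res" || rc=1
    rm -rf "$d"; return "$rc"
}
```

Calling `audit_host` with no arguments reads /etc/ssh/sshd_config and /etc/resolv.conf; a keyword reported as "unset" takes the default of the installed sshd version.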