[Bro] New Cluster configuration

John Edwards jedwards2728 at gmail.com
Fri Sep 30 00:56:12 PDT 2016


Hi everyone,

Today I successfully installed Bro as a standalone worker on an Ubuntu
system. It has 16 cores, 8GB RAM (can be expanded) and about 2TB of disk.
It's receiving traffic from a passive fibre network interface.

The interface configuration is as follows:

br0 - bridged interface
p1p1 - RX of fibre
p1p2 - TX of fibre

br1 - Bridged interface
p2p1 - RX of fibre
p2p2 - TX of fibre

So I have br0 configured and being monitored correctly. br0 is monitoring
one part of the network up towards public-facing infrastructure, and br1 is
monitoring more local stuff, so it's not NAT'd and closer to the hosts.

As it is one physical system with 2 interfaces, what is the best way for me
to monitor both feeds and log it correctly? All of my logs are being fed
into a SIEM with JSON output.

Can I have separate roles configured on the one physical system and each
interface defined as a separate worker?

So PF_RING as the front end, then a manager and proxy, but each worker
defined within the cluster worker config as the same host but different
interfaces.

Or should I suggest getting additional hardware and splitting the
interfaces? It seems a little silly that one worker can only monitor one
interface, I thought. That's why I thought I'd ask here first.

Thanks,
John
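As an added illustration (not from this thread or the Bro project's own files), here is what the layout described in the question looks like as a BroControl node.cfg: one manager, one proxy, and two workers on the same host, each bound to one of the bridge interfaces. The interface names br0 and br1 come from the post; the section names, the lb_procs counts, the pin_cpus lists and the install path are assumptions chosen for a 16-core box and should be adjusted to the real hardware.

```ini
# /usr/local/bro/etc/node.cfg  (assumed default install path)
#
# Single physical host, two monitored bridge interfaces, one worker
# definition per interface. A worker monitors exactly one interface,
# so a second interface simply means a second worker section that
# points at the same host. lb_procs / pin_cpus below are illustrative.

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# Worker for the public-facing feed (br0 = p1p1 RX + p1p2 TX)
[worker-br0]
type=worker
host=localhost
interface=br0
lb_method=pf_ring
lb_procs=6
pin_cpus=2,3,4,5,6,7

# Worker for the local, un-NAT'd feed (br1 = p2p1 RX + p2p2 TX)
[worker-br1]
type=worker
host=localhost
interface=br1
lb_method=pf_ring
lb_procs=6
pin_cpus=8,9,10,11,12,13
```

After editing the file, `broctl check` validates it and `broctl install` followed by `broctl restart` applies it. Two things worth knowing before relying on this: lb_method=pf_ring only works when Bro was built against PF_RING's libpcap, and because both workers report to the one manager, the logs under logs/current are merged from both feeds with no default field saying which interface a connection was seen on. For the SIEM feed, `@load tuning/json-logs` in local.bro switches the manager's log output to JSON.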