[Bro] Question about duplicate traffic with load balancing and SSH::Password_Guessing
Azoff, Justin S
jazoff at illinois.edu
Fri Apr 21 08:17:40 PDT 2017
> On Apr 21, 2017, at 10:49 AM, Eric Hacecky <hacecky at jlab.org> wrote:
>
> My load balancing setup:
>
> lb_method=myricom
> lb_procs=31
>
> This is a single box with 32 cores.
>
> ----------------
>
> This brings up two questions.
>
> Why is SSH:Password_Guessing generating a notice when auth_success is True?
>
> Is this expected behavior with my load balancing setup? That the same connection is fed to all 31 cores?
In order for that configuration to work you need to have the myricom SNF drivers and pcap library installed, and bro must be using that pcap library.
If you are seeing the same connection logged 31 times then you are DEFINITELY not using the myricom provided pcap library.
If the myricom pcap library is not referenced in /etc/ld.so.conf or similar, you'll need something like this under the worker node:
[worker]
host=whatever
interface=p1p1
lb_method=myricom
lb_procs=31
env_vars=LD_PRELOAD=/opt/snf/lib/libsnf.so.0:/opt/snf/lib/libpcap.so.1,SNF_APP_ID=1
--
- Justin Azoff
More information about the Bro
mailing list