[Bro] Triplicate Entries in CONN Log

Philip Romero promero at cenic.org
Wed Jan 3 12:49:31 PST 2018


Seth and Justin,

It looks to be working now. The latest change that was made was dropping
the pfring version from 7.0.0 to 6.6.0. That in combination with using
the "pfringclusterid = 11" setting in the broctl.cfg got it working
correctly. We're no longer seeing any multiple entries for the same
activity.

Thanks for all the help.

Philip


On 1/3/18 11:57 AM, Seth Hall wrote:
>
> On 3 Jan 2018, at 12:39, Philip Romero wrote:
>
>> Thanks for the troubleshooting code. It looks like only one interface is
>> getting the traffic, but all 4 cores assigned are processing the same
>> traffic individually. I'm still working with my Systems team on the
>> suggestion from Justin.  
>
> Could you try removing all of the worker configs from node.cfg except
> for worker-4?  I'm curious if there is something we did that is
> causing trouble for PF_Ring if multiple interfaces are being sniffed
> like that.
>
>   .Seth
>
>
> -- 
> Seth Hall * Corelight, Inc * www.corelight.com

-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290
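
An added example, not part of the original thread: a check for the symptom discussed above, flagging conn.log flows logged more than once with near-identical start times. It assumes Bro's tab-separated log with a #fields header and that each worker logs its copy under a different uid; the sample lines, the one-second window and the function name are constructed for illustration.

```python
from collections import defaultdict

KEY = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")

# Constructed sample in Bro's tab-separated conn.log layout (trimmed field set).
SAMPLE = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1515012345.100000\tCaaa1\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\n"
    "1515012345.100004\tCbbb2\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\n"
    "1515012345.100009\tCccc3\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\n"
    "1515012346.000000\tCddd4\t10.0.0.6\t40000\t192.0.2.20\t53\tudp\n"
    "1515012700.000000\tCeee5\t10.0.0.6\t40000\t192.0.2.20\t53\tudp\n"
)

def find_duplicate_conns(lines, window=1.0):
    """Return {5-tuple: [[uid, ...], ...]} for flows logged more than once
    with start times within `window` seconds (an assumed threshold)."""
    fields, seen = None, defaultdict(list)
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #fields header")
            rec = dict(zip(fields, line.split("\t")))
            seen[tuple(rec[f] for f in KEY)].append((float(rec["ts"]), rec["uid"]))
    dups = {}
    for key, hits in seen.items():
        hits.sort()
        group = [hits[0]]
        for hit in hits[1:] + [None]:  # trailing None flushes the last group
            if hit is not None and hit[0] - group[-1][0] <= window:
                group.append(hit)
                continue
            if len(group) > 1:
                dups.setdefault(key, []).append([uid for _, uid in group])
            group = [hit]
    return dups

if __name__ == "__main__":
    for key, groups in find_duplicate_conns(SAMPLE.splitlines()).items():
        for uids in groups:
            print(f"{len(uids)}x {' '.join(key)} uids={','.join(uids)}")
```

The second flow in the sample reuses the same 5-tuple about six minutes later and is not flagged, since only entries inside the window count as duplicates.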




