[Zeek] ‘eth0 -i eth1’ produces half the conn.log count of ‘eth0’
김희철
hckim at narusec.com
Wed Aug 14 01:16:30 PDT 2019
Hi everyone,
I am having a configuration issue.
In node.cfg, the ‘eth0 -i eth1’ config produces half the conn.log count that ‘eth0’ does.
There is no traffic on eth1; in live monitoring eth1 is standby.
I tested this with live traffic and with pfsend using a pcap file from another server
(pfsend is feeding only the eth0 port).
Because of circumstances I cannot use a bridge setup.
I must be missing something.
Could anyone point me in the right direction?
My setup is below.
Zeek(bro) server
cpu: Intel(R) Xeon(R) CPU E5-2650 X 2 (total 32 core)
ram: 64G
zeek(bro) 2.4.2 with pf_ring 7.5.0 (not a zc)
no extra zeek(bro) scripts
The server has two monitoring ports:
eth0 (active), eth1 (standby)
node.cfg with 'eth0 -i eth1':
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[proxy-2]
type=proxy
host=localhost
[monitor]
type=worker
host=localhost
interface='eth0 -i eth1'
lb_method=pf_ring
lb_procs=10
pin_cpus=1,2,3,4,5,6,7,8,9,10
node.cfg with eth0:
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[proxy-2]
type=proxy
host=localhost
[monitor]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=10
pin_cpus=1,2,3,4,5,6,7,8,9,10
--
------------------------------------------------------
Hichul Kim 김희철 선임 연구원
Naru Security (주)나루씨큐리티