[Zeek] How to configure multiple interfaces

Xavier Gonzalez xavi at opennac.org
Tue Sep 3 01:20:57 PDT 2019


Hi Justin and Raphael,

Very good point and very interesting issue. Some questions….

What exactly does bro-pf_ring do?
What does “best results” mean?
Is it mandatory to use bro + pf_ring?
If not, what features are added?

Thanks in advance,

Xavier Gonzalez
CTO & Co-founder
http://opennac.org
http://opencloudfactory.com
follow us: @opennac @viapps

From: "zeek-bounces at zeek.org" <zeek-bounces at zeek.org> on behalf of Justin Azoff <justin at corelight.com>
Date: Tuesday, 3 September 2019 at 03:48
To: Raphael Shin <hkshin98 at gmail.com>
Cc: zeek <zeek at zeek.org>
Subject: Re: [Zeek] How to configure multiple interfaces

Install https://github.com/ntop/bro-pf_ring in general for best results.

Use

interface=pf_ring::p1p1,p1p2

On Mon, Sep 2, 2019 at 9:32 PM Raphael Shin <hkshin98 at gmail.com> wrote:
Hi,

I am installing Bro on Redhat OS.

My Bro machine has two interfaces.
 - Interface#1(p1p1) : Server farm inbound traffic
 - Interface#2(p1p2) : Server farm outbound traffic

I configured two interfaces with pf_ring.

node.cfg file is as follows.

----------------------------
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=p1p1
lb_method=pf_ring
lb_procs=2
pin_cpus=8,9

[worker-2]
type=worker
host=localhost
interface=p1p2
lb_method=pf_ring
lb_procs=2
pin_cpus=10,11
----------------------------


But I had wrong connection information.

Most conn_state values are SH or SHR in the conn.log file.

How can I configure the node.cfg file?

Thanks,
Raphael
_______________________________________________
Zeek mailing list
zeek at zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek


--
Justin
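
A quick check for the symptom reported in this thread, as an added example that is not part of the original messages: it reads a Zeek TSV conn.log and measures how many connections ended in SH or SHR, the states Zeek assigns when it saw only one side of a TCP handshake. The sample rows, the function names and the 0.5 threshold are constructed for illustration.

```python
from collections import Counter

# conn_state values Zeek assigns when only one side of the handshake was seen:
#   SH  = originator sent SYN then FIN, no SYN-ACK seen from the responder
#   SHR = responder sent SYN-ACK then FIN, no SYN seen from the originator
ONE_SIDED = ("SH", "SHR")

# Constructed sample in Zeek TSV layout (reduced field set, documentation addresses).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\tconn_state",
    "#types\ttime\tstring\taddr\taddr\tenum\tstring",
    "1567500000.1\tC1\t192.0.2.10\t198.51.100.5\ttcp\tSH",
    "1567500000.1\tC2\t192.0.2.10\t198.51.100.5\ttcp\tSHR",
    "1567500001.4\tC3\t192.0.2.11\t198.51.100.5\ttcp\tSH",
    "1567500001.4\tC4\t192.0.2.11\t198.51.100.5\ttcp\tSHR",
    "1567500002.9\tC5\t192.0.2.12\t198.51.100.6\ttcp\tSF",
    "#close\t2019-09-03-00-00-00",
])

def conn_state_counts(lines):
    """Count conn_state values in a Zeek TSV conn.log (iterable of lines)."""
    idx, counts = None, Counter()
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            # Locate the column from the header instead of hard-coding its position.
            idx = line.split("\t")[1:].index("conn_state")
        elif line and not line.startswith("#"):
            if idx is None:
                raise ValueError("data row before #fields header")
            cols = line.split("\t")
            if len(cols) > idx:
                counts[cols[idx]] += 1
    return counts

def one_sided_report(lines, threshold=0.5):
    """Summarise SH/SHR share; threshold is an assumed cut-off, tune per site."""
    counts = conn_state_counts(lines)
    total = sum(counts.values())
    ratio = sum(counts[s] for s in ONE_SIDED) / total if total else 0.0
    return {"total": total, "SH": counts["SH"], "SHR": counts["SHR"],
            "ratio": ratio, "suspect_split_capture": total > 0 and ratio >= threshold}

if __name__ == "__main__":
    print(one_sided_report(SAMPLE_LOG.splitlines()))
```

A high ratio with SH and SHR in roughly equal numbers is consistent with each worker seeing only one direction of the same flows, which is the situation the combined `interface=pf_ring::p1p1,p1p2` setting is meant to address.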