[Zeek] "bro-cluster-in-a-box-setup" to "zeek-cluster-in-a-box-setup"?

Scott Wang scwang+bro at sfu.ca
Wed Feb 5 13:55:44 PST 2020


At the Canarie workshop, Steve Smoot from Corelight suggested using pf_ring still. Any thoughts/comments on switching to af_packet? Advantages vs Disadvantages?

Regards,
Scott

> On Feb 05, 2020, at 12:48, Justin Azoff <justin at corelight.com> wrote:
> 
> Hi!
> 
> It shouldn't be that hard to update to 3.x.. 
> 
> - bro-pkg should be swapped out with the renamed zkg
> - the python2 references can likely be changed to 3
> - caf no longer needs to be installed separately
> - geoip and databases need to be swapped out with maxminddb versions, might need a license
> - probably worth it to switch to af_packet from pf_ring.. pf_ring was only used initially to easily support capturing directly from both halves of a tap, which might not be a requirement anymore.
> 
> My schedule is a bit crazy for the next week, but once I have some time to work on it I should be able to get things updated pretty quickly.. There's really not much to it.
> 
> 
> 
> On Wed, Feb 5, 2020 at 12:38 PM Paul Sibley <Paul.Sibley at canarie.ca> wrote:
> Hello Zeek Community,
> 
> I am working on a project where Zeek has been deployed in two phases. During the first phase, some participants used the “https://github.com/ncsa/bro-cluster-in-a-box-setup” script to assist in, and automate, a lot of the installation process.
> 
> Since then we have entered the phase in our project where more participants have been added, CentOS 8 is preferred, and we are using Zeek 3.0.1.
> 
> I wonder if any consideration or work has been done in updating the bro-cluster-in-a-box script to work with the updated OS and Zeek version. Any information would be appreciated.
> 
> Thanks in advance,
> 
> Paul Sibley
> 
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> 
> -- 
> Justin
